Research Proposal: An Intrusion Detection System Alert Reduction and Assessment Framework Based on Data Mining
Karim Al-Saedi, Selvakumar Manickam, Sureswaran Ramadass, Wafaa Al-Salihy and Ammar ALmomani
DOI : 10.3844/jcssp.2013.421.426
Journal of Computer Science
Volume 9, Issue 4
The Intrusion Detection System (IDS) generates huge amounts of alerts that are mostly false positives. The abundance of false positive alerts makes it difficult for the security analyst to identify successful attacks and to take remedial actions. Such alerts to have not been classified in accordance with their degree of threats. They further need to be processed to ascertain the most serious alerts and the time of the reaction response. They may take a long time and considerable space to discuss thoroughly. Each IDS generates a huge amount of alerts where most of them are real while the others are not (i.e., false alert) or are redundant alerts. The false alerts create a serious problem for intrusion detection systems. Alerts are defined based on source/destination IP and source/destination ports. However, one cannot know which of those IP/ports bring a threat to the network. The IDSs’ alerts are not classified depending on their degree of the threat. It is difficult for the security analyst to identify attacks and take remedial action for this threat. So it is necessary to assist in categorizing the degree of the threat, by using data mining techniques. The proposed framework for proposal is IDS Alert Reduction and Assessment Based on Data Mining (ARADMF). The proposed framework contains three systems: Traffic data retrieval and collection mechanism system, reduction IDS alert processes system and threat score process of IDS alert system. The traffic data retrieval and collection mechanism systems develops a mechanism to save IDS alerts, extract the standard features as intrusion detection message exchange format and save them in DB file (CSV-type). It contains the Intrusion Detection Message Exchange Format (IDMEF) which works as procurement alerts and field reduction is used as data standardization to make the format of alert as standard as possible. As for Feature Extraction (FE) system, it is designed to extract the features of alert by using a gain information algorithm, which gives a rank for every feature to facilitate the selection of the feature with the highest rank. The main function of reduction IDS alert processes system is to remove duplicate IDS alerts and reduces the amount of false alerts based on a new aggregation algorithm. It consists of three phases. The first phase removes redundant alerts. The second phase reduces false alerts based on threshold time value and the last phase reduces false alerts based on rules with a threshold common vulnerabilities and exposure value. Threat score process of IDS alert system is characterized by using a proposed adaptive Apriori algorithm, which has been modified to work with multi features, i.e., items and automated classification of alerts according to their threat’s scores. The expected result of his proposed will be decreasing the number of false positive alert with rate expected 90% and increasing the level of accuracy compared with other approaches. The reasons behind using ARADMF are to reduce the false IDS alerts and to assess them to examine the threat score of IDS alert, that is will be effort to increase the efficiency and accuracy of network security.
© 2013 Karim Al-Saedi, Selvakumar Manickam, Sureswaran Ramadass, Wafaa Al-Salihy and Ammar ALmomani. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.