Aplicación de Criterios Cuantitativos en la Correlación de Alertas de NIDS Basados en Anomalías (Quantitative Criteria for Alert Correlation of Anomalies-based NIDS)

Jorge Maestre Vidal (jmaestre@ucm.es)1, Ana Lucila Sandoval Orozco (asandoval@fdi.ucm.es)1, Luis Javier García Villalba (javiergv@fdi.ucm.es)1

1Universidad Complutense de Madrid

This paper appears in: Revista IEEE América Latina

Publication Date: Oct. 2015
Volume: 13, Issue: 10
ISSN: 1548-0992

This paper presents an alert correlation system for mitigating the false positive problem in network-based intrusion detection when anomaly detection techniques are applied. The system makes it possible to quantitatively assess the likelihood that an alert raised because of an anomaly corresponds to a real threat. To do this, it takes into account the differences between the characteristics of the model representing habitual, legitimate network usage and the most representative features of the traffic that generated the alert. The result is a quantitative assessment of that traffic's similarity to legitimate network usage, and a prioritization of the issued alerts. Experiments have demonstrated the validity of the proposal: 95.7% of the false positives were labeled as low-priority alerts, and the various real threats were properly identified.
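The following is an added illustration of the kind of quantitative assessment the abstract describes; it is not the paper's code and does not reproduce its metric. It fits a simple baseline model (per-feature mean and standard deviation) from constructed legitimate traffic, measures how far the traffic behind each alert deviates from that baseline, maps the deviation to a similarity score in (0, 1], and assigns a treatment priority. The feature names, the z-score/RMS distance and the priority thresholds are assumptions chosen for the example.

```python
"""Added example, not the paper's code: score anomaly-based NIDS alerts by how
far the offending traffic sits from a baseline model of legitimate usage, and
prioritise them so analysts look at the least legitimate-looking alerts first.
The feature set, the z-score/RMS distance and the thresholds are assumptions."""
import math
from dataclasses import dataclass

# Per-flow traffic features (assumed for illustration).
FEATURES = ("bytes_per_flow", "packets_per_flow", "dst_ports_per_src", "mean_iat_ms")


@dataclass
class BaselineModel:
    """Mean and standard deviation of each feature over legitimate traffic."""
    mean: dict
    std: dict


def build_baseline(samples):
    """Fit the legitimate-usage model from a list of feature dicts."""
    n = len(samples)
    mean, std = {}, {}
    for f in FEATURES:
        vals = [s[f] for s in samples]
        m = sum(vals) / n
        var = sum((v - m) ** 2 for v in vals) / n
        mean[f] = m
        # A constant feature would give std 0; use 1.0 so it never divides by zero.
        std[f] = math.sqrt(var) or 1.0
    return BaselineModel(mean, std)


def deviations(model, alert):
    """Standardised distance (|z-score|) of each alert feature from the baseline."""
    return {f: abs(alert[f] - model.mean[f]) / model.std[f] for f in FEATURES}


def dominant_feature(model, alert):
    """The feature that contributed most to the anomaly: what the analyst should inspect first."""
    dev = deviations(model, alert)
    return max(dev, key=dev.get)


def similarity(model, alert):
    """Similarity to legitimate usage in (0, 1]: 1.0 means indistinguishable from the baseline."""
    dev = deviations(model, alert)
    rms = math.sqrt(sum(z * z for z in dev.values()) / len(dev))
    return 1.0 / (1.0 + rms)


def priority(model, alert, low_cut=0.5, high_cut=0.2):
    """Map similarity to a treatment priority (threshold values are assumptions)."""
    s = similarity(model, alert)
    if s >= low_cut:
        return "low"      # close to the baseline: probable false positive
    if s <= high_cut:
        return "high"     # far from anything seen in legitimate usage
    return "medium"


def prioritise(model, alerts):
    """Return (id, similarity, priority, dominant feature) rows, most suspicious first."""
    rows = [(a["id"], similarity(model, a), priority(model, a), dominant_feature(model, a))
            for a in alerts]
    return sorted(rows, key=lambda r: r[1])


# Constructed legitimate traffic: five flows with values close to each other.
LEGIT = [
    {"bytes_per_flow": 1000 + 100 * i, "packets_per_flow": 10 + i,
     "dst_ports_per_src": 2 + (i % 3), "mean_iat_ms": 50 + 5 * i}
    for i in range(-2, 3)
]

# Constructed alerts: one near the baseline, one moderately off, and one with
# hundreds of destination ports per source and single-packet flows.
ALERTS = [
    {"id": "A1", "bytes_per_flow": 1050, "packets_per_flow": 11, "dst_ports_per_src": 3, "mean_iat_ms": 52},
    {"id": "A2", "bytes_per_flow": 1500, "packets_per_flow": 14, "dst_ports_per_src": 5, "mean_iat_ms": 30},
    {"id": "A3", "bytes_per_flow": 60, "packets_per_flow": 1, "dst_ports_per_src": 400, "mean_iat_ms": 1},
]

if __name__ == "__main__":
    model = build_baseline(LEGIT)
    for alert_id, score, prio, feat in prioritise(model, ALERTS):
        print(f"{alert_id}: similarity={score:.3f} priority={prio} dominant_feature={feat}")
```

Run as a script it lists A3 first (similarity near zero, high priority, dominated by `dst_ports_per_src`), then A2 (medium), then A1 (similarity about 0.69, low priority). The dominant-feature output is the part an analyst uses: it names which aspect of the traffic made the alert dissimilar to legitimate usage, so low-priority alerts can be skimmed and high-priority ones investigated on the right feature.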

Index Terms:
Anomalies, Alert Correlation, False Positives, IDS, NIDS, Intrusion Detection System, Network-based Intrusion Detection System.
