Alert prioritization in Intrusion Detection Systems

Khalid Alsubhi; Ehab Al-Shaer; Raouf Boutaba

doi:10.1109/NOMS.2008.4575114

Alert prioritization in Intrusion Detection Systems

Khalid Alsubhi^*, Ehab Al-Shaer, Raouf Boutaba

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

49 Scopus citations

Abstract

Intrusion Detection Systems (IDSs) are designed to monitor user and/or network activity and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large; making the task of security analysts difficult to manage. Furthermore, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide imprecise results. In this paper, we propose a fuzzy-logic based technique for scoring and prioritizing alerts generated by an IDS(1). In addition, we present an alert rescoring technique that leads to a further reduction of the number of alerts. The approach is validated using the 2000 DARPA intrusion detection scenario specific datasets and comparative results between the Snort IDS alert scoring and our scoring and prioritization scheme are presented.

Original language	English
Title of host publication	NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium
Subtitle of host publication	Pervasive Management for Ubiquitous Networks and Services
Pages	33-40
Number of pages	8
DOIs	https://doi.org/10.1109/NOMS.2008.4575114
State	Published - 2008
Externally published	Yes
Event	NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services - Salvador - Bahia, Brazil Duration: 7 Apr 2008 → 11 Apr 2008

Publication series

Name	NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services

Conference

Conference	NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services
Country/Territory	Brazil
City	Salvador - Bahia
Period	7/04/08 → 11/04/08

Keywords

Alert management
Alert prioritization

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems

Access to Document

10.1109/NOMS.2008.4575114

Cite this

Alsubhi, K., Al-Shaer, E., & Boutaba, R. (2008). Alert prioritization in Intrusion Detection Systems. In NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services (pp. 33-40). Article 4575114 (NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services). https://doi.org/10.1109/NOMS.2008.4575114

Alsubhi, Khalid ; Al-Shaer, Ehab ; Boutaba, Raouf. / Alert prioritization in Intrusion Detection Systems. NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services. 2008. pp. 33-40 (NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services).

@inproceedings{b7bd1de386c94865b1f03bf385cf6503,

title = "Alert prioritization in Intrusion Detection Systems",

abstract = "Intrusion Detection Systems (IDSs) are designed to monitor user and/or network activity and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large; making the task of security analysts difficult to manage. Furthermore, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide imprecise results. In this paper, we propose a fuzzy-logic based technique for scoring and prioritizing alerts generated by an IDS(1). In addition, we present an alert rescoring technique that leads to a further reduction of the number of alerts. The approach is validated using the 2000 DARPA intrusion detection scenario specific datasets and comparative results between the Snort IDS alert scoring and our scoring and prioritization scheme are presented.",

keywords = "Alert management, Alert prioritization",

author = "Khalid Alsubhi and Ehab Al-Shaer and Raouf Boutaba",

year = "2008",

doi = "10.1109/NOMS.2008.4575114",

language = "English",

isbn = "9781424420667",

series = "NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services",

pages = "33--40",

booktitle = "NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium",

note = "NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services ; Conference date: 07-04-2008 Through 11-04-2008",

}

Alsubhi, K, Al-Shaer, E & Boutaba, R 2008, Alert prioritization in Intrusion Detection Systems. in NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services., 4575114, NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services, pp. 33-40, NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services, Salvador - Bahia, Brazil, 7/04/08. https://doi.org/10.1109/NOMS.2008.4575114

Alert prioritization in Intrusion Detection Systems. / Alsubhi, Khalid; Al-Shaer, Ehab; Boutaba, Raouf.
NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services. 2008. p. 33-40 4575114 (NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Alert prioritization in Intrusion Detection Systems

AU - Alsubhi, Khalid

AU - Al-Shaer, Ehab

AU - Boutaba, Raouf

PY - 2008

Y1 - 2008

N2 - Intrusion Detection Systems (IDSs) are designed to monitor user and/or network activity and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large; making the task of security analysts difficult to manage. Furthermore, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide imprecise results. In this paper, we propose a fuzzy-logic based technique for scoring and prioritizing alerts generated by an IDS(1). In addition, we present an alert rescoring technique that leads to a further reduction of the number of alerts. The approach is validated using the 2000 DARPA intrusion detection scenario specific datasets and comparative results between the Snort IDS alert scoring and our scoring and prioritization scheme are presented.

AB - Intrusion Detection Systems (IDSs) are designed to monitor user and/or network activity and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large; making the task of security analysts difficult to manage. Furthermore, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide imprecise results. In this paper, we propose a fuzzy-logic based technique for scoring and prioritizing alerts generated by an IDS(1). In addition, we present an alert rescoring technique that leads to a further reduction of the number of alerts. The approach is validated using the 2000 DARPA intrusion detection scenario specific datasets and comparative results between the Snort IDS alert scoring and our scoring and prioritization scheme are presented.

KW - Alert management

KW - Alert prioritization

UR - http://www.scopus.com/inward/record.url?scp=51849167357&partnerID=8YFLogxK

U2 - 10.1109/NOMS.2008.4575114

DO - 10.1109/NOMS.2008.4575114

M3 - Conference contribution

AN - SCOPUS:51849167357

SN - 9781424420667

T3 - NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services

SP - 33

EP - 40

BT - NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium

T2 - NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services

Y2 - 7 April 2008 through 11 April 2008

ER -

Alsubhi K, Al-Shaer E, Boutaba R. Alert prioritization in Intrusion Detection Systems. In NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services. 2008. p. 33-40. 4575114. (NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services). doi: 10.1109/NOMS.2008.4575114

Alert prioritization in Intrusion Detection Systems

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this