Al-Saedi, Karim Hashim Kraidi
(2013)
A False Alert Reduction And An Alert Score Assessment Framework For Intrusion Alerts.
PhD thesis, Universiti Sains Malaysia.
Abstract
The Alert Detection Engine (ADE) is a powerful network security system that is used to secure computer networks. ADE can detect security breaches which other forms of security measures unable to uncover. Yet, it still suffers from the problem of generating huge amounts of alerts that are mostly false positives. Each ADE generates a large number of alerts, where some are real and the others are not (i.e. false or redundant alert). Consequently, this increases the ambiguity among the decision makers as they conduct assessments of alerts. In particular, real alerts of ADE are not classified based on the magnitude of the threat they pose. Therefore, it is difficult for the security analyst to identify attacks and take remedial action against their threats, making it necessary to categorize the magnitude of each threat. For this reason, it becomes necessary to categorize the degrees of threat using data mining techniques, especially where huge data are involved. Several reduction and assessment approaches have been proposed to solve these problems; however, they unable to address many other problems related to ADE.
This thesis proposes a new framework called A False Alert Reduction and an Alert Score Assessment Framework for Intrusion Alerts. The objectives of using this framework are to reduce the false alerts and to assess such alerts and examine their threat scores. This work aims to provide a full understanding of the network attacks as well as ease the process for the analysts and save their time. Framework is a standalone system that can work online and offline. It combines the following algorithms: the first algorithm is New Alert Reduction (NAR) algorithm to remove the redundancy from the alert’s file and reduce the false positives.
Actions (login required)
 |
View Item |
