
System and Method for Adaptive Automatic Classification of Intrusion Detection Events

IP.com Disclosure Number: IPCOM000020107D
Original Publication Date: 2003-Oct-27
Included in the Prior Art Database: 2003-Oct-27
Document File: 5 page(s) / 211K

Publishing Venue

IBM

Abstract

Intrusion Detection Systems (IDSs) generate an abundance of redundant as well as false alerts, which makes the identification of real security threats difficult. Security analysts spend a considerable amount of time on this task. The system is a software agent that observes the analysts as they manually classify and respond to alerts, and builds an alert classifier using machine learning techniques. The system tries to automatically classify each new alert and so reduce the analyst's workload. Being aware of its own limitations, it assesses the confidence of each classification. Alerts classified with high confidence can be handled automatically, while the others are passed back to the analyst. The system is adaptive: based on its current performance, it dynamically updates its classification model and its confidence values.

This is the abbreviated version, containing approximately 36% of the total text.

Page 1 of 5


Problem Area

Intrusion Detection Systems (IDSs) generate an abundance of redundant as well as false alerts. As a consequence, it becomes extremely difficult for an IDS analyst to identify the real security threats.

Current Solutions

One solution, commonly known as alert correlation, groups alerts so that all alerts of the same group pertain to the same phenomenon (generally the same attack). Alert filtering, which is another widely deployed solution, uses filtering rules to discard false positives or to rank alerts by severity. Both solutions have the drawback that it is extremely difficult to obtain and maintain a knowledge base of good correlation or filtering rules. This proposal uses automatic classification mechanisms combined with continuous classification improvement (typically using techniques from machine learning) to alleviate this drawback.

Proposed Solution

It is proposed to build a software "agent" that observes the IDS analyst as she manually classifies alerts, sorts them into true positives and false positives, and responds to them. The proposed software agent incrementally learns the analyst's abilities. Moreover, the agent builds confidence in how well it can do the analyst's job by continuously optimizing the classification model based on the analyst's input. After some training time, when the agent sees an alert that it feels confident to handle, it grabs the alert and handles it autonomously without involving the analyst. That reduces the analyst's workload. Alerts that the agent does not feel confident to handle are passed on to the analyst. Occasionally, the agent will randomly forward alerts to the analyst even though it feels confident to handle them autonomously. By observing the analyst's reaction to these alerts, the agent can then update the confidence it can have in its own decisions.

To mitigate the risk of erroneous agent decisions, one can configure the agent to require high confidence for all of its autonomous actions. Additionally, before the model is updated, one can introduce an additional step in which the classification model the agent has learned (e.g. a set of explicit rules) is inspected manually, so that the rules are justifiably safe to apply.

Figure 1 shows the proposed solution for the simplest case, where the agent learns to distinguish true and false positives. Not shown in the diagram is the fact that even when the agent is confident in its decision, it will occasionally forward alerts to the analyst so that it can check and potentially revise its confidence.
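An added example, not part of the disclosure, sketching the agent loop described above in Python: a naive Bayes classifier over a few assumed categorical alert fields, a confidence threshold for autonomous handling, random auditing of confident decisions, and recalibration of the threshold from the analyst's verdicts. The field names, the 95% accuracy target and the step sizes are assumptions chosen for the example.

```python
import random
from collections import defaultdict

FEATURES = ("signature", "src_internal", "dst_port")  # assumed alert fields (constructed)

class AdaptiveAlertAgent:
    def __init__(self, threshold=0.95, audit_rate=0.1, seed=0):
        self.threshold = threshold    # minimum confidence to act without the analyst
        self.audit_rate = audit_rate  # share of confident alerts still shown to the analyst
        self.rng = random.Random(seed)
        self.class_counts = {True: 0, False: 0}
        self.feature_counts = defaultdict(lambda: {True: 0, False: 0})
        self.audit_hits = self.audit_total = 0

    def learn(self, alert, is_true_positive):
        # Record the analyst's verdict against every feature value of the alert.
        self.class_counts[is_true_positive] += 1
        for f in FEATURES:
            self.feature_counts[(f, alert[f])][is_true_positive] += 1

    def p_true_positive(self, alert):
        # Naive Bayes over categorical features with Laplace smoothing.
        score = {}
        for c in (True, False):
            p = (self.class_counts[c] + 1) / (sum(self.class_counts.values()) + 2)
            for f in FEATURES:
                seen = self.feature_counts[(f, alert[f])][c]
                p *= (seen + 1) / (self.class_counts[c] + 2)
            score[c] = p
        return score[True] / (score[True] + score[False])

    def handle(self, alert, analyst):
        # Returns (label, route); route is "auto", "analyst" or "audited".
        p = self.p_true_positive(alert)
        label, confidence = p >= 0.5, max(p, 1 - p)
        if confidence < self.threshold:           # not confident: the analyst decides
            truth = analyst(alert)
            self.learn(alert, truth)
            return truth, "analyst"
        if self.rng.random() >= self.audit_rate:  # confident: handle autonomously
            return label, "auto"
        truth = analyst(alert)                    # confident, but randomly audited
        self.learn(alert, truth)
        self.audit_total += 1
        self.audit_hits += truth == label
        # Recalibrate: tighten the threshold if audited accuracy slips below the target.
        acc = self.audit_hits / self.audit_total
        self.threshold = min(0.99, self.threshold + 0.02) if acc < 0.95 else max(0.80, self.threshold - 0.01)
        return truth, "audited"
```

The `analyst` argument is any callable returning the analyst's true/false-positive verdict; in the test it is a stub standing in for the manual classification step.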


Figure 1: Flow diagram showing the classification process for the simple case where a binary classification into "false positive" and "true positive" events is performed.

Generalized Embodiment

Figure 2 shows a generalized embodiment, displayed as a Gane-Sarson dataflow diagram. The process elements and data elements are detailed below.
