System and Method for Adaptive Automatic Classification of Intrusion Detection Events
Original Publication Date: 2003-Oct-27
Included in the Prior Art Database: 2003-Oct-27
Intrusion Detection Systems (IDSs) generate an abundance of redundant and false alerts, which makes the identification of real security threats difficult. Security analysts spend a considerable amount of time on this task. The system is a software agent that observes the analysts as they manually classify and respond to alerts, and builds an alert classifier from those decisions using machine learning techniques. The system then tries to classify each new alert automatically in order to reduce the analyst's workload. Being aware of its own limitations, it assesses the confidence of each classification: alerts classified with high confidence can be handled automatically, while the others are passed back to the analyst. The system is adaptive. Based on its current performance, it dynamically updates both its classification model and the confidence values.
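The following is an added illustration of the loop described above, not code from the disclosure: a classifier learned online from analyst labels, a confidence gate that decides between automatic handling and escalation, and a feedback step that adjusts the gate from observed accuracy. The choice of naive Bayes over categorical alert attributes, the Laplace smoothing, the threshold-update rule and the simulated analyst are all assumptions made for the example; the sample alerts are constructed, not real IDS output.

```python
import math
from collections import Counter, defaultdict

TRUE_POSITIVE, FALSE_POSITIVE = "true_positive", "false_positive"
CLASSES = (TRUE_POSITIVE, FALSE_POSITIVE)


class AdaptiveAlertClassifier:
    """Incremental naive Bayes over categorical alert attributes (assumed model),
    gated by a confidence threshold that moves with the observed accuracy."""

    def __init__(self, threshold=0.9, step=0.02):
        self.class_counts = Counter()                 # label -> alerts seen
        self.feature_counts = defaultdict(Counter)    # (attr, value) -> label -> count
        self.values_seen = defaultdict(set)           # attr -> distinct values seen
        self.threshold = threshold                    # minimum confidence to auto-handle
        self.step = step                              # how fast the gate adapts
        self.auto_handled = self.escalated = 0

    def learn(self, alert, label):
        """Update the model from one analyst-labelled alert (online learning)."""
        self.class_counts[label] += 1
        for attr, value in alert.items():
            self.feature_counts[(attr, value)][label] += 1
            self.values_seen[attr].add(value)

    def posterior(self, alert):
        """Laplace-smoothed class posteriors. An attribute value never seen before
        gets a uniform share rather than a zero that would silence the whole product."""
        total = sum(self.class_counts.values())
        log_p = {}
        for c in CLASSES:
            lp = math.log((self.class_counts[c] + 1) / (total + len(CLASSES)))
            for attr, value in alert.items():
                k = len(self.values_seen[attr] | {value})
                lp += math.log((self.feature_counts[(attr, value)][c] + 1)
                               / (self.class_counts[c] + k))
            log_p[c] = lp
        m = max(log_p.values())
        z = sum(math.exp(v - m) for v in log_p.values())
        return {c: math.exp(v - m) / z for c, v in log_p.items()}

    def classify(self, alert):
        post = self.posterior(alert)
        label = max(post, key=post.get)
        return label, post[label]

    def handle(self, alert, analyst):
        """Auto-handle a confident classification; otherwise escalate to the analyst
        (a callable returning the true label) and learn from the answer.
        Returns (label, confidence, escalated)."""
        label, conf = self.classify(alert)
        if conf >= self.threshold:
            self.auto_handled += 1
            return label, conf, False
        self.escalated += 1
        true_label = analyst(alert)
        self.learn(alert, true_label)
        return true_label, conf, True

    def audit(self, alert, true_label):
        """Feedback on an alert that was auto-handled: a wrong call tightens the gate
        quickly, a correct one loosens it slowly, and the model learns either way.
        Returns True when the automatic decision was correct."""
        predicted, _ = self.classify(alert)
        self.learn(alert, true_label)
        if predicted != true_label:
            self.threshold = min(0.99, self.threshold + self.step)
        else:
            self.threshold = max(0.5, self.threshold - self.step / 4)
        return predicted == true_label


# Constructed sample alerts (not real IDS output); values are already bucketed.
SEED = [
    ({"sig": "ICMP ping", "src_net": "internal", "dst_port": "none"}, FALSE_POSITIVE),
    ({"sig": "ICMP ping", "src_net": "internal", "dst_port": "none"}, FALSE_POSITIVE),
    ({"sig": "SQL injection", "src_net": "external", "dst_port": "80"}, TRUE_POSITIVE),
    ({"sig": "SQL injection", "src_net": "external", "dst_port": "443"}, TRUE_POSITIVE),
    ({"sig": "port scan", "src_net": "external", "dst_port": "many"}, TRUE_POSITIVE),
    ({"sig": "port scan", "src_net": "internal", "dst_port": "many"}, FALSE_POSITIVE),
]


def simulated_analyst(alert):
    """Stand-in for the human analyst (assumption): anything from outside the perimeter is real."""
    return TRUE_POSITIVE if alert["src_net"] == "external" else FALSE_POSITIVE


def build_classifier():
    clf = AdaptiveAlertClassifier()
    for alert, label in SEED:
        clf.learn(alert, label)
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for alert in [{"sig": "ICMP ping", "src_net": "internal", "dst_port": "none"},
                  {"sig": "SMB exploit", "src_net": "external", "dst_port": "445"}]:
        label, conf, escalated = clf.handle(alert, simulated_analyst)
        print(f"{alert['sig']:<12} -> {label:<14} conf={conf:.2f} "
              f"{'escalated' if escalated else 'auto-handled'}")
    print(f"auto={clf.auto_handled} escalated={clf.escalated} threshold={clf.threshold:.2f}")
```

On the constructed seed, a repeat of the familiar internal ping is auto-handled as a false positive at about 0.97 confidence, while a signature the model has never seen is scored at only 0.80 and escalated; the analyst's answer is learned immediately. The confidence gate is the safety valve: if an audited automatic decision turns out to be wrong, the threshold rises and more alerts flow back to the analyst until accuracy recovers.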