System and Method for Adaptive Automatic Classification of Intrusion Detection Events

IP.com Disclosure Number: IPCOM000020107D
Original Publication Date: 2003-Oct-27
Included in the Prior Art Database: 2003-Oct-27

Publishing Venue

IBM

Abstract

Intrusion Detection Systems (IDSs) generate an abundance of redundant as well as false alerts, which makes the identification of real security threats difficult. Security analysts spend a considerable amount of time trying to achieve it. The system is a software agent that observes the analysts as they manually classify and respond to alerts, and builds an alert classifier using machine learning techniques. The system tries to automatically classify each new alert and reduce the analyst's workload. Being aware of its own limitations, it assesses the confidence of its classification. Alerts classified with high confidence can be handled automatically, while the others are passed back to the analyst. The system is adaptive: based on its current performance, it dynamically updates its classification model and the confidence values.