A test of intrusion alert filtering based on network information

Intrusion detection systems continue to be a promising security technology. The arguably biggest problem with today’s intrusion detection systems is the sheer number of alerts they produce for events that are regarded as benign or non-critical by system administrators. A plethora of more and less complex solutions has been proposed to filter the relevant (i.e., correct) alerts that signature based intrusion detection sensors produce. This paper reports on a test performed to test a number of filtering alternatives that take advantage of information about static properties of the monitored computer network, such as vulnerabilities and exposure of ports and hosts. The results show that none of the filters are able to maintain a high recall (portion of detected attacks) while increasing the precision (portion of relevant alerts). At most, precision increased from 1.4 percent to 2.9 percent, and this also resulted in a decrease in recall from 44 percent to 26 percent. Even when combined in an exploratory fashion the filters fail to provide improved precision. It is concluded that filters based on static properties of the computer network do not result in clear improvements to alert-lists produced by signature based intrusion detection systems.