Data mining and machine learning - Towards reducing false positives in intrusion detection

Intrusion Detection Systems (IDSs) are used to monitor computer systems for signs of security violations. Having detected such signs, IDSs trigger alerts to report them. These alerts are presented to a human analyst, who evaluates them and initiates an adequate response. In practice, IDSs have been observed to trigger thousands of alerts per day, most of which are mistakenly triggered by benign events (i.e., false positives). This makes it extremely difficult for the analyst to correctly identify alerts related to attacks (i.e., true positives). In this paper we present two orthogonal and complementary approaches to reduce the number of false positives in intrusion detection using alert postprocessing by data mining and machine learning. Moreover, these two techniques, because of their complementary nature, can be used together in an alert-management system. These concepts have been verified on a variety of data sets, and achieved a significant reduction of the number of false positives in both simulated and real environments.