Towards adaptive event prioritization for network security - ideas and challenges

In the network security domain Intrusion detection systems (IDS) are known for their problems in creating huge amounts of data and especially false positives. Several approaches, originating in the machine learning domain, have been proposed for a better classification. However, threat prioritization has also shown, that a distinction in true and false positives is not always sufficient for a profound security analysis. We therefore propose an approach to combine several aspects from those two areas. On the one hand, threat and event prioritization approaches are rather static with fixed calculation rules, whereas rule learning in alert verification focuses mostly on a binary classification and does not target rule parameters. In this paper we highlight specifics and challenges in event prioritization rules and describe first ideas and challenges towards solutions by the means of automatically learning these aspects.