False positive reduction through IDS network awareness

Abstract

The common intrusion detection system is unable to determine the relevance of the alerts it generates because it lacks network and context awareness. A prototype was developed with the purpose of reducing the amount of false positives found in these systems. The prototype has the ability to determine the relevance of each alert by investigating the alert’s vulnerability information and the target’s host information. Challenges with passive fingerprinting of hosts behind Network Address Translation and in dynamic networks were also discussed and solved. Testing on real network traffic indicated that the prototypewas successful in correctly categorizing a variety of alerts by assigning scores to each alert. This way the alerts can be ordered by their likeliness of being true positives, and the number of alerts that the system administrator has to investigate is reduced to a manageable size.