Alarm management for intrusion detection systems - Prioritizing and presenting alarms from intrusion detection systems

Sammanfattning: Intrusion detection systems (IDSs) are important tools helping the network andsystem administrators to detect intrusions, but have the drawback of many falsepositives. Due to increasing bandwidth, an IDS must process a vast amount ofdata, which results in an ever increasing amount of alarms. For a system administratorto be able to handle the alarms they must be aggregated, correlatedand ordered into a manageable form and presented in a way which is easy tooverview.In this thesis we study aggregation, correlation, filtering and ranking as methodsfor managing alarms from IDSs. We have implemented a ranking functionalityin the graphical user interface Snorby, a front end to the open source IDS Snort.Each alarm starts with a basic rank of 0 and the user is able to prioritize ordown prioritize the alarm by pressing either a ’+’ button or a ’-’ button, thusinfluencing its current rank. The rank is calculated from several features, i.e.source IP, destination IP, destination port and alarm signature.Based on our studies we suggest that ranking systems supported by user voteshave several advantages. First, they allow the user to dynamically change theway the IDS lists the alarms through a very simple means. Second, it shortensthe time required to locate the more important ones, thus reducing the likelihoodthat a serious attack will be missed.