Reducing False Alarm Rates in Intrusion Detection Systems
ID: LiTH-IDA-Ex-03/067-SE

An indispensable component within computer security today is an
intrusion detection system (IDS). An IDS is a software or hardware
system that monitors the events occurring in a computer system or
network for signs of intrusion. Current intrusion detection systems have
a high false alarm rate, sometimes in the range of 90%. The result is a
massive information overload imposed on the operator. In this thesis I
will show how to reduce the information overload and increase the
coverage of IDSs by filtering, aggregating and correlating alarms from
several IDSs (Snort, Syslog and Samhain). The methods are tested against
generated data and show that filtering and aggregation reduces the
number of alarms by 97.4%. The correlation implementations can in turn
be treated as an IDS in their own right, with detection rates ranging
from 50% to 90% and false positive (false alarm) rates ranging from 15%
down to 0.1%. A classical intrusion detection result is observed: when
an increase in the detection rate is wanted, the false positive rate
will also rise.
Unforeseen misconfigurations in the system can generate a lot of alarms
that will disturb the detection process. To make the process more
robust, two methods for automatic detection of alarms generated due to
misconfigurations are proposed and tested.
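A toy version of the filter, aggregate and correlate pipeline sketched above, written as an added example for this page and not taken from the thesis; the sensor names, signatures, hosts, time windows and the alarm stream itself are all constructed assumptions:

```python
from collections import defaultdict, namedtuple
Alarm = namedtuple("Alarm", "ts sensor host sig")  # ts (s), sensor, host, signature

# Constructed sample stream (not data from the thesis): a Snort scan burst and syslog
# login failures on one host, then a Samhain integrity alarm; cron noise on another.
ALARMS = (
    [Alarm(100 + i, "snort", "10.0.0.5", "ICMP PING NMAP") for i in range(20)]
    + [Alarm(105 + i, "syslog", "10.0.0.5", "sshd: failed password") for i in range(5)]
    + [Alarm(110, "samhain", "10.0.0.5", "file changed: /etc/passwd")]
    + [Alarm(300 + i, "syslog", "10.0.0.9", "cron: session opened") for i in range(30)]
)

# Filtering: signatures the operator has classified as noise in this environment.
NOISE = {"cron: session opened"}

def filter_alarms(alarms, noise=NOISE):
    return [a for a in alarms if a.sig not in noise]

def aggregate(alarms, window=60):
    """Collapse alarms sharing (sensor, host, sig) within `window` seconds of the
    first one into a single record that carries a count instead of N copies."""
    out, open_idx = [], {}
    for a in sorted(alarms, key=lambda a: a.ts):
        key = (a.sensor, a.host, a.sig)
        i = open_idx.get(key)
        if i is not None and a.ts - out[i]["first"] <= window:
            out[i]["count"] += 1
            out[i]["last"] = a.ts
        else:
            open_idx[key] = len(out)
            out.append({"key": key, "first": a.ts, "last": a.ts, "count": 1})
    return out

def correlate(aggregated, window=60):
    """Emit (host, sensors) when two or more different sensors report the same
    host within `window` seconds; single-sensor activity is left uncorrelated."""
    by_host = defaultdict(list)
    for rec in aggregated:
        by_host[rec["key"][1]].append(rec)
    hits = []
    for host, recs in by_host.items():
        sensors = {r["key"][0] for r in recs}
        span = max(r["last"] for r in recs) - min(r["first"] for r in recs)
        if len(sensors) >= 2 and span <= window:
            hits.append((host, sorted(sensors)))
    return hits

def reduction(alarms):
    """Fraction of raw alarms removed by filtering followed by aggregation."""
    return 1 - len(aggregate(filter_alarms(alarms))) / len(alarms)
```

On the constructed stream the 56 raw alarms shrink to 3 aggregated records, and the cross-sensor correlation fires only for the host that Snort, syslog and Samhain all reported within the window.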
Using the experience gathered during the work with the thesis, a generic
architecture for reducing false alarm rates in IDSs is proposed.

Keywords: Intrusion detection, alarm reduction, correlation
Author(s): Tobias Chyssler
Contact: Simin Nadjm-Tehrani