[26 May 2014] A bachelor student at RTSLAB, Simon Andersson, was awarded the best thesis award from IDA.
[31 May 2012] A master's student at RTSLAB, Ulf Magnusson, was awarded the best thesis award from IDA.
[27 February 2008] A master's student at RTSLAB, Johan Sigholm, was awarded the best thesis award from IDA.
[03 March 2004] A master's student at RTSLAB, Tobias Chyssler, was awarded the best thesis award from IDA.
[01 Jul 2003] For the second year in a row a master's student at RTSLAB, Mehdi Amirijoo, was awarded the best thesis award from SNART.
Master Thesis - Past Projects - Abstract
Reducing False Alarm Rates in Intrusion Detection Systems
An indispensable component within computer security today is an
intrusion detection system (IDS). An IDS is a software or hardware
system that monitors the events occurring in a computer system or
network for signs of intrusion. Current intrusion detection systems have
a high false alarm rate, sometimes in the range of 90%. The result is a
massive information overload imposed on the operator. In this thesis I
will show how to reduce the information overload and increase the
coverage of IDSs by filtering, aggregating and correlating alarms from
several IDSs (Snort, Syslog and Samhain). The methods are tested against
generated data and show that filtering and aggregation reduce the
number of alarms by 97.4%. The correlation implementations can in turn
be treated as IDSs. They have detection rates ranging from 50% to 90%
with false positive (false alarm) rates ranging from 15% down to 0.1%. A
classical intrusion detection result is observed: when an increase in
the detection rate is wanted, the false positive rate will also rise.
Unforeseen misconfigurations in the system can generate a lot of alarms
that will disturb the detection process. To make the process more
robust, two methods for automatic detection of alarms generated due to
misconfigurations are proposed and tested.
Using the experience gathered during the work on the thesis, a generic
architecture for reducing false alarm rates in IDSs is proposed.
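As an added illustration of the filter/aggregate/correlate pipeline the abstract sketches (this is not code from the thesis or from RTSLAB), the Python below parses constructed alarms written in simplified Snort, syslog and Samhain line formats (the formats, the hostname-to-IP map, the filter rule, the time windows and the thresholds are all assumptions), drops known-benign alarms by rule, merges repeats into meta-alarms, flags a signature that fires at a constant interval as a probable misconfiguration (a heuristic of my own, not one of the two methods the thesis proposes), and then correlates the remaining meta-alarms per host across sensors so that a host reported by several sensors surfaces as one incident.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified line formats: every sensor prints an ISO-8601 timestamp first.
# Real Snort, syslog and Samhain output differs; these regexes fit only the samples below.
SNORT_RE = re.compile(r"^(\S+) \[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] \{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+$")
SYSLOG_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed password for \S+) from ([\d.]+)")
SAMHAIN_RE = re.compile(r"^(\S+) (\S+) Samhain\[\d+\]: (CRIT|WARN) +(.+)$")
HOSTS = {"web1": "10.0.0.5"}          # assumed asset inventory: hostname -> IP
FILTER_RULES = {("snort", "ICMP PING NMAP", "10.0.0.250")}  # assumed: monitor box pinging web1
AGG_WINDOW = timedelta(seconds=60)    # repeats of one key within 60 s -> one meta-alarm
CORR_WINDOW = timedelta(minutes=10)   # >= 2 sensors on one host within 10 min -> incident
MIN_REPEATS = 4                       # hits needed before a signature is judged periodic

SAMPLE_LINES = [  # constructed alarms for one host; not data from the thesis
    "2004-03-03T10:00:01 [**] [1:2001219:1] ET SCAN Potential SSH Scan [**] {TCP} 192.0.2.7:4001 -> 10.0.0.5:22",
    "2004-03-03T10:00:02 [**] [1:2001219:1] ET SCAN Potential SSH Scan [**] {TCP} 192.0.2.7:4002 -> 10.0.0.5:22",
    "2004-03-03T10:00:30 [**] [1:469:3] ICMP PING NMAP [**] {ICMP} 10.0.0.250:0 -> 10.0.0.5:0",
    "2004-03-03T10:00:10 web1 sshd[2311]: Failed password for root from 192.0.2.7 port 4010 ssh2",
    "2004-03-03T10:00:11 web1 sshd[2312]: Failed password for root from 192.0.2.7 port 4011 ssh2",
    "2004-03-03T10:02:00 web1 Samhain[900]: CRIT POLICY [ReadOnly] C--------T- /etc/passwd",
    # a log file wrongly placed under a read-only integrity policy fires once a minute
    "2004-03-03T10:00:00 web1 Samhain[900]: WARN POLICY [ReadOnly] C--------T- /var/log/messages",
    "2004-03-03T10:01:00 web1 Samhain[900]: WARN POLICY [ReadOnly] C--------T- /var/log/messages",
    "2004-03-03T10:02:00 web1 Samhain[900]: WARN POLICY [ReadOnly] C--------T- /var/log/messages",
    "2004-03-03T10:03:00 web1 Samhain[900]: WARN POLICY [ReadOnly] C--------T- /var/log/messages",
]

def parse(lines):
    """Normalise each sensor's line into {ts, sensor, sig, src, host}, time-sorted."""
    alarms = []
    for line in lines:
        if m := SNORT_RE.match(line):
            a = dict(sensor="snort", sig=m[2], src=m[3], host=m[4])
        elif m := SYSLOG_RE.match(line):
            a = dict(sensor="syslog", sig=m[3], src=m[4], host=HOSTS[m[2]])
        elif m := SAMHAIN_RE.match(line):
            a = dict(sensor="samhain", sig=m[4], src=None, host=HOSTS[m[2]])
        else:
            continue  # unknown format: dropped
        a["ts"] = datetime.fromisoformat(m[1])
        alarms.append(a)
    return sorted(alarms, key=lambda a: a["ts"])

def filter_alarms(alarms):
    """Drop alarms matching a known-benign (sensor, signature, source) rule."""
    return [a for a in alarms if (a["sensor"], a["sig"], a["src"]) not in FILTER_RULES]

def aggregate(alarms):
    """Merge repeats of one (sensor, sig, src, host) within AGG_WINDOW into a meta-alarm."""
    metas, latest = [], {}
    for a in alarms:
        key = (a["sensor"], a["sig"], a["src"], a["host"])
        m = latest.get(key)
        if m and a["ts"] - m["last"] <= AGG_WINDOW:
            m["count"], m["last"] = m["count"] + 1, a["ts"]
        else:
            m = latest[key] = dict(a, count=1, first=a["ts"], last=a["ts"])
            metas.append(m)
    return metas

def periodic_signatures(alarms):
    """Misconfiguration heuristic (added here, not one of the thesis's two methods):
    a signature firing at an almost constant interval MIN_REPEATS times or more
    behaves like a scheduled check, not like an attacker."""
    stamps = defaultdict(list)
    for a in alarms:
        stamps[(a["sensor"], a["sig"])].append(a["ts"])
    flagged = set()
    for key, ts in stamps.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= MIN_REPEATS and statistics.pstdev(gaps) <= 0.1 * statistics.mean(gaps):
            flagged.add(key)
    return flagged

def correlate(metas, ignore):
    """Incident: one host reported by >= 2 different sensors within CORR_WINDOW,
    with signatures flagged as misconfiguration left out of the evidence."""
    by_host = defaultdict(list)
    for m in metas:
        if (m["sensor"], m["sig"]) not in ignore:
            by_host[m["host"]].append(m)
    incidents = []
    for host, ms in by_host.items():
        firsts = [m["first"] for m in ms]
        sensors = {m["sensor"] for m in ms}
        if len(sensors) >= 2 and max(firsts) - min(firsts) <= CORR_WINDOW:
            incidents.append(dict(host=host, sensors=sorted(sensors),
                                  sources=sorted({m["src"] for m in ms if m["src"]})))
    return incidents

def run(lines=SAMPLE_LINES):
    raw = parse(lines)
    kept = filter_alarms(raw)
    metas = aggregate(kept)
    misconfig = periodic_signatures(kept)
    return dict(raw=len(raw), filtered=len(kept), meta=len(metas),
                reduction=round(1 - len(metas) / len(raw), 3),
                misconfig=sorted(misconfig), incidents=correlate(metas, misconfig))

if __name__ == "__main__": print(run())
```

On the constructed input, ten raw alarms become four meta-alarms, the minute-by-minute Samhain warning is flagged as periodic and excluded from correlation, and the SSH scan, the failed root logins and the /etc/passwd change are tied together into a single incident on 10.0.0.5 from 192.0.2.7. The periodicity test is deliberately crude: an attacker who paces a brute-force attempt at a constant rate would also look "scheduled", which is why MIN_REPEATS and the 10% tolerance are tunable rather than fixed.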
Keywords: Intrusion detection, alarm reduction, correlation
Author(s): Tobias Chyssler
Contact: Simin Nadjm-Tehrani