
Announcements


[03 March 2004] A masters student at RTSLAB was awarded the best thesis award from IDA - Tobias Chyssler.


Master Thesis - Past Projects - Abstract

Reducing False Alarm Rates in Intrusion Detection Systems

ID: LiTH-IDA-Ex-03/067-SE

An indispensable component of computer security today is the intrusion detection system (IDS). An IDS is a software or hardware system that monitors the events occurring in a computer system or network for signs of intrusion. Current intrusion detection systems have a high false alarm rate, sometimes in the range of 90%. The result is a massive information overload imposed on the operator. In this thesis I show how to reduce the information overload and increase the coverage of IDSs by filtering, aggregating and correlating alarms from several IDSs (Snort, Syslog and Samhain). The methods are tested against generated data and show that filtering and aggregation reduce the number of alarms by 97.4%. The correlation implementations can in turn be treated as an IDS. They have detection rates ranging from 50% to 90% with false positive (false alarm) rates ranging from 15% down to 0.1%. A classical intrusion detection result is observed: when an increase in the detection rate is wanted, the false positive rate will also rise. Unforeseen misconfigurations in the system can generate a lot of alarms that disturb the detection process. To make the process more robust, two methods for automatic detection of alarms generated due to misconfigurations are proposed and tested. Using the experience gathered during the work on the thesis, a generic architecture for reducing false alarm rates in IDSs is proposed.
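The three reduction steps named in the abstract (filtering, aggregation, cross-sensor correlation) and the detection-rate/false-positive trade-off can be illustrated with a small pipeline. The code below is an added example written for this page; it is not the thesis's own implementation, and the pipe-separated alarm format, the sample alarms, the suppression rule and the ground truth are all constructed assumptions. The correlation step is a deliberately simple one (flag a host once at least `min_sensors` different sensors have alarmed on it), chosen only to show why raising the threshold lowers the false positive rate at the cost of detection rate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alarms in a simplified pipe-separated form
# (sensor|timestamp|source host|signature). The format, hosts and
# signatures are assumptions of this example, not real Snort, syslog
# or Samhain output.
RAW_ALARMS = [
    "snort|2003-05-12 10:00:01|10.0.0.5|WEB-IIS cmd.exe access",
    "snort|2003-05-12 10:00:02|10.0.0.5|WEB-IIS cmd.exe access",
    "snort|2003-05-12 10:00:03|10.0.0.5|WEB-IIS cmd.exe access",
    "snort|2003-05-12 10:00:04|10.0.0.5|WEB-IIS cmd.exe access",
    "syslog|2003-05-12 10:00:10|10.0.0.5|sshd: Failed password for root",
    "syslog|2003-05-12 10:00:12|10.0.0.5|sshd: Failed password for root",
    "samhain|2003-05-12 10:01:00|10.0.0.5|CRIT file changed /etc/passwd",
    "snort|2003-05-12 10:05:00|10.0.0.9|ICMP PING NMAP",
    "snort|2003-05-12 10:05:01|10.0.0.9|ICMP PING NMAP",
    "samhain|2003-05-12 10:10:00|10.0.0.7|WARN file changed /var/log/messages",
    "samhain|2003-05-12 10:10:00|10.0.0.8|WARN file changed /var/log/messages",
    "syslog|2003-05-12 10:20:00|10.0.0.7|sshd: Failed password for alice",
    "snort|2003-05-12 10:30:00|10.0.0.11|SHELLCODE x86 NOOP",
]

# Constructed suppression rule: Samhain alarms on files under /var/log are
# known here to come from scheduled log rotation (a misconfiguration-style
# source of noise), so they are filtered out before anything else.
SUPPRESS = [("samhain", re.compile(r"file changed /var/log/"))]

# Constructed ground truth used only for the evaluation step.
TRUE_ATTACKERS = {"10.0.0.5", "10.0.0.11"}


def parse(line):
    sensor, ts, src, sig = line.split("|", 3)
    return {"sensor": sensor, "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "sig": sig}


def filter_alarms(alarms, suppress=SUPPRESS):
    """Drop alarms that match a suppression rule (sensor + signature pattern)."""
    return [a for a in alarms
            if not any(a["sensor"] == s and p.search(a["sig"]) for s, p in suppress)]


def aggregate(alarms, window=timedelta(seconds=60)):
    """Merge repeated alarms with the same sensor/source/signature that fall
    within `window` of the first occurrence into one alarm carrying a count."""
    out, open_groups = [], {}
    for a in sorted(alarms, key=lambda x: x["ts"]):
        key = (a["sensor"], a["src"], a["sig"])
        g = open_groups.get(key)
        if g is not None and a["ts"] - g["first"] <= window:
            g["count"] += 1
            g["last"] = a["ts"]
        else:
            g = dict(a, first=a["ts"], last=a["ts"], count=1)
            open_groups[key] = g
            out.append(g)
    return out


def reduction_percent(before, after):
    """Percentage of alarms removed by the reduction steps."""
    return round(100.0 * (1 - len(after) / len(before)), 1)


def correlate(alarms, min_sensors):
    """Cross-sensor correlation: flag a source host when at least
    `min_sensors` distinct sensors raised an alarm about it."""
    sensors_per_host = defaultdict(set)
    for a in alarms:
        sensors_per_host[a["src"]].add(a["sensor"])
    return {h for h, s in sensors_per_host.items() if len(s) >= min_sensors}


def evaluate(flagged, truth, all_hosts):
    """Detection rate and false positive rate of a set of flagged hosts."""
    benign = all_hosts - truth
    detection = len(flagged & truth) / len(truth)
    false_pos = len(flagged & benign) / len(benign) if benign else 0.0
    return detection, false_pos


def run_pipeline(raw=RAW_ALARMS, min_sensors=2):
    alarms = [parse(line) for line in raw]
    filtered = filter_alarms(alarms)
    aggregated = aggregate(filtered)
    hosts = {a["src"] for a in alarms}
    flagged = correlate(aggregated, min_sensors)
    det, fpr = evaluate(flagged, TRUE_ATTACKERS, hosts)
    return {"raw": len(alarms), "filtered": len(filtered),
            "aggregated": len(aggregated),
            "reduction": reduction_percent(alarms, aggregated),
            "flagged": flagged, "detection_rate": det,
            "false_positive_rate": fpr}


if __name__ == "__main__":
    for k in (1, 2):
        print(f"min_sensors={k}:", run_pipeline(min_sensors=k))
```

On the constructed input, filtering and aggregation shrink 13 raw alarms to 6. With `min_sensors=2` only the host seen by all three sensors is flagged (no false positives, but the single-alarm attacker is missed); with `min_sensors=1` every alarming host is flagged, so the detection rate rises to 100% while two of the three benign hosts become false positives. This is the same trade-off the abstract reports between its 50%-90% detection rates and 0.1%-15% false positive rates.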

Keywords: Intrusion detection, alarm reduction, correlation

Author(s): Tobias Chyssler

Contact: Simin Nadjm-Tehrani

Last modified September 2012.