HANDLING IDS’ RELIABILITY IN ALERT CORRELATION - A Bayesian Network-based Model for Handling IDS’s Reliability and Controlling Prediction/False Alarm Rate Tradeoffs

Karim Tabia, Philippe Leray

2010

Abstract

Probabilistic graphical models are very efficient modeling and reasoning tools. In this paper, we propose an efficient and novel Bayesian network model for a major problem in alert correlation, which plays a crucial role in today's computer security. Indeed, the use of multiple intrusion detection systems (IDSs) and complementary approaches is fundamental to improving overall detection rates. This, however, inevitably raises huge numbers of alerts, most of which are redundant or false alarms, making manual analysis of all the triggered alerts intractable. In this paper, we first propose a Bayesian network-based model that handles the reliability of IDSs when predicting severe attacks by correlating the alerts reported by the IDSs monitoring the network. Then we propose a flexible and efficient approach especially designed to limit false alarm rates by controlling the confidence of the prediction model. Finally, we provide experimental studies carried out on a real and representative alert corpus showing significant improvements in the tradeoffs between prediction rates and the corresponding false alarm rates.
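The two ideas in the abstract, IDS reliability inside a Bayesian network and a confidence threshold that trades prediction rate against false alarm rate, as an added example that is not the paper's code. It assumes a naive-Bayes structure (one Attack node with one alert node per IDS), constructed reliability parameters, a constructed prior and a constructed labelled alert corpus; none of these values come from the paper.

```python
# Added example (not the paper's code): naive-Bayes-style BN Attack -> Alert_i per IDS,
# parameterised by each IDS's reliability, plus a confidence threshold on the posterior.
# Reliability values, prior and corpus are constructed for illustration.
# P(alert | attack) = detection rate, P(alert | benign) = false-positive rate
IDS_RELIABILITY = {
    "nids_a": (0.90, 0.05),   # sensitive but noisy
    "nids_b": (0.80, 0.02),
    "hids":   (0.60, 0.01),   # misses a lot but rarely cries wolf
}
PRIOR_ATTACK = 0.01  # constructed prior of a severe attack in one observation window

def posterior_attack(alerts, reliability=IDS_RELIABILITY, prior=PRIOR_ATTACK):
    """Return P(attack | which IDSs fired), assuming alerts are conditionally
    independent given the Attack node (the naive Bayes structure)."""
    p_attack, p_benign = prior, 1.0 - prior
    for name, (det_rate, fp_rate) in reliability.items():
        fired = alerts.get(name, False)  # an IDS that stayed silent is evidence too
        p_attack *= det_rate if fired else 1.0 - det_rate
        p_benign *= fp_rate if fired else 1.0 - fp_rate
    return p_attack / (p_attack + p_benign)

def evaluate(labelled, threshold):
    """Predict 'severe attack' when the posterior reaches `threshold`; return
    (prediction_rate, false_alarm_rate) over a labelled corpus."""
    tp = fn = fp = tn = 0
    for alerts, is_attack in labelled:
        predicted = posterior_attack(alerts) >= threshold
        if is_attack:
            tp, fn = tp + predicted, fn + (not predicted)
        else:
            fp, tn = fp + predicted, tn + (not predicted)
    prediction_rate = tp / (tp + fn) if tp + fn else 0.0
    false_alarm_rate = fp / (fp + tn) if fp + tn else 0.0
    return prediction_rate, false_alarm_rate

# Constructed labelled corpus: (alerts observed in a window, was it a severe attack?)
CORPUS = [
    ({"nids_a": True, "nids_b": True, "hids": True}, True),
    ({"nids_a": True, "nids_b": True}, True),
    ({"nids_a": True}, True),                 # attack seen by one IDS only
    ({"nids_a": True}, False),                # lone alert from the noisy IDS
    ({"nids_a": True}, False),
    ({"nids_b": True}, False),
    ({"nids_a": True, "hids": True}, False),  # correlated false positives
    ({}, False),
]

if __name__ == "__main__":
    for threshold in (0.01, 0.5, 0.9):
        print(threshold, evaluate(CORPUS, threshold))
```

Raising the threshold from 0.01 to 0.9 drops the false alarm rate on this corpus from 0.8 to 0, at the cost of the prediction rate falling from 1.0 to 1/3; the operator picks the point on that curve that matches the analyst capacity available.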



Paper Citation


in Harvard Style

Tabia K. and Leray P. (2010). HANDLING IDS’ RELIABILITY IN ALERT CORRELATION - A Bayesian Network-based Model for Handling IDS’s Reliability and Controlling Prediction/False Alarm Rate Tradeoffs. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 14-24. DOI: 10.5220/0002949800140024

in Bibtex Style

@conference{secrypt10,
author={Karim Tabia and Philippe Leray},
title={HANDLING IDS’ RELIABILITY IN ALERT CORRELATION - A Bayesian Network-based Model for Handling IDS’s Reliability and Controlling Prediction/False Alarm Rate Tradeoffs},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},
year={2010},
pages={14-24},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002949800140024},
isbn={978-989-8425-18-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
TI - HANDLING IDS’ RELIABILITY IN ALERT CORRELATION - A Bayesian Network-based Model for Handling IDS’s Reliability and Controlling Prediction/False Alarm Rate Tradeoffs
SN - 978-989-8425-18-8
AU - Tabia K.
AU - Leray P.
PY - 2010
SP - 14
EP - 24
DO - 10.5220/0002949800140024