Handling Alerts for Intrusion Detection System Using Stateful Pattern Matching

Over the years, network intrusion detection systems have evolved to handle varying types of threats. These days, network managers expect network intrusion detection systems (IDS) to detect attacks and include anomaly-awareness, in addition to handling older threats that haven't disappeared. Researchers have proposed different methods and algorithms to improve intrusion detection systems (IDS). There are different types of these systems, most of them are capable of detecting many attacks, but cannot provide a clear idea to the analyst because of the huge number of the false alerts generated by these systems. This weakness has led to the emergence of many methods in which to deal with these alerts. The aim of conducted research in this field is to propose a new technique to handle the alerts, to reduce them and distinguish real attacks from false alerts and low importance events. In this paper a new alert classification algorithm for IDS proposed, that uses the Pattern Matching. The proposed algorithm reduces alerts and distinguishes serious alerts, low importance and irrelevant one with a high performance. By the experimental results on DARPA KDD cup 99 Dataset the system is able to classify alerts and causes reducing false alerts considerably.