An Effecient Method for Evaluating Alerts of Intrusion Detection Systems

With thousands of alerts identified by IDSs every day, the process of distinguishing which alerts are important (i.e., true positives) and which are is irrelevant (i.e., false positives) is become more complicated. The security administrator must analyze each single alert either a true of false alert. This paper proposes an alert prioritization model, which is based on risk assessment. The model uses indicators, such as priority, reliability, asset value, as decision factors to calculate alert's risk. The objective is to determine the impact of certain alerts generated by IDS on the security status of an information system, also improve the detection of intrusions using snort by classifying the most critical alerts by their levels of risk, thus, only the alerts that presents a real threat will be displayed to the security administrator, so, we reduce the number of false positives, also we minimize the analysis time of the alerts. The model was evaluated using KDD Cup 99 Dataset as test environment and a pattern matching algorithm.