Alert Management and Anomaly Prevention Techniques

  • Bhuyan M
  • Bhattacharyya D
  • Kalita J

Abstract

As an ANIDS (anomaly-based network intrusion detection system) or IDS (intrusion detection system) monitors network-wide traffic, it generates warning messages (i.e., alerts) that indicate attack, suspicious, or legitimate events. Because IDSs are widely deployed, they may generate an overwhelming number of alerts, with true alerts mixed in among false alerts. Managing such alerts is therefore necessary to trace an attack to its origin, so that survival measures can be taken as early as possible. This chapter focuses on alert management and network anomaly prevention techniques. Alert management comprises several components, viz., alert clustering, alert merging, alert frequency, alert link, alert association, intention recognition, and alert correlation. The network traffic anomaly prevention part covers the basic concepts of an ANIPS (anomaly-based network intrusion prevention system), attack coverage, features of an ANIPS, and selection of the right ANIPS for deployment. Finally, the chapter presents the pros and cons of both alert management and anomaly-based network intrusion prevention techniques.

Citation (APA)

Bhuyan, M. H., Bhattacharyya, D. K., & Kalita, J. K. (2017). Alert Management and Anomaly Prevention Techniques (pp. 171–199). https://doi.org/10.1007/978-3-319-65188-0_5
