IDS alert priority determination based on traffic behavior


Abstract

With the increase in the variety of devices connected to the Internet, each with its own vulnerabilities, we are currently observing an explosion of cyber attack patterns. Furthermore, the overwhelming number of alerts from security sensors, such as intrusion detection systems (IDSs), makes it impossible to take appropriate countermeasures against attacks. A method to prioritize IDS alerts is therefore required for the next generation of security operation centers (SOCs). To this end, we have developed an IDS alert priority determination method that combines IDS alert information with traffic behavior and uses the difference in the distribution of traffic behavior to determine the priority of the alerts. We performed experiments with 2 million IDS alerts and 20 billion traffic flows in a real large-scale environment over two months and found that our method could identify 553 IDS alerts out of 2 million as high priority, a number small enough for SOC analysts to investigate in detail.

Citation (APA)

Hiruta, S., Ikeda, S., Shima, S., & Takakura, H. (2019). IDS alert priority determination based on traffic behavior. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11689 LNCS, pp. 189–206). Springer Verlag. https://doi.org/10.1007/978-3-030-26834-3_11
