Refining Network Intrusion Alerts with Multi-Sensor Fusion
Master thesis
Permanent link: http://hdl.handle.net/11250/2568328
Publication date: 2018
Abstract
Modern CERTs rely heavily on Network Security Monitoring (NSM) to defend their networks from intrusions. As attacks increase in frequency and complexity, the human resources available to deal with them become constrained. A particular issue is that Network Intrusion Detection Systems (NIDS) tend to produce a huge number of false positive alerts. This is in part due to the very low base rate of intrusions compared to normal traffic, which leads to a base rate fallacy when classifying traffic. Experienced incident handlers use their intuition to filter out such alerts, often consulting other sensor data to inform their situational assessment. This thesis tries to capture this intuition by applying the conceptual model of Multi-Sensor Data Fusion (MSDF), allowing for the automatic refinement of alert lists and the removal of false positive alerts, as well as potentially the detection of more sophisticated attacks. Its contribution is two-fold: first, a simple test-bed using virtual machines and NSM sensors is constructed to acquire NSM sensor data from simulated users and an attacker; then, a graph-based feature extraction approach (RolX) and binary classifiers are applied to perform anomaly detection on the data from the NSM sensors. We show that, given data generated by our test-bed, commonly available binary classifiers such as Artificial Neural Networks, Random Forests and Support Vector Machines perform well and are able to filter out 93 %, 97 % and 94 % of false positives, respectively. Future work is also suggested to investigate and improve the applicability of these methods to more complex scenarios.