Alert Prioritization in Intrusion Detection Systems
Khalid Alsubhi⋆, Ehab Al-Shaer⋆‡, and Raouf Boutaba⋆
(⋆) David R. Cheriton School of Computer Science, University of Waterloo, Canada
(‡) School of Computer Science, DePaul University, Chicago, USA
email: kaalsubh@cs.uwaterloo.ca; ehab@cs.depaul.edu; rboutaba@uwaterloo.ca
Abstract—Intrusion Detection Systems (IDSs) are designed to monitor user and/or network activity and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large, making the task of security analysts difficult to manage. Furthermore, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide imprecise results. In this paper, we propose a fuzzy-logic based technique for scoring and prioritizing alerts generated by an IDS¹. In addition, we present an alert rescoring technique that leads to a further reduction of the number of alerts. The approach is validated using the 2000 DARPA intrusion detection scenario specific datasets, and comparative results between the Snort IDS alert scoring and our scoring and prioritization scheme are presented.
Index Terms—Alert management, alert prioritization
I. INTRODUCTION
Network attacks are growing more serious, forcing system defenders to deploy appropriate security devices such as firewalls, Information Protection Systems (IPSs), and Intrusion Detection Systems (IDSs). An IDS inspects user and/or network activity looking for suspicious behavior, which it reports to security analysts in the form of alerts. There are two common types of IDSs depending on the method employed for traffic inspection: signature-based and anomaly-based. A signature-based IDS generates an alert when the traffic contains a pattern that matches signatures of malicious or suspicious activities. An anomaly-based IDS examines ongoing activity and detects attacks based on the degree of variation from normal past behavior [4]. However, both of these mechanisms suffer from the problem of generating a large number of alerts. These alerts need to be evaluated by security analysts before any further investigation in order to take appropriate actions against the attacks.
IDSs usually generate a large number of alerts whenever abnormal activities are detected. Inspecting and investigating all reported alerts manually is a difficult, error-prone, and time-consuming task. In addition, ignoring alerts may result in successful attacks being missed. To tackle this problem, low-level and high-level alert evaluation operations have been introduced. Low-level alert operations deal with each alert individually to enrich its attributes or assign a score to it based on the potential risk. High-level alert management techniques, such as aggregation, clustering, correlation, and fusion, were proposed to deal with sets of alerts and provide an abstraction of them. However, the high-level techniques suffer from including alerts that are not significant, which leads to inappropriate results. Therefore, low-level evaluation techniques are needed to automatically (or semi-automatically) examine large numbers of alerts and prioritize them, leaving only important alerts for further inspection. Accordingly, the reduced set of alerts leads to more precise high-level alert analysis. Through this work, the security administrator is provided with an effective technique to evaluate and manage alerts, thereby saving his or her time and effort.
¹ This research has been supported under the Natural Science & Engineering Research Council of Canada (NSERC) grant STP-322235-05.
This paper describes a method for automatically evaluating IDS alerts based on metrics related to the applicability of the attack, the importance of the victim, the relationship between the alert under evaluation and previous alerts, and the social activities between the attackers and the victims. These metrics are the inputs of a fuzzy logic system that assesses the seriousness of the generated alerts and assigns a score to each of them. This evaluation process prioritizes alerts when they are presented to the security administrator for further investigation. Additionally, we propose a rescoring technique to dynamically rescore alerts based on the relationship between attacks or the degree of maliciousness of an attacker. Finally, we validate our proposal through two experiments. In the first experiment, we score alerts generated by the Snort IDS [28] using the 2000 DARPA intrusion detection scenario specific datasets [15]. In the second experiment, we use the same dataset to validate our rescoring technique.
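To make the scoring step concrete, the following is an added illustration (not the paper's own implementation) of Mamdani-style fuzzy inference over the four metric families named above, each assumed to be normalised to [0, 1]; the fuzzy sets, the rule base and the sample alerts are assumptions constructed for this example.

```python
# Added example, not the paper's code: Mamdani-style fuzzy scoring over the four
# metric families the introduction names. Sets, rules and alerts are assumptions.
LEVELS = {"low": (0.0, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.0)}

# Assumed rule base: (antecedents joined by AND, severity consequent).
RULES = [
    ({"applicability": "high", "importance": "high"}, "high"),
    ({"relation": "high"}, "high"),     # continues an earlier alert chain
    ({"applicability": "medium", "importance": "medium"}, "medium"),
    ({"social": "high"}, "medium"),     # repeated attacker-victim contact
    ({"applicability": "low"}, "low"),  # exploit cannot apply to the target
    ({"importance": "low"}, "low"),
]

def membership(x, level):
    """Triangular set on [0, 1]; the end sets keep a flat shoulder."""
    a, b, c = LEVELS[level]
    if x <= a:
        return 1.0 if a == b else 0.0
    if x >= c:
        return 1.0 if b == c else 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

def rule_strength(metrics, conditions):
    """AND of the antecedents using the min operator."""
    return min(membership(metrics[m], lvl) for m, lvl in conditions.items())

def fuzzy_score(metrics, steps=100):
    """Max aggregation of clipped consequents, then centroid defuzzification."""
    strengths = [(rule_strength(metrics, cond), out) for cond, out in RULES]
    num = den = 0.0
    for i in range(steps + 1):
        x = i / steps
        mu = max(min(s, membership(x, out)) for s, out in strengths)
        num += x * mu
        den += mu
    return num / den if den else 0.0

def prioritize(alerts):
    """(alert_id, score) pairs ordered from most to least serious."""
    scored = [(aid, round(fuzzy_score(m), 3)) for aid, m in alerts.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample alerts, each already reduced to the four normalised metrics.
SAMPLE_ALERTS = {
    "alert-1": {"applicability": 1.0, "importance": 1.0, "relation": 1.0, "social": 1.0},
    "alert-2": {"applicability": 0.5, "importance": 0.5, "relation": 0.5, "social": 0.5},
    "alert-3": {"applicability": 0.0, "importance": 0.0, "relation": 0.0, "social": 0.0},
}
print(prioritize(SAMPLE_ALERTS))
```

Because the triangular output sets are bounded, the centroid of even an all-maximum alert lands well below 1.0; the ordering between alerts, not the absolute value, is what drives prioritization.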
The paper is organized as follows. Section II discusses related work. Section III describes our proposed alert prioritization system. Section IV presents the identified alert prioritization metrics. Section V explains fuzzy logic inference and its use in this work. Section VI explains the technique for alert rescoring. Simulation results are presented and discussed in Section VII. Finally, Section VIII concludes the paper.
II. RELATED WORK
Attacks are presented to a security administrator through alerts generated by the sensing devices, such as IDSs. It is common that an IDS generates a large number of alerts whenever the defined policies (rules) have been matched. With a large number of alerts, security administrators are overwhelmed and it becomes difficult to manually distinguish between the real attacks and the false ones. Two general
978-1-4244-2066-7/08/$25.00 ©2008 IEEE 33