A test of intrusion alert filtering based on network information

Sommestad, Teodor; Franke, Ulrik

doi:10.1002/sec.1173

Cited by 6 publications

(2 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These issues are approached from various perspectives which can be summarized into filtration [4], aggregation [5], prioritization [6] and correlation [7]. Since the correlation techniques are the most relevant for our research, we further elaborate on them in our related work.…”

Section: Introductionmentioning

confidence: 99%

Discovering Coordinated Groups of IP Addresses Through Temporal Correlation of Alerts

et al. 2022

View full text Add to dashboard Cite

Network-based monitoring and intrusion detection systems generate a high number of alerts reporting on the suspicious activity of IP addresses. The majority of alerts are dropped due to their low relevance, low priority or due to the high number of alerts itself. We assume that these alerts still contain valuable information, namely, about the coordination of IP addresses. Knowledge of the coordinated IP addresses improves situational awareness and reflects the requirement of security analysts as well as automated reasoning tools to have as much contextual information as possible to make an informed decision. To validate our assumption, we introduce a novel method to discover the groups of coordinated IP addresses that exhibit a temporal correlation of their alerts. We evaluate our method on data from a real sharing platform reporting approximately 1.5 million alerts per day. The results show that our method can indeed discover groups of truly coordinated IP addresses.

show abstract

Section: Introductionmentioning

confidence: 99%

Discovering Coordinated Groups of IP Addresses Through Temporal Correlation of Alerts

et al. 2022

View full text Add to dashboard Cite

show abstract

“…The problem with false positives is substantial. For example, Tjhai et al (2008) reported that 96% of the alerts were false positives in a test where Snort monitored a university's web server, Sommestad and Franke (2015) reported that greater than 98% of the alerts Snort produced during a cyber security exercise were false positives, and Cotroneo et al (2019) refers to analyses were 99% of the alerts are false positives. The problem of detecting attacks is also considerable and a frequent argument against signature-based NIDSs and for the use of anomaly based alternatives is that signature-based solutions are poor at detecting undisclosed (zero-day) exploits (Liao et al, 2013) (Patcha & Park, 2007) (Holm, 2014) (Khraisat et al, 2019).…”

Section: Introductionmentioning

confidence: 99%

Variables influencing the effectiveness of signature-based network intrusion detection systems

Sommestad

Holm

Steinvall

2021

Information Security Journal: A Global Perspective

Self Cite

View full text Add to dashboard Cite

Contemporary organizations often employ signature-based network intrusion detection systems to increase the security of their computer networks. The effectiveness of a signature-based system primarily depends on the quality of the rules used to associate system events to known malicious behavior. However, the variables that determine the quality of rulesets is relatively unknown. This paper empirically analyzes the detection probability in a test involving Snort for 1143 exploitation attempts and 12 Snort rulesets created by the Emerging Threats Labs and the Sourcefire Vulnerability Research Team. The default rulesets from Emerging Threats raised priority-1-alerts for 39% of the exploit attempts compared to 31% for rulesets from the Vulnerability Research Team. The following features predict detection probability: if the exploit is publicly known, if the ruleset references the exploited vulnerability, the payload, the type of software targeted, and the operating system of the targeted software. The importance of these variables depends on the ruleset used and whether default rules are used. A logistic regression model with these variables classifies 69-92% of the cases correctly for the different rulesets.

show abstract

Automation of Cybersecurity Work

Varga

Sommestad

Brynielsson

2022

Artificial Intelligence and Cybersecurity

View full text Add to dashboard Cite

This chapter examines the conditions for automation of cybersecurity work roles, and the probabilities of them being automated. Further, variables that limit the automation potential for current cybersecurity roles are reviewed. Based on a well-established and widely adopted reference resource that lists typical skill requirements and duties of cybersecurity workers, an assessment of the susceptibility for automation of cybersecurity work was performed by an expert panel. All cybersecurity work descriptions were ranked in terms of proneness for automation according to four criteria: requirements for creativity, social interaction, physical work, and the existence of relevant statistical training data. It was found that technical roles, for example database administrators and data analysts, are easiest to automate. Roles associated with management and accountability, for example, legal advisors and cyber operations planners, are more difficult to automate. Finally, requirements for physical work is a negligible factor when it comes to cybersecurity work automation.

show abstract

A test of intrusion alert filtering based on network information

Cited by 6 publications

References 16 publications

Discovering Coordinated Groups of IP Addresses Through Temporal Correlation of Alerts

Discovering Coordinated Groups of IP Addresses Through Temporal Correlation of Alerts

Variables influencing the effectiveness of signature-based network intrusion detection systems

Automation of Cybersecurity Work

Contact Info

Product

Resources

About