Journal: Information security journal

Alert verification through alert correlation—An empirical test of SnIPS



Abstract

A significant problem with today's intrusion detection systems is the high number of alerts they produce for events that system administrators regard as benign or noncritical. A large number of solutions have been proposed to deal with this issue. This article tests SnIPS, a tool that correlates alerts from the intrusion detection system Snort and assigns beliefs that a host has been compromised on various occasions. The tests are performed against data collected from a cyber security exercise during which 51 compromises of monitored machines occurred. The beliefs assigned by SnIPS are not calibrated in the sense of reflecting the actual probability that a host has been compromised; however, a compromise is more likely when alerts have a high belief. Alerts from SnIPS with high beliefs also have better precision than the high-priority alerts from Snort, even when static network information is used to verify the Snort alerts. However, the recall of SnIPS is lower than that obtained by using the high-priority alerts from Snort.
