Abstract

Traditional Intrusion Detection Systems (IDSs) are known for generating large volumes of alerts despite all the progress made over the last few years. Analysing a huge number of raw alerts from large networks is often time-consuming and labour-intensive because the relevant alerts are usually buried under heaps of irrelevant ones. Vulnerability-based alert management approaches have received considerable attention and appear extremely promising in improving the quality of alerts. They filter out any alert that does not have a corresponding vulnerability, which enables analysts to focus on the important alerts. However, the existing vulnerability-based approaches are still at a preliminary stage and there are some research gaps that need to be addressed. The act of validating alerts does not by itself guarantee alerts of high quality, because the validated alerts may still contain huge volumes of redundant and isolated alerts. The validated alerts also lack the additional information needed to enhance their meaning and semantics. In addition, the use of outdated vulnerability data may lead to poor alert verification. In this paper, we propose a fast and efficient vulnerability-based approach that addresses the above issues. The proposed approach combines several known techniques in a comprehensive alert management framework in order to offer a novel solution. Our approach is effective and yields superior results in terms of improving the quality of alerts.
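As an added illustration (not the paper's own code), the following Python pipeline shows the three concerns the abstract raises on top of plain vulnerability-based filtering: alerts whose target has no matching vulnerability are dropped, surviving alerts are enriched with asset context, alerts verified against scan data older than a threshold are set aside as stale, and redundant alerts are merged into meta-alerts with one-off alerts flagged as isolated. The alert and inventory records, the `MAX_SCAN_AGE` and `WINDOW` thresholds, and the field names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inputs (not from the paper): IDS alerts naming the vulnerability
# their signature targets, and a scanner inventory keyed by (host, port) with scan time.
ALERTS = [
    {"id": 1, "vuln": "VULN-A", "src": "192.0.2.10", "dst": "10.0.0.5", "port": 80, "ts": 100},
    {"id": 2, "vuln": "VULN-A", "src": "192.0.2.10", "dst": "10.0.0.5", "port": 80, "ts": 130},
    {"id": 3, "vuln": "VULN-A", "src": "192.0.2.10", "dst": "10.0.0.5", "port": 80, "ts": 170},
    {"id": 4, "vuln": "VULN-B", "src": "192.0.2.11", "dst": "10.0.0.5", "port": 443, "ts": 140},
    {"id": 5, "vuln": "VULN-C", "src": "192.0.2.12", "dst": "10.0.0.9", "port": 22, "ts": 150},
    {"id": 6, "vuln": "VULN-C", "src": "192.0.2.12", "dst": "10.0.0.9", "port": 22, "ts": 9000},
]
INVENTORY = {
    ("10.0.0.5", 80): {"vulns": {"VULN-A"}, "scanned": 90, "owner": "web", "criticality": "high"},
    ("10.0.0.9", 22): {"vulns": {"VULN-C"}, "scanned": 0, "owner": "infra", "criticality": "medium"},
}
MAX_SCAN_AGE = 1000  # scan data older than this at alert time is considered outdated
WINDOW = 300         # alerts with the same key inside this span are redundant

def verify(alert, inventory=INVENTORY):
    """Return (status, alert): 'dropped' (no matching vulnerability), 'stale' or 'verified'."""
    asset = inventory.get((alert["dst"], alert["port"]))
    if asset is None or alert["vuln"] not in asset["vulns"]:
        return "dropped", alert  # target is not vulnerable to this attack: noise
    enriched = dict(alert, owner=asset["owner"], criticality=asset["criticality"])  # enrichment
    if alert["ts"] - asset["scanned"] > MAX_SCAN_AGE:
        return "stale", enriched  # matched, but against scan data too old to trust
    return "verified", enriched

def aggregate(alerts, window=WINDOW):
    """Merge redundant alerts (same src/dst/port/vuln within the window) into meta-alerts."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["src"], a["dst"], a["port"], a["vuln"])
        if groups[key] and a["ts"] - groups[key][-1]["first"] <= window:
            groups[key][-1]["count"] += 1
            groups[key][-1]["last"] = a["ts"]
        else:
            groups[key].append(dict(a, first=a["ts"], last=a["ts"], count=1))
    metas = [m for ms in groups.values() for m in ms]
    for m in metas:
        m["isolated"] = m["count"] == 1  # a one-off meta-alert is flagged, not silently kept
    return metas

def process(alerts):
    """Pipeline: verify -> enrich -> aggregate. Returns (meta_alerts, stale, dropped)."""
    buckets = {"dropped": [], "stale": [], "verified": []}
    for a in alerts:
        status, out = verify(a)
        buckets[status].append(out)
    return aggregate(buckets["verified"]), buckets["stale"], buckets["dropped"]
```

On the constructed input, alerts 1 to 3 collapse into one meta-alert, alert 4 is dropped because the target asset has no matching vulnerability, alert 5 becomes an isolated meta-alert, and alert 6 is set aside as stale because it fired long after the last scan.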
