Abstract

This paper presents an alert correlation system for mitigating the false-positive problem in network-based intrusion detection when anomaly detection techniques are applied. The system allows a quantitative assessment of the likelihood that an alert issued because of an anomaly corresponds to a real threat. To do this, the differences between the characteristics of the model representing habitual, legitimate network usage and the most representative features of the traffic that generated the alert are taken into account. The result is a quantitative assessment of the alert's similarity to legitimate network usage, and a prioritization of the issued alerts. Experiments have demonstrated the validity of the proposal: 95.7% of the false positives were labeled as low-priority alerts, and the various real threats were properly identified.
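The abstract describes scoring each anomaly alert by how far the traffic that raised it departs from a model of habitual, legitimate usage, then ranking alerts by that score so likely false positives get low priority. The following is an added illustration of that idea, not the paper's code: it assumes a simple per-feature mean/standard-deviation baseline, a standardised (z-score) distance as the similarity measure, and constructed flow features (packets per second, bytes per packet, distinct destination ports, flow duration); the paper's actual model, features and similarity measure are not given in the abstract.

```python
"""Toy alert prioritisation by similarity to a legitimate-traffic model.

Added example, not the paper's implementation. The baseline (per-feature
mean/std), the RMS z-score distance and the feature names are assumptions.
"""
from math import sqrt
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Features = Dict[str, float]
Baseline = Dict[str, Tuple[float, float]]

# Constructed sample of known-legitimate flows used to build the usage model.
LEGIT_FLOWS: List[Features] = [
    {"pps": 10, "bpp": 500, "dst_ports": 1, "duration": 2},
    {"pps": 14, "bpp": 700, "dst_ports": 3, "duration": 6},
    {"pps": 10, "bpp": 500, "dst_ports": 1, "duration": 2},
    {"pps": 14, "bpp": 700, "dst_ports": 3, "duration": 6},
]

# Constructed alerts: the traffic features that triggered each anomaly alert.
SAMPLE_ALERTS: Dict[str, Features] = {
    "bulk-transfer": {"pps": 14, "bpp": 700, "dst_ports": 3, "duration": 6},
    "scan": {"pps": 12, "bpp": 600, "dst_ports": 102, "duration": 4},
    "typical": {"pps": 12, "bpp": 600, "dst_ports": 2, "duration": 4},
}


def build_baseline(flows: List[Features]) -> Baseline:
    """Per-feature (mean, population std) of the habitual, legitimate traffic."""
    names = list(flows[0].keys())
    return {
        n: (float(mean([f[n] for f in flows])), float(pstdev([f[n] for f in flows])))
        for n in names
    }


def similarity(features: Features, baseline: Baseline) -> float:
    """Similarity in (0, 1]: 1.0 when the alert's traffic sits at the model mean,
    decreasing towards 0 as its RMS standardised distance grows."""
    squares = []
    for name, (mu, sigma) in baseline.items():
        sigma = max(sigma, 1e-9)  # guard against constant features (std == 0)
        z = (features[name] - mu) / sigma
        squares.append(z * z)
    rms = sqrt(sum(squares) / len(squares))
    return 1.0 / (1.0 + rms)


def prioritize(alerts: Dict[str, Features], baseline: Baseline,
               threshold: float = 0.3) -> List[Tuple[str, float, str]]:
    """Return (alert_id, similarity, priority) tuples, most anomalous first.
    Alerts at least `threshold` similar to legitimate usage are marked 'low'
    priority (likely false positives); the rest are marked 'high'."""
    scored = [(aid, similarity(f, baseline)) for aid, f in alerts.items()]
    scored.sort(key=lambda t: t[1])
    return [(aid, s, "high" if s < threshold else "low") for aid, s in scored]


if __name__ == "__main__":
    model = build_baseline(LEGIT_FLOWS)
    for alert_id, score, priority in prioritize(SAMPLE_ALERTS, model):
        print(f"{alert_id:14s} similarity={score:.3f} priority={priority}")
```

With the constructed data the port-scan-like alert, whose distinct-destination-port count is 100 standard deviations from the baseline, ranks first with high priority, while the two alerts that resemble habitual usage are demoted to low priority; the threshold is the knob an operator would tune against the observed false-positive rate.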
