Abstract:
Network intrusion-detection systems (NIDSs) are considered an effective second line of defense against network-based attacks directed to computer systems. Because of the increasing severity and likelihood of such attacks, the NIDSs are employed in almost all large-scale IT infrastructures. The Achille’s heel of NIDSs lies in the large number of false positives. However, today’s NIDSs often try to detect not only intrusions, but also successful intrusion attempts. This is because it can be difficult for an NIDS to determine the result of an intrusion attempt. A popular approach of verifying intrusion attempt results is to let an IDS be aware of the environment and configuration of the systems under attack. Based on the above idea, in order to eliminate the negative influence on IDS stability caused by non-relevant alerts, a network intrusion detection model is designed based on context verification. With the combination of environment context, weakness context, feedback context and anomaly context, our model constructs an effective, stable, integrated, and extendable non-relevant alerts processing platform which focuses on context verification and integrates multiple security techniques. It achieves the automatic validation of alarming and automatic judgments of their effectiveness to eliminate the non-relevant alerts, and thus it establishes the reliable foundation for alerts association.