Improving Intrusion Detection Through Alert Verification
Source: Katholieke Universiteit Leuven
Intrusion Detection Systems (IDS) suffer from a lack of scalability. Alert correlation has been introduced to address this challenge and is generally considered to be the major part of the solution. One of the steps in the correlation process is the verification of alerts. The paper identifies the relationships and interactions between correlation and verification. An overview of the verification tests proposed in the literature is presented and refined. The contribution is to integrate these tests into an extensible, generic framework for verification that enables further experimentation. A proof-of-concept implementation is presented and a first evaluation is made. The paper concludes that verification is a viable extension to the intrusion detection process.
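Added illustration of the alert-verification step the abstract describes (example code written for this page, not the paper's proof-of-concept implementation): a small extensible framework in which each registered verification test checks an IDS alert against local asset context and returns a verdict, and the combined verdict decides whether the alert is passed on to correlation, flagged as inconclusive, or discarded as refuted. The asset inventory, alert fields, test names and sample alerts are all constructed assumptions.

```python
"""Generic, extensible alert-verification framework (added example).

Not the paper's code: it illustrates pluggable verification tests whose
verdicts are combined before alerts enter correlation. Inventory, alert
fields, test names and sample alerts are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# A verdict is +1 when local context confirms the alert's preconditions,
# -1 when it contradicts them, and 0 when the test cannot decide.
CONFIRMED, UNDECIDED, REFUTED = 1, 0, -1


@dataclass(frozen=True)
class Alert:
    signature: str                         # IDS signature that fired
    dst_ip: str                            # attacked host
    dst_port: int                          # attacked port
    target_service: Optional[str] = None   # service the signature exploits, if known


VerificationTest = Callable[[Alert], int]

# Constructed asset inventory standing in for a CMDB or passive-scan data:
# host -> {port: service}.
INVENTORY = {
    "10.0.0.5": {22: "ssh", 80: "http"},
    "10.0.0.9": {443: "https"},
}


def host_exists(alert: Alert) -> int:
    """Alerts against hosts that do not exist are contradicted outright."""
    return CONFIRMED if alert.dst_ip in INVENTORY else REFUTED


def port_open(alert: Alert) -> int:
    """Is the attacked port open? An unknown host cannot be judged here."""
    services = INVENTORY.get(alert.dst_ip)
    if services is None:
        return UNDECIDED
    return CONFIRMED if alert.dst_port in services else REFUTED


def service_matches(alert: Alert) -> int:
    """Does the exploited service really run on that port? Defers to port_open otherwise."""
    running = INVENTORY.get(alert.dst_ip, {}).get(alert.dst_port)
    if running is None or alert.target_service is None:
        return UNDECIDED
    return CONFIRMED if running == alert.target_service else REFUTED


class Verifier:
    """Registry of verification tests; combines their verdicts per alert."""

    def __init__(self) -> None:
        self._tests: list[tuple[str, VerificationTest]] = []

    def register(self, name: str, test: VerificationTest) -> "Verifier":
        self._tests.append((name, test))
        return self

    def verify(self, alert: Alert) -> dict[str, int]:
        return {name: test(alert) for name, test in self._tests}

    def outcome(self, alert: Alert) -> str:
        """One contradiction refutes the alert; unanimous confirmation confirms it."""
        verdicts = list(self.verify(alert).values())
        if REFUTED in verdicts:
            return "refuted"
        if all(v == CONFIRMED for v in verdicts):
            return "confirmed"
        return "inconclusive"


def default_verifier() -> Verifier:
    return (Verifier()
            .register("host_exists", host_exists)
            .register("port_open", port_open)
            .register("service_matches", service_matches))


def triage(alerts: list[Alert], verifier: Optional[Verifier] = None) -> dict[str, list[Alert]]:
    """Bucket alerts by outcome; only non-refuted ones need to reach correlation."""
    verifier = verifier or default_verifier()
    buckets: dict[str, list[Alert]] = {"confirmed": [], "inconclusive": [], "refuted": []}
    for alert in alerts:
        buckets[verifier.outcome(alert)].append(alert)
    return buckets


# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("WEB exploit attempt", "10.0.0.5", 80, "http"),  # real host, open port, right service
    Alert("WEB exploit attempt", "10.0.0.9", 80, "http"),  # host exists but port 80 is closed
    Alert("WEB exploit attempt", "10.0.0.5", 22, "http"),  # port open, but it runs ssh, not http
    Alert("SSH brute force", "10.0.0.77", 22, "ssh"),      # host is not in the inventory
    Alert("Port scan", "10.0.0.9", 443),                    # no service to check -> inconclusive
]

if __name__ == "__main__":
    for outcome, alerts in triage(SAMPLE_ALERTS).items():
        print(f"{outcome}: {[f'{a.signature} -> {a.dst_ip}:{a.dst_port}' for a in alerts]}")
```

Each test is independent and returns a three-valued verdict rather than a boolean, so a test that lacks the context it needs (an unknown host, an alert with no target service) abstains instead of silently confirming or refuting; new tests plug in through `register` without touching the combination logic, which is the extensibility the abstract asks of such a framework.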