Title: Analysis of IDS alerts by generalising features and discovering emerging patterns

Authors: Mahdi Maleki; Seyed Mansour Shahidi

Addresses: Faculty of Computer Engineering, Ayatollah Boroujerdi University, Boroujerd, Iran; Faculty of Computer Engineering, Ayatollah Boroujerdi University, Boroujerd, Iran

Abstract: One of the significant problems in using intrusion detection systems is the high volume of low-level alerts. In this paper, an analysis of cyber alerts is used to reduce the number of low-level alerts by exploiting the range of attack features that are available. It also benefits from the discovery of emerging patterns to improve situational awareness of cyber-attacks. Moving between different levels of generalisation and extracting rules based on attribute-oriented induction and emerging patterns is a notable contribution of this work. To evaluate the proposed method, the new CICIDS2017 dataset is used, which removes the defects of earlier datasets. The results show a reduction in alerts of 99% at the lowest generalisation level and an average of 25% at the other generalisation levels. In addition to normal traffic, 14 different types of attack have been identified. The DoS Hulk attack has the highest frequency at 8.16%, and the Heartbleed attack the lowest at 0.0004%. On average, 18 overlap (TO-EP) patterns, 63 relatively subsumption-overlap (SO-EP) patterns and 92 similar (SIM-EP) patterns have been extracted across four generalisation levels.
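The abstract describes two mechanisms: attribute-oriented induction, which climbs each alert attribute up a concept hierarchy so that many raw alerts collapse into a few generalised ones, and emerging-pattern discovery, which flags generalised patterns whose support grows sharply between two alert sets. The following Python example (added here for illustration; it is not the authors' code and does not use the CICIDS2017 dataset) implements both on a handful of constructed alerts. The concept hierarchies (IP to /24 to /16 to ANY, port to service class, signature to family), the reduction-rate formula and the growth-rate threshold are assumptions chosen to make the mechanism visible; the paper's TO-EP, SO-EP and SIM-EP categories are not modelled.

```python
from collections import Counter
from ipaddress import ip_interface
import math

ANY = "ANY"  # top of every concept hierarchy

# --- concept hierarchies (assumed for this example) -------------------------
def ip_to_subnet(ip, prefix):
    """Generalise a host address to its enclosing /prefix network."""
    return str(ip_interface(f"{ip}/{prefix}").network)

def port_class(port):
    """Generalise a destination port to a coarse service class."""
    if port in (80, 443, 8080):
        return "web"
    if port in (25, 110, 143):
        return "mail"
    if port in (22, 23, 3389):
        return "remote"
    return "other"

def sig_family(signature):
    """Generalise a signature name to its leading family token, e.g. 'WEB'."""
    return signature.split()[0]

# Each attribute has an ordered list of generalisers; level i uses the i-th one
# (clamped to the last, so a short hierarchy reaches ANY earlier than a long one).
ATTRS = ("src_ip", "dst_port", "signature")
HIERARCHIES = {
    "src_ip": [lambda v: v, lambda v: ip_to_subnet(v, 24),
               lambda v: ip_to_subnet(v, 16), lambda v: ANY],
    "dst_port": [lambda v: v, port_class, lambda v: ANY],
    "signature": [lambda v: v, sig_family, lambda v: ANY],
}

# --- attribute-oriented induction -------------------------------------------
def generalise(alert, level):
    """Map one raw alert tuple to its generalised form at the given level."""
    out = []
    for attr, value in zip(ATTRS, alert):
        funcs = HIERARCHIES[attr]
        out.append(funcs[min(level, len(funcs) - 1)](value))
    return tuple(out)

def generalised_counts(alerts, level):
    """Count how many raw alerts fall into each generalised pattern."""
    return Counter(generalise(a, level) for a in alerts)

def reduction_rate(alerts, level):
    """Fraction of raw alerts eliminated by merging into generalised patterns."""
    return 1 - len(generalised_counts(alerts, level)) / len(alerts)

# --- emerging patterns ------------------------------------------------------
def emerging_patterns(before, after, level, min_growth=2.0):
    """Generalised patterns whose support grows by at least min_growth from
    the 'before' alert set to the 'after' set (growth is inf for new patterns)."""
    c1 = generalised_counts(before, level)
    c2 = generalised_counts(after, level)
    result = {}
    for pattern, n2 in c2.items():
        s2 = n2 / len(after)
        s1 = c1.get(pattern, 0) / len(before)
        growth = math.inf if s1 == 0 else s2 / s1
        if growth >= min_growth:
            result[pattern] = growth
    return result

# --- constructed sample alerts: (src_ip, dst_port, signature) ---------------
WINDOW_1 = [
    ("10.0.1.5", 80, "WEB SQLi attempt"),
    ("10.0.1.6", 80, "WEB XSS attempt"),
    ("10.0.1.7", 443, "WEB SQLi attempt"),
    ("10.0.2.9", 25, "MAIL relay probe"),
    ("10.0.1.5", 80, "WEB SQLi attempt"),
    ("192.168.3.4", 22, "SSH brute force"),
    ("192.168.3.4", 22, "SSH brute force"),
    ("10.0.1.8", 8080, "WEB SQLi attempt"),
]
WINDOW_2 = [
    ("10.0.1.5", 80, "WEB SQLi attempt"),
    ("192.168.3.4", 22, "SSH brute force"),
    ("192.168.3.5", 22, "SSH brute force"),
    ("192.168.3.6", 22, "SSH brute force"),
    ("192.168.3.7", 22, "SSH brute force"),
    ("192.168.3.4", 3389, "RDP brute force"),
]

if __name__ == "__main__":
    for level in range(4):
        print(f"level {level}: reduction {reduction_rate(WINDOW_1, level):.3f}",
              dict(generalised_counts(WINDOW_1, level)))
    for pat, growth in emerging_patterns(WINDOW_1, WINDOW_2, level=1).items():
        print("emerging:", pat, "growth", growth)
```

At level 1 the eight raw alerts in the first window collapse to three patterns (a 62.5% reduction), and comparing the two windows at that level surfaces the /24 remote-access brute-force pattern as emerging, including an RDP variant with no support at all in the first window. The same coarse view that reduces alert volume is what makes the shift visible.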

Keywords: intrusion detection system; feature generalisation; multi-dimensional data mining; online analytical processing; OLAP; multistage attacks.

DOI: 10.1504/IJRIS.2022.123387

International Journal of Reasoning-based Intelligent Systems, 2022 Vol.14 No.1, pp.56 - 65

Received: 23 Dec 2020
Accepted: 28 Jul 2021

Published online: 13 Jun 2022
