
An Experimental Study of Detecting and Correlating Different Intrusions

An Experimental Study of Detecting and Correlating Different Intrusions (PDF, 3.94MB)
Published: 12 Sep, 2011
Created by Ratna Deepika Kannan

An Intrusion Detection System (IDS) has become a dominant security tool because of its ability to alert the System Administrator in the case of an intrusion. However, this simplicity in its functionality comes with a disadvantage. An IDS is highly sensitive and tends to report thousands of false positives (fake alerts). As a result, research has been initiated to improve the existing IDS by reducing the false positives and by increasing the ability to spot an actual intrusion.

In this project, correlation techniques are used to reduce the false positives in an IDS. Correlation or Aggregation refers to the process of identifying similar alerts and grouping them together. The false positives are identified by several means and are separated from the real, malicious alerts. Three correlation techniques have been proposed and tested using the DARPA Evaluation Data Sets 1999 on the SNORT IDS. These correlation techniques, namely the Three-level correlation model, Correlation based on Signature and Timestamp Examination, and Correlation based on ICMP Type and Code, have proved to increase the final efficiency of SNORT by reducing the false positives by up to 80%.
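To make the second and third techniques concrete, here is an added Python example (not code from the paper or the DARPA data set) that aggregates constructed Snort-style ICMP alerts first by signature within a time window and then by ICMP type/code, and reports how many raw alerts the grouping folded away; the sample records, the signature IDs and the 60-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in a simplified Snort-like record layout:
# (timestamp, signature id, message, src, dst, icmp_type, icmp_code).
SAMPLE_ALERTS = [
    ("1999-03-29 08:00:01", 384, "ICMP PING", "10.0.0.5", "172.16.112.50", 8, 0),
    ("1999-03-29 08:00:03", 384, "ICMP PING", "10.0.0.5", "172.16.112.50", 8, 0),
    ("1999-03-29 08:00:07", 384, "ICMP PING", "10.0.0.5", "172.16.112.50", 8, 0),
    ("1999-03-29 08:00:02", 408, "ICMP Echo Reply", "172.16.112.50", "10.0.0.5", 0, 0),
    ("1999-03-29 08:00:04", 408, "ICMP Echo Reply", "172.16.112.50", "10.0.0.5", 0, 0),
    ("1999-03-29 08:05:00", 384, "ICMP PING", "10.0.0.5", "172.16.112.50", 8, 0),
    ("1999-03-29 08:06:10", 485, "ICMP Dest Unreachable", "172.16.112.1", "10.0.0.5", 3, 1),
    ("1999-03-29 08:06:11", 485, "ICMP Dest Unreachable", "172.16.112.1", "10.0.0.5", 3, 3),
]

def parse(rec):
    ts, sid, msg, src, dst, itype, icode = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "sid": sid, "msg": msg,
            "src": src, "dst": dst, "icmp_type": itype, "icmp_code": icode}

def correlate_signature_timestamp(alerts, window=60):
    """Signature and timestamp examination: alerts with the same (sid, src, dst)
    whose timestamps fall within `window` seconds of the group's first alert are
    merged, so a burst of identical alerts becomes one correlated event."""
    groups, open_groups = [], {}          # open_groups: key -> index into groups
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["sid"], a["src"], a["dst"])
        idx = open_groups.get(key)
        if idx is not None and (a["ts"] - groups[idx][0]["ts"]).total_seconds() <= window:
            groups[idx].append(a)
        else:                             # outside the window: start a new group
            open_groups[key] = len(groups)
            groups.append([a])
    return groups

def correlate_icmp_type_code(alerts):
    """ICMP type/code correlation: bucket ICMP alerts by (type, code) so echo
    requests, echo replies and unreachable messages are reported per class."""
    buckets = defaultdict(list)
    for a in alerts:
        buckets[(a["icmp_type"], a["icmp_code"])].append(a)
    return dict(buckets)

def reduction_ratio(raw_count, group_count):
    """Fraction of raw alerts removed by correlation (1.0 = everything merged)."""
    return 1 - group_count / raw_count
```

On the constructed input the signature/timestamp pass turns 8 raw alerts into 4 correlated events (a 50% reduction); the analyst then reviews one event per burst rather than one line per packet.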