Please use this address to cite this document: https://di.univ-blida.dz/jspui/handle/123456789/15892
Title: Minimizing the rate of false positives in Intrusion Detection Systems by considering the context changes
Author(s): Ould Bechiry, Abdallah
Keywords: IDS, Snort, Network packets, Alert, Context, False positive, Filter, Intrusion, Detection, Attack, Threat
Publication date: 2021
Publisher: Université Blida 1
Abstract: An intrusion detection system (IDS) is a well-known security tool used by companies to protect their resources and the services they provide from the massive number of computer threats these companies are potential targets for. In this thesis we try to shed some light on the importance, advantages and disadvantages of IDSs, then focus on one of these disadvantages: the rate of false positive alerts in an IDS. We chose to work with an open source IDS called Snort. The approach we take in order to minimize the rate of false positives is to consider the context changes on the protected network, such as trusted devices inside the network, network packet timing, which device initiated the communication, etc. We designed filtering software that takes into consideration said context changes inside the network we laid out as a test bed. We used Wireshark to capture network packets and passed them to Snort to detect any intrusion that may have happened. Snort then outputs log files containing alerts about any suspicious packets; we then input these files into our software, which analyses the IDS logs in order to filter out the false alerts. We intentionally attacked our network through a known vulnerability to ensure that some of the packets were malicious and to test that our software does not filter the alerts generated by the IDS concerning the packets related to this attack. We found a significant difference in the number of alerts before and after filtering. The process and results are all mentioned and detailed in the core of this thesis. Keywords: IDS, Snort, Network packets, Alert, Context, False positive, Filter, Intrusion, Detection, Attack, Threat.
Description: ill., Bibliogr.
URI/URL: https://di.univ-blida.dz/jspui/handle/123456789/15892
Collection(s): Master's theses

Files making up this document:
File: Abdallah Ould Bechiry( Minimizing the rate of false positives in IDS by considering context changes.pdf | Size: 1.65 MB | Format: Adobe PDF

