Abstract:
Intrusion detection systems (IDSs) are among the most commonly used systems for detecting cyber attacks in a network. One major problem with IDSs is the number of false positive (FP) alerts they generate. In recent decades, many researchers have built systems to reduce this number. However, most of these systems base their evaluation on a single dataset, which means that the proposed solution may not generalize to other network setups. Publicly available datasets for IDS alert reduction are rare in the literature because of the technical knowledge required to create them. Additionally, most related work in this field is several years old and does not use currently available technology to solve the problem. In this thesis, we present a proof of concept (PoC) that combines manual analysis, a modern recurrent neural network (RNN), and a simple alert correlation step to reduce false positive alerts from an IDS. To evaluate our work, we created labeled datasets of IDS alerts from publicly available network traffic. Overall, our approach was able to reduce at least 99.35% of all alerts. Furthermore, we achieved low false negative (FN) rates with our approach.