Machine Learning for IDS Alert Classification: A Recurrent Neural Network Approach
School of Science (Perustieteiden korkeakoulu) | Master's thesis
Security and Cloud Computing
Master’s Programme in Security and Cloud Computing (SECCLO)
Abstract

Intrusion detection systems (IDSs) are among the most commonly used systems for detecting cyber attacks in a network. One major problem with IDSs is the number of false positive (FP) alerts they generate. In recent decades, many researchers have built systems to reduce this number. However, most of these systems are evaluated on only one dataset, so the proposed solution may not work for other network setups. Publicly available datasets for IDS alert reduction are rare in the literature because of the technical knowledge required to create them. Additionally, most related work in this field is several years old and does not use currently available technology to solve the problem. In this thesis, we present a proof of concept (PoC) that combines manual analysis, a modern recurrent neural network (RNN), and simple alert correlation to reduce false positive alerts from an IDS. To evaluate our work, we created labeled datasets of IDS alerts from publicly available network traffic. Overall, our approach was able to reduce at least 99.35% of all alerts. Furthermore, we achieved low false negative (FN) rates with our approach.
Thesis advisor: Aura, Tuomas

Keywords: cyber security, intrusion detection system (IDS), recurrent neural network (RNN), long short-term memory (LSTM), machine learning (ML), Suricata