Machine Learning for IDS Alert Classification: A Recurrent Neural Network Approach

School of Science (Perustieteiden korkeakoulu) | Master's thesis
Date
2020-08-18
Major/Subject
Security and Cloud Computing
Mcode
SCI3084
Degree programme
Master’s Programme in Security and Cloud Computing (SECCLO)
Language
en
Pages
70
Abstract
Intrusion detection systems (IDSs) are among the most widely deployed tools for detecting cyber attacks in a network. A major problem with IDSs is the number of false positive (FP) alerts they generate. Over recent decades, many researchers have built systems to reduce this number. However, most of them evaluate their solution on a single dataset, so the proposed approach may not carry over to other network setups. Publicly available datasets for IDS alert reduction are rare in the literature because of the technical knowledge required to create them. In addition, most related work in this field is several years old and does not use currently available technology. In this thesis, we present a proof of concept (PoC) that combines manual analysis, a modern recurrent neural network (RNN), and a simple alert correlation step to reduce false positive alerts from an IDS. To evaluate our work, we created labeled datasets of IDS alerts from publicly available network traffic. Overall, our approach reduced the number of alerts by at least 99.35%. Furthermore, we achieved low false negative (FN) rates with our approach.
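The abstract reports two figures, the share of alerts removed and the false negative rate, whose meaning depends on how alerts are counted before and after the pipeline. The following Python example is added here to make that measurement concrete; it is not the thesis's code. It parses constructed Suricata EVE JSON alert lines, applies a simple correlation step (collapsing alerts that share signature, source and destination within a time window), replaces the thesis's RNN classifier with a hypothetical stand-in that drops an assumed list of noisy signature IDs, and then computes the alert reduction and the alert-level FN rate against an assumed `label` annotation. The signature IDs, rule names, IP addresses and the `label` field are all constructed for the example and are not real Suricata rules or output.

```python
"""Added example (not the thesis's code): measure alert reduction and FN rate
of a correlation + classification pipeline over labeled Suricata EVE alerts."""
import json
from datetime import datetime


def _eve(ts, src, dst, sid, sig, label):
    """Build one constructed EVE-style alert line (JSON Lines format)."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
        "alert": {"signature_id": sid, "signature": sig},
        "label": label,  # assumed analyst annotation, NOT a Suricata field
    })


# Constructed sample: signature IDs and rule names are made up for the example.
EVE_LINES = (
    # Attack A: one real SSH scan that fires five alerts in ten seconds
    [_eve(f"2020-06-01T10:00:{s:02d}.000000+0000", "10.0.0.5", "10.0.0.20",
          1000003, "CONSTRUCTED SCAN SSH brute force", "tp") for s in (0, 2, 4, 6, 8)]
    # Benign noise: a chatty rule firing once per internal client
    + [_eve("2020-06-01T10:01:00.000000+0000", f"10.0.1.{i}", "10.0.0.80",
            1000001, "CONSTRUCTED HTTP response without request", "fp") for i in range(1, 7)]
    # Attack B: a single genuine alert
    + [_eve("2020-06-01T10:02:00.000000+0000", "10.0.0.7", "10.0.0.21",
            1000002, "CONSTRUCTED WEB shell command in URI", "tp")]
    # Attack C: a genuine attack that only triggered the noisy rule
    + [_eve("2020-06-01T10:03:00.000000+0000", "10.0.0.9", "10.0.0.22",
            1000001, "CONSTRUCTED HTTP response without request", "tp")]
)

# Assumed list of signatures judged noisy; stands in for a learned classifier.
NOISY_SIGNATURE_IDS = {1000001}


def parse_eve(lines):
    """Parse EVE JSON Lines and keep only alert events, with a parsed timestamp."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append(ev)
    return alerts


def correlate(alerts, window_s=60):
    """Collapse alerts sharing (signature_id, src_ip, dest_ip) that arrive within
    window_s seconds of the group's first alert into one meta-alert."""
    groups = []
    open_groups = {}  # key -> index of the group still accepting members
    for a in sorted(alerts, key=lambda x: x["_ts"]):
        key = (a["alert"]["signature_id"], a["src_ip"], a["dest_ip"])
        idx = open_groups.get(key)
        if idx is not None and (a["_ts"] - groups[idx]["first_ts"]).total_seconds() <= window_s:
            groups[idx]["members"].append(a)
        else:
            groups.append({"key": key, "first_ts": a["_ts"], "members": [a]})
            open_groups[key] = len(groups) - 1
    return groups


def keep_meta_alert(meta):
    """Hypothetical classifier stand-in: drop meta-alerts from noisy signatures."""
    return meta["key"][0] not in NOISY_SIGNATURE_IDS


def evaluate(raw_alerts, kept_metas):
    """Reduction = 1 - outputs/inputs; FN rate = share of 'tp' alerts that no
    surviving meta-alert covers; surviving_fp = 'fp' alerts still reaching an analyst."""
    kept_alerts = [a for meta in kept_metas for a in meta["members"]]
    kept_ids = {id(a) for a in kept_alerts}
    tp_raw = [a for a in raw_alerts if a["label"] == "tp"]
    missed_tp = [a for a in tp_raw if id(a) not in kept_ids]
    return {
        "raw_alerts": len(raw_alerts),
        "output_alerts": len(kept_metas),
        "reduction": 1 - len(kept_metas) / len(raw_alerts),
        "fn_rate": len(missed_tp) / len(tp_raw) if tp_raw else 0.0,
        "surviving_fp": sum(1 for a in kept_alerts if a["label"] == "fp"),
    }


def run_pipeline(lines=EVE_LINES, window_s=60):
    """Parse, correlate, classify, and score the constructed alert set."""
    raw = parse_eve(lines)
    metas = correlate(raw, window_s)
    kept = [m for m in metas if keep_meta_alert(m)]
    return evaluate(raw, kept)


if __name__ == "__main__":
    print(run_pipeline())
```

On the constructed input, 13 raw alerts become 9 meta-alerts after correlation and 2 after the noisy-signature filter, a reduction of about 84.6%, but attack C is lost because it fired only the noisy rule, giving an alert-level FN rate of 1/7. That is why a reduction figure such as the abstract's 99.35% is only meaningful alongside the FN rate measured on the same labeled alerts.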
Supervisor
Meng, Weizhi
Thesis advisor
Aura, Tuomas
Keywords
cyber security, intrusion detection system (IDS), recurrent neural network (RNN), long short-term memory (LSTM), machine learning (ML), Suricata