1 Department of Computer Science and Biomedical Informatics, University of Central Greece, 2-4 Papasiopoulou St., Lamia, GR-35100, Greece, e-mail: gspathoulas@ucg.gr
2 Department of Digital Systems, School of Information and Communication, University of Piraeus, 150 Androutsou St., Piraeus, GR-18532, Greece, e-mail: gspathoulas@unipi.gr
3 Department of Digital Systems, School of Information and Communication, University of Piraeus
Volume: 2 Issue: 2, 64 - 80, 28.06.2013
Georgios Spathoulas
Sokratis Katsikas
Methods for post-processing of alerts in intrusion detection: A survey
Intrusion detection is an important protection tool for computer systems and networks. In recent years it has become an essential component of the IT security infrastructure of large organizations. Even though intrusion detection systems are being deployed at an increasing rate, their output is often not used effectively because the quality of the alerts they produce is unsatisfactory. High alert volume, a high false positive rate and the low information content of individual alerts are the main reasons that security analysts cannot take full advantage of intrusion detection alert sets. The aim of this survey is to summarize research on the post-processing of intrusion detection alerts, which is categorized into false positive reduction, alert correlation and visualisation. The most important efforts in the field are analyzed and all recent methods are presented. Finally, the present state and the future directions of the alert post-processing research field are discussed.
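The abstract names alert volume as the first obstacle analysts face. The simplest post-processing step that addresses it is aggregation: folding repeated alerts that share a signature and endpoints, and arrive close together in time, into one meta-alert that carries a count and a time span. The following Python block is an added example written for this page and is not code from the survey or from any of the systems it reviews; the alert lines are constructed in a Snort-style "fast" format (not real captures), and the grouping key (generator id, signature id, source, destination) and the 60-second gap window are assumptions chosen for illustration.

```python
"""Alert aggregation as a first post-processing step (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample alerts in a Snort-style "fast" alert format; not real traffic.
# One alert (10:05:00) is deliberately out of order to show that input is sorted.
SAMPLE_ALERTS = """\
06/28-10:00:01.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
06/28-10:00:02.500000  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Priority: 2] {TCP} 203.0.113.7:44321 -> 192.168.1.20:3306
06/28-10:00:03.100000  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Priority: 2] {TCP} 203.0.113.7:44322 -> 192.168.1.20:3306
06/28-10:05:00.000000  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Priority: 2] {TCP} 203.0.113.7:44999 -> 192.168.1.20:3306
06/28-10:00:04.700000  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Priority: 2] {TCP} 203.0.113.7:44323 -> 192.168.1.20:3306
06/28-10:00:05.200000  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Priority: 2] {TCP} 203.0.113.7:44324 -> 192.168.1.20:3306
06/28-10:00:06.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 10.0.0.5:80 -> 192.168.1.10:51235
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse fast-format lines into dicts. Non-matching lines (blank lines,
    log noise) are skipped rather than aborting the whole file."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        # The format carries no year; strptime fills in 1900, which is fine
        # for ordering alerts within one file.
        a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def aggregate(alerts, window_s=60):
    """Fold alerts sharing (gid, sid, src, dst) that arrive within window_s
    seconds of the previous member into one meta-alert. A gap larger than
    the window starts a new meta-alert for the same key, so a burst and a
    later recurrence are reported separately. Returns meta-alerts in order
    of first occurrence."""
    window = timedelta(seconds=window_s)
    open_meta = {}  # key -> meta-alert currently accepting members
    metas = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["gid"], a["sid"], a["src"], a["dst"])
        meta = open_meta.get(key)
        if meta is None or a["ts"] - meta["last_seen"] > window:
            meta = {
                "sid": a["sid"], "msg": a["msg"], "prio": a["prio"],
                "src": a["src"], "dst": a["dst"],
                "first_seen": a["ts"], "last_seen": a["ts"],
                "count": 0, "sports": set(), "dports": set(),
            }
            open_meta[key] = meta
            metas.append(meta)
        meta["count"] += 1
        meta["last_seen"] = a["ts"]
        meta["sports"].add(a["sport"])
        meta["dports"].add(a["dport"])
    return metas


def reduction_ratio(raw, metas):
    """Fraction of raw alerts the analyst no longer has to read individually."""
    return 1 - len(metas) / len(raw) if raw else 0.0


if __name__ == "__main__":
    raw = parse_alerts(SAMPLE_ALERTS)
    metas = aggregate(raw)
    for m in metas:
        print(f"{m['count']:>3}x sid={m['sid']} {m['src']} -> {m['dst']} "
              f"{m['first_seen']:%H:%M:%S}..{m['last_seen']:%H:%M:%S} {m['msg']}")
    print(f"{len(raw)} raw alerts -> {len(metas)} meta-alerts "
          f"({reduction_ratio(raw, metas):.0%} reduction)")
```

On the constructed input, the seven raw alerts collapse to three meta-alerts: one for the two ATTACK_RESPONSE hits, one for the four-alert scan burst, and a separate one for the scan alert that recurs five minutes later. The window is the parameter to tune: too small and bursts are not merged, too large and distinct events from the same source are reported as one, which is exactly the kind of information loss the survey's correlation methods try to avoid.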
