Publication details


Statistical Analysis of Snort Alerts
Remi-Omosowon OB, Ghita BV
Advances in Communications, Computing, Networks and Security Volume 8, ISBN: 978-1-84102-293-2, pp207-215, 2011

Intrusion detection systems are used to monitor information systems, and they create a large number of alerts that are difficult to respond to. Many of these alerts do not represent threats, as they merely report the normal working condition of the system. These information systems are often used for specific tasks that are repetitive or consistent over the period of their use; hence a pattern is expected in these alerts. A single alert may have no significance by itself but can be part of a bigger threat, and analysing these alerts individually can be very tedious and time consuming. Such threats will alter the normal course of the system’s statistics. This paper focuses on the processing of high volumes of alerts generated by Snort, analysing the trend of the hourly alert intensities triggered at the edge of the Plymouth University network. The analysis is conducted on real-world data. The goal of this analysis is to identify the true positive alerts that signify actual intrusion attempts. This paper also presents a way to share the statistical properties of alerts with researchers without sharing the actual traffic source or the alerts themselves, which could be mined for information about an enterprise. The research also reveals that the top 6 alerts contribute over 99.6% of the entire alert volume. Security administrators and other researchers will benefit from the findings in this research paper.
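The abstract describes three steps: binning Snort alerts into hourly intensities, ranking signatures by their share of the total, and deriving statistics that can be shared without exposing the underlying traffic. The following Python script is an added illustration of that workflow and is not code from the paper; it parses a constructed set of Snort "fast"-format alert lines (synthetic, using local-rule signature ids in the 1000000+ range and RFC 5737 documentation addresses), computes the hourly series, reports the top-N signature share, and flags hours whose count exceeds the series mean by a chosen number of standard deviations. The threshold rule and the field names in the summary are this example's own choices, not the paper's method.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample alerts in Snort "fast" alert format (synthetic, not real traffic).
# Signature ids use the local-rule range (>= 1000000), so they match no published rule.
SAMPLE_ALERTS = """\
01/12-09:05:11.123456  [**] [1:1000001:1] LOCAL constructed sig A [**] [Priority: 3] {TCP} 192.0.2.10:51544 -> 198.51.100.5:80
01/12-09:41:02.000001  [**] [1:1000002:1] LOCAL constructed sig B [**] [Priority: 2] {UDP} 192.0.2.11:53 -> 198.51.100.5:53
01/12-10:02:13.000002  [**] [1:1000001:1] LOCAL constructed sig A [**] [Priority: 3] {TCP} 192.0.2.12:51545 -> 198.51.100.5:80
01/12-10:58:59.000003  [**] [1:1000003:1] LOCAL constructed sig C [**] [Priority: 1] {ICMP} 192.0.2.13 -> 198.51.100.5
01/12-11:00:01.000004  [**] [1:1000001:1] LOCAL constructed sig A [**] [Priority: 3] {TCP} 192.0.2.14:51546 -> 198.51.100.5:80
01/12-11:03:17.000005  [**] [1:1000001:1] LOCAL constructed sig A [**] [Priority: 3] {TCP} 192.0.2.14:51547 -> 198.51.100.5:80
01/12-11:07:44.000006  [**] [1:1000002:1] LOCAL constructed sig B [**] [Priority: 2] {UDP} 192.0.2.11:53 -> 198.51.100.5:53
01/12-11:12:09.000007  [**] [1:1000001:1] LOCAL constructed sig A [**] [Priority: 3] {TCP} 192.0.2.14:51548 -> 198.51.100.5:80
01/12-11:20:30.000008  [**] [1:1000001:1] LOCAL constructed sig A [**] [Priority: 3] {TCP} 192.0.2.14:51549 -> 198.51.100.5:80
01/12-11:31:55.000009  [**] [1:1000004:1] LOCAL constructed sig D [**] [Priority: 1] {TCP} 192.0.2.15:4444 -> 198.51.100.5:22
01/12-11:45:12.000010  [**] [1:1000001:1] LOCAL constructed sig A [**] [Priority: 3] {TCP} 192.0.2.14:51550 -> 198.51.100.5:80
01/12-11:59:58.000011  [**] [1:1000001:1] LOCAL constructed sig A [**] [Priority: 3] {TCP} 192.0.2.14:51551 -> 198.51.100.5:80
"""

# Snort fast format: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [...] {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<hour>\d\d):\d\d:\d\d\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)


def parse_fast_alerts(text):
    """Return a list of (hour_key, signature_id, message); lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append((f"{m['date']} {m['hour']}", m["sid"], m["msg"]))
    return alerts


def hourly_intensity(alerts):
    """Number of alerts per hour, keyed by 'MM/DD HH' and sorted by hour."""
    counts = Counter(hour for hour, _, _ in alerts)
    return dict(sorted(counts.items()))


def top_n_share(alerts, n):
    """The n most frequent signatures and the fraction of all alerts they account for."""
    counts = Counter(sid for _, sid, _ in alerts)
    top = counts.most_common(n)
    return top, sum(c for _, c in top) / len(alerts)


def flag_hours(intensity, k=1.0):
    """Hours whose count exceeds mean + k * population stddev of the hourly series.

    A simple threshold rule chosen for this example; with a long series a higher k
    (or a per-hour-of-day baseline) is more appropriate.
    """
    values = list(intensity.values())
    if len(values) < 2:
        return []
    threshold = mean(values) + k * pstdev(values)
    return [hour for hour, count in intensity.items() if count > threshold]


def shareable_summary(alerts):
    """Statistics that can be handed to a third party: counts only, no addresses or ports."""
    return {
        "hourly": hourly_intensity(alerts),
        "per_signature": dict(Counter(sid for _, sid, _ in alerts)),
    }


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    series = hourly_intensity(parsed)
    top, share = top_n_share(parsed, 2)
    print("hourly:", series)
    print("top-2 signatures:", top, f"({share:.1%} of all alerts)")
    print("hours above threshold:", flag_hours(series))
    print("shareable:", shareable_summary(parsed))
```

In the constructed data the flagged hour is driven almost entirely by one signature, which is exactly the situation the abstract describes: the individual alerts are low priority, but the departure from the hourly baseline is what deserves an analyst's attention. The summary returned by `shareable_summary` carries only the hourly and per-signature counts, so it can be exchanged with other researchers without revealing hosts, ports or the raw alerts.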
