GSAL :: Projects :: False Alarm Reduction
It is a well-known problem that intrusion detection systems (IDSs)
overload their human operators by triggering thousands of alarms per
day. Tuning IDSs manually is a tedious process which is environment
dependent and needs to be redone from time to time. To mitigate this
problem, we have developed a novel data mining technique that
compresses huge alarm logs into short and highly comprehensible
summaries. Using these summaries, it is a matter of a few hours to
understand the alarm root causes and to derive a smarter way of
handling the alarms in the future.

For example, using our data mining technique, we discovered in one
case a misconfigured secondary DNS server that did half-hourly DNS
zone transfers from its primary server. The deployed IDS triggered
"DNS Zone Transfer" alarms because DNS zone transfers have been used
to "spy out" target networks. In this case, the misconfiguration is
the root cause, and fixing it clearly eliminates the associated
alarms. In other cases, we acted upon the discovered root causes by
reconfiguring a firewall or by writing custom-made filtering rules
that discard false positives. In all these cases, the insights gained
from our data mining technique were of great help for handling future
alarms more efficiently. For more information on this project, please
refer to our list of publications.
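The following is an added illustration of the idea described above, not the GSAL tool's own algorithm or code: a constructed alarm log is grouped by (signature, source, destination), large groups are summarised with their size and inter-arrival regularity, and whatever the summaries do not explain is left for the operator. The addresses, timestamps and signature names are constructed sample values; the half-hourly zone transfer pattern mirrors the case in the text.

```python
"""Summarise an IDS alarm log into candidate root-cause clusters (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def constructed_alarms():
    """Constructed sample log: (timestamp, signature, source, destination).
    10.0.0.53 is a secondary DNS server pulling its zone from the primary
    10.0.0.5 every 30 minutes; two unrelated alarms are mixed in."""
    t0 = datetime(2024, 1, 1, 0, 0)
    alarms = [(t0 + timedelta(minutes=30 * i), "DNS Zone Transfer", "10.0.0.53", "10.0.0.5")
              for i in range(48)]
    alarms.append((t0 + timedelta(hours=3, minutes=7), "Port Scan", "203.0.113.7", "10.0.0.9"))
    # A zone transfer from an outside host: same signature, different root cause.
    alarms.append((t0 + timedelta(hours=19, minutes=2), "DNS Zone Transfer", "198.51.100.4", "10.0.0.5"))
    return sorted(alarms)


def summarise(alarms, min_size=10):
    """Group alarms by (signature, source, destination) and describe each group
    of at least min_size alarms: count, median gap, and whether the gaps are
    regular (every gap within 10% of the median, i.e. a scheduled job rather
    than a human-driven probe)."""
    groups = defaultdict(list)
    for ts, sig, src, dst in alarms:
        groups[(sig, src, dst)].append(ts)
    summaries = []
    for (sig, src, dst), stamps in groups.items():
        if len(stamps) < min_size:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        periodic = all(abs(g - med) <= 0.1 * med for g in gaps)
        summaries.append({"signature": sig, "source": src, "destination": dst,
                          "count": len(stamps), "median_gap_min": med / 60,
                          "periodic": periodic})
    summaries.sort(key=lambda s: -s["count"])
    return summaries


def residual(alarms, summaries):
    """Alarms not covered by any summary: these still need individual review,
    so a filter written for a summarised root cause must not swallow them."""
    covered = {(s["signature"], s["source"], s["destination"]) for s in summaries}
    return [a for a in alarms if (a[1], a[2], a[3]) not in covered]


if __name__ == "__main__":
    log = constructed_alarms()
    for s in summarise(log):
        print(s)
    print("unexplained alarms:", residual(log, summarise(log)))
```

One summary line replaces 48 raw alarms and, being periodic and internal, points at a scheduled job to investigate; the external zone-transfer alarm with the same signature stays in the residual instead of being filtered away with it.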