False positive paradox
Computer science
Intrusion detection system
Boosting (machine learning)
Random forest
Gradient boosting
Data mining
False positive rate
Feature selection
Network security
Identification (biology)
Machine learning
Artificial intelligence
Computer security
Plant
Biology
Authors
Tian Wang,Chen Zhang,Zhigang Lü,Dan Du,Yaopeng Han
Identifier
DOI:10.1109/bigdata47090.2019.9006555
Abstract
As a cyber security protection technology, an Intrusion Detection System (IDS) monitors in real time and issues alerts when it detects malicious events. It is one of the most widely used network security products, yet it still has high false positive rates. False positive alerts not only waste a lot of resources and time to process, but also degrade correlation analysis and attack path detection. Therefore, reducing the false positive rate is one of the important means of improving the performance of an IDS. In this paper, we propose an effective model for false positive identification using gradient boosting tree models, based on an analysis of the security features of IDS alerts. Firstly, we analyze alarms through aggregation and correlation by constructing a correlated alert graph based on IP addresses. Secondly, we design a novel bidirectional recursive feature elimination method, combined with random forest, for feature selection. Finally, ensemble methods built from boosting tree models are employed in our approach for further improvement.