An Intrusion Detection System (IDS) is a security tool that automatically analyzes network traffic and detects suspicious activity. IDSs are widely deployed as security assurance tools in business networks. However, their high false-positive rate produces an overwhelming number of unnecessary alerts for security analysts to sift through. esNetwork is an IDS product of eSentire Inc. This project focuses on reducing the false-positive alerts generated by esNetwork with the help of a Random Forest (RF) classifier. The RF model classifies each alert as having a high or low likelihood of being a true positive and passes only the high-likelihood alerts to the analysts. In the evaluation experiments, the model achieves an accuracy of 97% on training validation, 88% on a test set of recent data, and 58% on Security Operations Centre (SOC)-reviewed events. The evaluation result is intermediate because of the shortage of clearly labeled data for training and of SOC-reviewed events for evaluation. The model still needs to be fine-tuned before it meets the requirements for industry deployment.
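The triage scheme the abstract describes, as an added example that is not the paper's or eSentire's code: a small pure-Python random forest (bootstrap samples, a random feature subset per node, majority vote) trained on constructed alert features, which keeps only alerts the ensemble scores as likely true positives. The feature names, the hidden labelling rule and the data are assumptions; real esNetwork alert fields are not known here. Because the model suppresses alerts, the evaluation reports recall on the confirmed-alert class alongside accuracy, since every suppressed true positive is a missed intrusion.

```python
"""Alert triage with a small Random Forest (added illustration, not esNetwork code).

Each IDS alert is a feature vector; label 1 means the SOC confirmed it
(pass to analysts), label 0 means it was a false positive (suppress).
Pure Python so it runs offline; in practice sklearn's RandomForestClassifier
would replace the hand-written forest below.
"""
import random
from collections import Counter

# Assumed feature names; real esNetwork alert fields are not known to us.
FEATURES = ["severity", "src_internal", "dst_port_common", "bytes_kb", "repeat_count"]


def make_alerts(n, seed=7, noise=0.05):
    """Constructed alert data. Ground truth follows a hidden rule plus label
    noise, mimicking imperfect SOC labels. bytes_kb and dst_port_common are
    distractors that do not affect the label."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(n):
        sev, internal = rng.randint(1, 5), rng.randint(0, 1)
        common, kb, rep = rng.randint(0, 1), rng.randint(0, 50), rng.randint(1, 20)
        y = int((sev >= 4 and internal == 0) or rep > 16)
        if rng.random() < noise:
            y ^= 1  # flip label: imperfect SOC adjudication
        rows.append([sev, internal, common, kb, rep])
        labels.append(y)
    return rows, labels


def gini(labels):
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def best_split(X, y, feature_idx):
    """Exhaustive search over (feature, threshold) minimising weighted Gini."""
    best = (None, None, float("inf"))
    for f in feature_idx:
        for t in sorted({row[f] for row in X}):
            left = [y[i] for i in range(len(X)) if X[i][f] <= t]
            right = [y[i] for i in range(len(X)) if X[i][f] > t]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(X)
            if score < best[2]:
                best = (f, t, score)
    return best


def build_tree(X, y, rng, max_depth, n_features):
    majority = Counter(y).most_common(1)[0][0]
    if max_depth == 0 or len(set(y)) == 1:
        return ("leaf", majority)
    feats = rng.sample(range(len(FEATURES)), n_features)  # random subspace per node
    f, t, _ = best_split(X, y, feats)
    if f is None:
        return ("leaf", majority)
    li = [i for i in range(len(X)) if X[i][f] <= t]
    ri = [i for i in range(len(X)) if X[i][f] > t]
    return ("node", f, t,
            build_tree([X[i] for i in li], [y[i] for i in li], rng, max_depth - 1, n_features),
            build_tree([X[i] for i in ri], [y[i] for i in ri], rng, max_depth - 1, n_features))


def predict_tree(tree, row):
    while tree[0] == "node":
        _, f, t, left, right = tree
        tree = left if row[f] <= t else right
    return tree[1]


class RandomForest:
    def __init__(self, n_trees=20, max_depth=4, n_features=3, seed=1):
        self.n_trees, self.max_depth, self.n_features = n_trees, max_depth, n_features
        self.rng, self.trees = random.Random(seed), []

    def fit(self, X, y):
        n = len(X)
        for _ in range(self.n_trees):
            idx = [self.rng.randrange(n) for _ in range(n)]  # bootstrap sample
            self.trees.append(build_tree([X[i] for i in idx], [y[i] for i in idx],
                                         self.rng, self.max_depth, self.n_features))
        return self

    def predict_proba(self, row):
        """Fraction of trees voting 'true positive'."""
        return sum(predict_tree(t, row) for t in self.trees) / len(self.trees)

    def predict(self, row, threshold=0.5):
        return int(self.predict_proba(row) >= threshold)


def evaluate(y_true, y_pred):
    """Accuracy alone hides suppressed true positives, so also report recall on
    the confirmed-alert class: every false negative is a missed intrusion."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    tn = len(y_true) - tp - fp - fn
    return {"accuracy": (tp + tn) / len(y_true),
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0,
            "suppressed_true_positives": fn}


def run_demo(seed=7):
    """Train on 240 constructed alerts, score 60 held-out ones at two
    thresholds; lowering the threshold trades precision for recall."""
    X, y = make_alerts(300, seed=seed)
    model = RandomForest().fit(X[:240], y[:240])
    return {thr: evaluate(y[240:], [model.predict(r, thr) for r in X[240:]])
            for thr in (0.5, 0.3)}


if __name__ == "__main__":
    for thr, m in run_demo().items():
        print(f"threshold={thr}: {m}")
```

The drop from 88% on recent test data to 58% on SOC-reviewed events in the abstract is the pattern to watch for when deploying such a filter: the training labels and the analysts' adjudications disagree, so the held-out test set is not representative of what the SOC actually escalates. Evaluating on SOC-adjudicated alerts and choosing the vote threshold by the cost of a suppressed true positive, rather than by raw accuracy, is the check a practitioner would add before putting the filter in front of analysts.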