Publication details


Guidelines/Recommendations on Best Practices in Fine Tuning IDS Alarms
Obi CA, Papadaki M
Advances in Communications, Computing, Networks and Security 6, ISBN: 978-1-84102-258-1, pp107-114, 2009
Can be ordered on-line.

This paper presents guidelines and recommendations on best practices in fine tuning IDS alarms, based on experiments conducted with the network-based intrusion detection system Snort and the MIT 1999 DARPA dataset. Out of the box, Snort generated about seventy seven percent false alerts. The experiments applied the fine tuning techniques of thresholding, rule customisation, rule disablement and combinations of these techniques, with the aim of reducing false alerts while keeping the chance of missing true attacks to a minimum. Evaluation of the tuning techniques led to the following guidelines put forward by this study: customised rules should be designed around a context keyword that remains constant; threshold time periods should be set from the approximate time interval between successive alert instances; the limit threshold type is better suited to detecting probe attacks that come in both clear and stealth versions; and combining techniques improves the attack detection rate while greatly reducing the number of false alarm instances.
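The abstract's two thresholding guidelines (size the time window from the interval between successive alert instances; prefer the limit type when a probe has a slow, stealthy variant) can be checked on a small alert stream. The following is an added illustration, not code or data from the paper: it simulates the three Snort 2 event_filter types (limit, threshold, both) over a constructed stream of 25 repeated hits of one signature from one scanner address, 20 from a fast "clear" scan and 5 from a "stealth" scan probing every 30 seconds. The address, timings and window factor are assumptions chosen for the example; the filter semantics follow the Snort 2 manual.

```python
"""Simulate Snort 2 event_filter types (limit / threshold / both) over a
constructed alert stream, to show how window size and filter type trade
false-alarm volume against missing a slow (stealth) probe."""

from statistics import median

# Constructed sample, not data from the paper: repeated hits of one signature
# (e.g. a port-probe rule) from one scanner host. The "clear" scan probes once
# a second; the "stealth" scan from the same host probes every 30 seconds.
SCANNER = "198.51.100.7"                                        # documentation-range address
CLEAR_SCAN = [(float(t), SCANNER) for t in range(20)]           # 20 probes, 1 s apart
STEALTH_SCAN = [(100.0 + 30 * i, SCANNER) for i in range(5)]    # 5 probes, 30 s apart
RAW_ALERTS = sorted(CLEAR_SCAN + STEALTH_SCAN)                  # 25 raw alerts


def median_interval(events):
    """Median gap in seconds between successive alert instances; the paper's
    guideline is to size the threshold time period from roughly this value."""
    times = [t for t, _ in events]
    return median(b - a for a, b in zip(times, times[1:]))


def apply_filter(ftype, count, seconds, events):
    """Return the alerts that survive an event_filter of the given type.
    Semantics as in the Snort 2 manual, tracked per source (track by_src):
      limit     - pass the first `count` events in each window, drop the rest
      threshold - pass every `count`-th event within a window
      both      - pass once per window, on the `count`-th event
    A window starts at the first event seen and is reset once `seconds`
    have elapsed since that start."""
    window_start, window_count, passed = {}, {}, []
    for t, src in events:
        start = window_start.get(src)
        if start is None or t - start >= seconds:    # window expired: reset
            window_start[src], window_count[src] = t, 0
        window_count[src] += 1
        n = window_count[src]
        if ftype == "limit":
            fire = n <= count
        elif ftype == "threshold":
            fire = n % count == 0
        elif ftype == "both":
            fire = n == count
        else:
            raise ValueError(f"unknown event_filter type: {ftype}")
        if fire:
            passed.append((t, src))
    return passed


def stealth_detected(passed):
    """True if at least one stealth-scan probe still produced an alert."""
    stealth = set(STEALTH_SCAN)
    return any(alert in stealth for alert in passed)


if __name__ == "__main__":
    # Size the window from the slow scan's inter-alert interval (factor 2 is an
    # assumption of this example): 2 * 30 s = 60 s.
    window = 2 * median_interval(STEALTH_SCAN)
    print(f"raw alerts: {len(RAW_ALERTS)}, window: {window:.0f} s")
    for ftype, count in (("limit", 1), ("threshold", 5), ("both", 5)):
        out = apply_filter(ftype, count, window, RAW_ALERTS)
        print(f"{ftype:9} count {count}: {len(out):2} alerts, "
              f"stealth scan seen: {stealth_detected(out)}")
```

With a 60 s window, `limit` with count 1 cuts the 25 raw alerts to 4 and still raises an alert for the stealth scan, whereas `threshold` and `both` with count 5 also cut the volume but never reach five events within a window during the slow scan, so the stealth variant is lost entirely. That is the trade-off behind the abstract's recommendation of the limit type for probes with clear and stealth versions.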
