Hadi, Hassan Jalil and Cao, Yue and Hussain, Faisal Bashir and Ahamad, Naveed and Alshara, Mohammed Ali and Ullah, Insaf and Javed, Yasir and He, Yinglong and Jamil, Abdul Majid (2025) Reducing False Positives in Intrusion Detection System Alerts: A Novel Aggregation and Correlation Model. In: 15th EAI International Conference, ICDF2C 2024, 2024-10-09 - 2024-10-10, Dubrovnik, Croatia.
Abstract
Network security involves safeguarding and preventing unauthorized access to networks through various methodologies, including access control, firewalls, and intrusion detection and prevention systems (IDS/IPS). Despite the escalating frequency of network attacks, traditional tools like antivirus software and firewalls often fall short. In contrast, IDS/IPS solutions are increasingly favored for robust network protection due to their effectiveness. However, the integration of machine learning and signature-based approaches has led to a significant increase in false positives, making the manual analysis and identification of genuine alerts labor-intensive. Additionally, conventional processes may impede IDS performance, even with the use of alert aggregation and correlation techniques that aim to efficiently eliminate redundant or duplicate alerts. This work introduces a model for alert aggregation and correlation based on similarity-based correlation to mitigate anomaly-based alerts, employing a Security Event Correlator (SEC). Initially, an Anomaly Detection System (ADS), akin to IDS, is deployed. The alerts generated by the ADS serve as inputs for the proposed SEC, which preprocesses the alerts to systematically remove redundancies and duplicates. Aggregation is then executed based on extracted features, followed by correlation to prioritize the remaining alerts by considering their frequency and features. The proposed model has successfully achieved a remarkable 99.0% accuracy rate in removing redundant and duplicate alerts.
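The abstract describes a three-stage pipeline (preprocess to drop redundant and duplicate alerts, aggregate on extracted features, then correlate and rank by frequency and features). The following Python sketch is an added illustration of that shape and is not the paper's Security Event Correlator; the alert field names, the 10-second redundancy window, the (source, signature) aggregation key and the scoring formula are all assumptions chosen here, and the input alerts are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample alerts in the shape an ADS might emit (not data from the paper).
RAW_ALERTS = [
    {"ts": "2024-10-09T10:00:00", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "sig": "ssh-bruteforce", "sev": 3},
    {"ts": "2024-10-09T10:00:00", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "sig": "ssh-bruteforce", "sev": 3},  # exact duplicate
    {"ts": "2024-10-09T10:00:02", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "sig": "ssh-bruteforce", "sev": 3},  # redundant (inside window)
    {"ts": "2024-10-09T10:00:30", "src": "10.0.0.5", "dst": "10.0.1.21", "dport": 22, "sig": "ssh-bruteforce", "sev": 3},
    {"ts": "2024-10-09T10:01:00", "src": "10.0.0.5", "dst": "10.0.1.22", "dport": 22, "sig": "ssh-bruteforce", "sev": 3},
    {"ts": "2024-10-09T10:05:00", "src": "10.0.0.9", "dst": "10.0.1.20", "dport": 443, "sig": "tls-anomaly", "sev": 1},
    {"ts": "2024-10-09T10:20:00", "src": "10.0.0.9", "dst": "10.0.1.20", "dport": 443, "sig": "tls-anomaly", "sev": 1},  # outside window: kept
    {"ts": "2024-10-09T10:06:00", "src": "10.0.0.7", "dst": "10.0.1.30", "dport": 445, "sig": "smb-exploit-attempt", "sev": 5},
]


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def redundancy_key(alert):
    # Assumed definition of "the same event": flow identity plus signature.
    return (alert["src"], alert["dst"], alert["dport"], alert["sig"])


def preprocess(alerts, window_s=10):
    """Stage 1: drop exact duplicates and near-duplicates.

    An alert whose redundancy key matches an already-kept alert within
    `window_s` seconds is discarded; the first occurrence is retained.
    """
    kept, last_kept = [], {}
    for alert in sorted(alerts, key=_ts):
        key = redundancy_key(alert)
        if key in last_kept and _ts(alert) - last_kept[key] <= timedelta(seconds=window_s):
            continue
        last_kept[key] = _ts(alert)
        kept.append(alert)
    return kept


def aggregate(alerts):
    """Stage 2: merge alerts sharing extracted features (source, signature) into meta-alerts."""
    groups = {}
    for alert in alerts:
        key = (alert["src"], alert["sig"])
        g = groups.setdefault(key, {
            "key": key, "count": 0, "targets": set(), "sev": alert["sev"],
            "first": _ts(alert), "last": _ts(alert),
        })
        g["count"] += 1
        g["targets"].add(alert["dst"])
        g["sev"] = max(g["sev"], alert["sev"])
        g["first"] = min(g["first"], _ts(alert))
        g["last"] = max(g["last"], _ts(alert))
    return list(groups.values())


def correlate(meta_alerts):
    """Stage 3: rank meta-alerts by frequency and features.

    Assumed scoring: count * severity, plus one point per additional
    distinct target so that fan-out across hosts is surfaced.
    """
    for m in meta_alerts:
        m["score"] = m["count"] * m["sev"] + (len(m["targets"]) - 1)
    return sorted(meta_alerts, key=lambda m: m["score"], reverse=True)


def run_pipeline(alerts, window_s=10):
    """Full pipeline: returns meta-alerts ranked for analyst attention."""
    return correlate(aggregate(preprocess(alerts, window_s)))


def reduction_rate(alerts, window_s=10):
    """Fraction of raw alerts removed as redundant or duplicate in stage 1."""
    if not alerts:
        return 0.0
    return 1 - len(preprocess(alerts, window_s)) / len(alerts)


if __name__ == "__main__":
    print(f"removed {reduction_rate(RAW_ALERTS):.0%} of raw alerts as redundant")
    for m in run_pipeline(RAW_ALERTS):
        src, sig = m["key"]
        print(f"score={m['score']:>3}  {src:<10} {sig:<22} count={m['count']} targets={len(m['targets'])}")
```

Running it, the two repeated SSH alerts are dropped in stage 1, the remaining alerts collapse into three meta-alerts, and the brute-force source that fans out across three hosts ranks above the single high-severity SMB alert. In practice the redundancy window and the aggregation features are the knobs that trade alert volume against the risk of merging unrelated events, so they should be tuned against labelled alert data rather than fixed as here.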
| Item Type: | Conference or Workshop Item (Paper) |
|---|---|
| Uncontrolled Keywords: | Aggregation; Anomaly Detection System (ADS); Correlation; Firewall; Intrusion Detection System (IDS); Intrusion Prevention System (IPS) |
| Divisions: | Faculty of Science and Health > Computer Science and Electronic Engineering, School of |
| SWORD Depositor: | Unnamed user with email elements@essex.ac.uk |
| Depositing User: | Unnamed user with email elements@essex.ac.uk |
| Date Deposited: | 31 Mar 2026 10:11 |
| Last Modified: | 31 Mar 2026 10:11 |
| URI: | http://repository.essex.ac.uk/id/eprint/42458 |