
RESEARCH PROPOSAL: AN INTRUSION DETECTION SYSTEM ALERT REDUCTION AND ASSESSMENT FRAMEWORK BASED ON DATA MINING

Authors: visible to members only

Journal information: thescipub.com
Publication year: 2013
File format: PDF
Article code: 26765


Abstract (English):

The Intrusion Detection System (IDS) generates huge amounts of alerts, most of which are false positives. The
abundance of false positive alerts makes it difficult for the security analyst to identify successful attacks and
to take remedial action. Such alerts have not been classified in accordance with their degree of threat.
They further need to be processed to ascertain the most serious alerts and the time of the reaction response.
They may take a long time and considerable space to examine thoroughly. Each IDS generates a huge
amount of alerts, most of which are real while the others are false or redundant. False alerts create a
serious problem for intrusion detection systems. Alerts are defined based on source/destination IP and
source/destination ports; however, one cannot know which of those IPs/ports pose a threat to the network.
IDS alerts are not classified by their degree of threat, so it is difficult for the security analyst to identify
attacks and take remedial action. It is therefore necessary to assist in categorizing the degree of threat by
using data mining techniques. The proposed framework is IDS Alert Reduction and Assessment Based on
Data Mining (ARADMF). It contains three systems: a traffic data retrieval and collection mechanism
system, a reduction IDS alert processes system and a threat score process of IDS alert system. The traffic
data retrieval and collection mechanism system develops a mechanism to save IDS alerts, extract the
standard features as Intrusion Detection Message Exchange Format (IDMEF) and save them in a DB file
(CSV type). IDMEF serves as the alert acquisition format, and field reduction is used as data
standardization to make the alert format as standard as possible. The Feature Extraction (FE) system is
designed to extract the features of an alert using an information gain algorithm, which ranks every feature
to facilitate selecting the feature with the highest rank. The main function of the reduction IDS alert
processes system is to remove duplicate IDS alerts and reduce the number of false alerts based on a new
aggregation algorithm. It consists of three phases: the first phase removes redundant alerts, the second
phase reduces false alerts based on a threshold time value, and the last phase reduces false alerts based on
rules with a threshold common vulnerabilities and exposures (CVE) value. The threat score process of the
IDS alert system is characterized by a proposed adaptive Apriori algorithm, which has been modified to
work with multiple features (i.e., items) and to automatically classify alerts according to their threat
scores. The expected result of this proposal is a decrease in the number of false positive alerts at an
expected rate of 90% and an increase in the level of accuracy compared with other approaches. The
reasons behind using ARADMF are to reduce false IDS alerts and to assess them to determine the threat
score of each IDS alert, which will increase the efficiency and accuracy of network security.
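The three reduction phases described in the abstract, as an added example that is not the paper's own code: phase 1 drops exact duplicates, phase 2 merges repeats of the same 5-tuple and signature inside a time window, and phase 3 applies a severity rule. The sample alerts, the `cvss` field used as the CVE threshold value, and the window/threshold defaults are all assumptions made for this illustration.

```python
# Constructed sample alerts (not from the paper), holding a subset of IDMEF fields.
# "cvss" is an assumed per-alert CVE severity used by the phase 3 threshold rule.
ALERTS = [
    {"ts": 100, "src": "10.0.0.5", "sport": 4444, "dst": "10.0.0.9", "dport": 80, "sig": "WEB-SCAN", "cvss": 2.0},
    {"ts": 100, "src": "10.0.0.5", "sport": 4444, "dst": "10.0.0.9", "dport": 80, "sig": "WEB-SCAN", "cvss": 2.0},  # exact duplicate
    {"ts": 104, "src": "10.0.0.5", "sport": 4444, "dst": "10.0.0.9", "dport": 80, "sig": "WEB-SCAN", "cvss": 2.0},  # repeat inside window
    {"ts": 130, "src": "10.0.0.5", "sport": 4444, "dst": "10.0.0.9", "dport": 80, "sig": "WEB-SCAN", "cvss": 2.0},  # repeat outside window
    {"ts": 101, "src": "10.0.0.7", "sport": 5555, "dst": "10.0.0.9", "dport": 22, "sig": "SSH-BRUTE", "cvss": 7.5},
    {"ts": 103, "src": "10.0.0.7", "sport": 5555, "dst": "10.0.0.9", "dport": 22, "sig": "SSH-BRUTE", "cvss": 7.5},
]

KEY = ("src", "sport", "dst", "dport", "sig")


def key_of(alert):
    """Grouping key: source/destination IP and ports plus the signature."""
    return tuple(alert[k] for k in KEY)


def remove_redundant(alerts):
    """Phase 1: drop alerts identical in timestamp, 5-tuple and signature."""
    seen, out = set(), []
    for a in alerts:
        k = (a["ts"],) + key_of(a)
        if k not in seen:
            seen.add(k)
            out.append(a)
    return out


def aggregate_by_time(alerts, window):
    """Phase 2: merge alerts with the same key whose timestamp lies within
    `window` seconds of the first alert in the group; keep a repeat count."""
    groups, out = {}, []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        g = groups.get(key_of(a))
        if g is not None and a["ts"] - g["ts"] <= window:
            g["count"] += 1          # absorbed into the open group
            continue
        g = dict(a, count=1)         # copy so the input alerts stay untouched
        groups[key_of(a)] = g        # a later alert outside the window opens a new group
        out.append(g)
    return out


def filter_by_cve_threshold(alerts, min_cvss):
    """Phase 3: keep only alerts whose CVE severity reaches the threshold."""
    return [a for a in alerts if a["cvss"] >= min_cvss]


def reduce_alerts(alerts, window=10, min_cvss=4.0):
    """Run the three phases in order and return the surviving alerts."""
    return filter_by_cve_threshold(aggregate_by_time(remove_redundant(alerts), window), min_cvss)
```

With the constructed input, six raw alerts reduce to one aggregated SSH-BRUTE alert carrying a repeat count of 2.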

Article keywords (Persian):

False positive, alert reduction, association rules, alert aggregation, threat assessment

Article keywords (English):

Keywords: False Positive, Reduction Alert, Association Rules, Aggregation Alert, Assessment Threat

All material and intellectual rights reserved for Iran Maghaleh.