Technical note | Text Classification of Network Intrusion Alerts to Enhance Cyber Situation Awareness and Automate Alert Triage
Abstract
For many Cyber Security Incident Response Teams (CSIRT), reacting and responding to suspicious network activity is predominantly a manual task and lacks the necessary levels of automation required to deal with the volume of alerts. Alerts are signalled from tools such as Intrusion Detection Systems (IDS) to skilled analysts who must then decide on courses of action and remediation activities. The IDS alerts are basic; analysts must manually derive context about the alert using their prior knowledge.
In this paper, we describe Artificial Intelligence (AI) techniques used to automate the derivation of context from IDS alerts. We propose two algorithms based on well-known automated text classification methods and define a multi-level taxonomy to describe classifications of alerts in a semantically hierarchical manner. Consideration is given to the use of these algorithms by a CSIRT, as well as how Situation Awareness (SA) can be improved through automation. Our findings show that a combination of Naïve Bayes algorithms in conjunction with our proposed hierarchical taxonomy can automate alert classification with high accuracy, and low false and unclassified rates.
Executive Summary
Organisations are faced with the continual threat of intrusion and infection of their mission critical networks. With networks becoming more complex, detecting suspicious activity has become challenging. Maintaining an awareness of one’s own networks and their activities has therefore become of paramount importance.
Network intrusion detection systems (NIDS) are one set of tools available to organisations to detect suspicious activity. NIDS detect suspicious activity and flag it to analysts through alerts. Skilled network security analysts must determine the context of each alert using their prior knowledge and experience. This process is difficult to automate due to a lack of algorithms that can understand the alert context, resulting in the current manually intensive nature of triage.
Algorithms that derive context from NIDS alerts are described within this paper. These algorithms are based on well-known text classification algorithms such as Naïve Bayes. NIDS alerts are classified by these algorithms against a proposed hierarchical taxonomy of suspicious activity, defined in this paper. This taxonomy enables further automation of network security processes.
Our algorithms were compared against existing text classification algorithms. We determined that our proposed combination of Naïve Bayes algorithms is highly effective at classifying alerts accurately, and therefore suitable for Computer Security Incident Response Teams (CSIRT) use.
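As an added illustration of the approach described above (example code written for this note, not the paper's own implementation or data), the following trains a multinomial Naïve Bayes text classifier on NIDS alert messages whose labels are leaves of a two-level taxonomy, leaves weak matches unclassified instead of forcing a category, and measures accuracy and unclassified rate the way a CSIRT would before trusting automated triage. The alert messages, the taxonomy categories and the 0.6 confidence threshold are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed Snort/Suricata-style alert messages labelled "category/subcategory"; both are assumptions.
TRAINING = [
    ("ET SCAN Nmap SYN scan detected", "reconnaissance/port_scan"),
    ("ET SCAN Potential SSH scan", "reconnaissance/port_scan"),
    ("ET SCAN Masscan TCP probe", "reconnaissance/port_scan"),
    ("ET POLICY Outbound DNS query for suspicious domain", "command_control/dns_beacon"),
    ("ET MALWARE Trojan CnC beacon DNS TXT", "command_control/dns_beacon"),
    ("ET WEB_SERVER SQL injection attempt in URI", "exploitation/web_injection"),
    ("ET WEB_SERVER Possible XSS injection in query string", "exploitation/web_injection"),
    ("ET EXPLOIT Possible shellcode in HTTP POST", "exploitation/web_injection"),
]
def tokenize(text):
    return text.replace("/", " ").lower().split()
class HierarchicalNaiveBayes:
    """Multinomial Naive Bayes (Laplace smoothing) over leaf labels 'level1/level2'; weak -> unclassified."""
    def __init__(self, min_confidence=0.6):
        self.min_confidence = min_confidence
        self.doc_counts = Counter()              # label -> number of training alerts
        self.word_counts = defaultdict(Counter)  # label -> token -> count
        self.vocab = set()

    def train(self, samples):
        for text, label in samples:
            self.doc_counts[label] += 1
            for tok in tokenize(text):
                self.word_counts[label][tok] += 1
                self.vocab.add(tok)

    def classify(self, text):
        # Returns (level1, level2, confidence); the top-level category is the leaf's prefix.
        tokens, n_docs, v = tokenize(text), sum(self.doc_counts.values()), len(self.vocab)
        logp = {}
        for label, docs in self.doc_counts.items():
            n_words = sum(self.word_counts[label].values())  # unseen tokens count 0 before +1
            logp[label] = math.log(docs / n_docs) + sum(
                math.log((self.word_counts[label][tok] + 1) / (n_words + v)) for tok in tokens)
        top = max(logp.values())  # subtract the max before exp so normalisation cannot overflow
        posterior = {lab: math.exp(lp - top) for lab, lp in logp.items()}
        best = max(posterior, key=posterior.get)
        confidence = posterior[best] / sum(posterior.values())
        if confidence < self.min_confidence:
            return ("unclassified", "unclassified", confidence)
        return (*best.split("/"), confidence)

def evaluate(model, labelled):  # (accuracy, unclassified rate) over (message, 'l1/l2') pairs
    predicted = [model.classify(text)[:2] for text, _ in labelled]
    hits = sum("/".join(p) == lab for p, (_, lab) in zip(predicted, labelled))
    return hits / len(labelled), sum(p[0] == "unclassified" for p in predicted) / len(labelled)
```

An alert whose tokens were never seen in training (for example an ICMP signature) scores almost equally under every category and is reported as unclassified, which is the case an analyst must still triage by hand.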