Traditional intrusion detection systems are known for triggering large volumes of alerts. An average commercial intrusion detection system reports thousands of alerts on a daily basis, and a large proportion of these alerts are false alerts. In the field of alert management, alert verification is cited as a critical component in determining whether an intrusion has succeeded. It helps to eliminate any alert that does not have a corresponding vulnerability in the network, hence improving the effectiveness of alert management approaches. Alert verification alone cannot guarantee alerts of high quality because the validated alerts may still contain a massive number of redundant alerts. The analysts who review alerts are likely to take longer to understand the complete security incident because they would have to evaluate each single redundant alert. Consequently, the analysts would not only encounter difficulties in making the correct decision but would also take longer to respond to the intrusions. The unnecessary alerts therefore diminish the value and urgency of the relevant alerts.
This paper seeks to address the aforementioned issue in order to strengthen vulnerability-based alert management approaches. Our approach verifies alerts prior to merging them. Central to this approach is the use of two components: a verifier and an alert merger. The verifier component improves the quality of alerts by validating them against enhanced vulnerability assessment data. The alert merger component reduces the huge number of redundant alerts. Experiments conducted in our test bed have demonstrated the success of our approach in reducing most of the unnecessary alerts for a range of attacks with high accuracy while closely maintaining the detection rate. Copyright © 2012 John Wiley & Sons, Ltd.
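As an added illustration of the verify-then-merge pipeline described above (example code written for this page, not the paper's implementation): alerts whose targeted vulnerability is absent from the destination host's assessment record are dropped, and the survivors with identical signature, source, destination, port and vulnerability are merged within a time window. The alert fields, the placeholder vulnerability identifiers, the sample data and the window rule are all assumptions.

```python
# Constructed vulnerability assessment data (placeholders, not real IDs):
# (host, port) -> set of vulnerability identifiers found on that service.
ASSESSMENT = {
    ("10.0.1.10", 445): {"VULN-SMB-1"},
    ("10.0.1.20", 80): {"VULN-WEB-7"},
}

# Constructed IDS alerts; 'vuln' is the vulnerability the signature targets.
ALERTS = [
    {"sig": "smb-exploit", "src": "10.0.0.5", "dst": "10.0.1.10", "port": 445, "vuln": "VULN-SMB-1", "ts": 100},
    {"sig": "smb-exploit", "src": "10.0.0.5", "dst": "10.0.1.10", "port": 445, "vuln": "VULN-SMB-1", "ts": 104},
    {"sig": "smb-exploit", "src": "10.0.0.5", "dst": "10.0.1.10", "port": 445, "vuln": "VULN-SMB-1", "ts": 107},
    {"sig": "web-exploit", "src": "10.0.0.6", "dst": "10.0.1.20", "port": 80, "vuln": "VULN-WEB-7", "ts": 110},
    {"sig": "web-exploit", "src": "10.0.0.6", "dst": "10.0.1.20", "port": 80, "vuln": "VULN-WEB-7", "ts": 400},
    {"sig": "iis-exploit", "src": "10.0.0.6", "dst": "10.0.1.20", "port": 80, "vuln": "VULN-IIS-3", "ts": 111},
    {"sig": "smb-exploit", "src": "10.0.0.7", "dst": "10.0.1.30", "port": 445, "vuln": "VULN-SMB-1", "ts": 112},
]

KEY_FIELDS = ("sig", "src", "dst", "port", "vuln")


def verify(alerts, assessment):
    """Verifier: keep only alerts whose targeted vulnerability is present on the
    destination host/service in the assessment data; everything else is noise."""
    return [a for a in alerts
            if a["vuln"] in assessment.get((a["dst"], a["port"]), set())]


def merge(alerts, window):
    """Alert merger: collapse alerts with the same key whose timestamps fall
    within `window` seconds of the group's most recent alert into one record."""
    merged, open_groups = [], {}  # open_groups: key -> index into merged
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = tuple(a[f] for f in KEY_FIELDS)
        idx = open_groups.get(key)
        if idx is not None and a["ts"] - merged[idx]["last_ts"] <= window:
            merged[idx]["count"] += 1
            merged[idx]["last_ts"] = a["ts"]
            continue
        record = dict(zip(KEY_FIELDS, key))
        record.update(first_ts=a["ts"], last_ts=a["ts"], count=1)
        merged.append(record)
        open_groups[key] = len(merged) - 1
    return merged


def process(alerts, assessment, window=60):
    """Verify first, then merge, so redundant false alerts never reach the merger."""
    verified = verify(alerts, assessment)
    return verified, merge(verified, window)
```

With the constructed data, two alerts are dropped by the verifier and the three SMB alerts collapse into one record, leaving three merged alerts from seven raw ones.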