Automated False Positive Filtering for esNetwork Alerts
Guangyi Zhu (School of Computer Science, University of Guelph, Ontario, Canada)

TL;DR
This paper presents a machine learning approach using a Random Forest classifier to effectively filter false positive alerts in an IDS, significantly reducing analyst workload.
Contribution
It introduces a novel application of RF classification to improve false positive filtering in esNetwork IDS, with promising accuracy results.
Findings
97% accuracy on training validation
88% accuracy on recent test data
58% accuracy on SOC-reviewed events
Abstract
An Intrusion Detection System (IDS) is a security tool that automatically analyzes network traffic and detects suspicious activity. IDSs are widely deployed as security safeguards in business networks. However, their high false-positive rate produces an overwhelming number of unnecessary alerts for security analysts to sift through. esNetwork is an IDS product by eSentire Inc. This project focuses on reducing the false-positive alerts generated by esNetwork with the help of a Random Forest (RF) classifier. The RF model was built to classify alerts as high or low likelihood of being true positives and to pass only the high-likelihood alerts to analysts. In the evaluation experiments, the model achieved an accuracy of 97% on training validation, 88% on testing with recent data, and 58% on Security Operations Centre (SOC) reviewed events. The evaluation result of…
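The abstract describes a triage pipeline: alerts are scored by a Random Forest, and only alerts whose predicted true-positive likelihood is high reach an analyst. The block below is an added example of that pipeline, not eSentire's esNetwork code and not the paper's model. It uses a small self-contained random forest (bootstrap sampling, depth-limited decision trees, random feature subsets per split) so it runs without any ML library; the alert fields, signature names and the ground-truth labelling rule in `make_alerts` are all constructed for illustration.

```python
"""Toy IDS alert-triage pipeline around a small random forest.
Added example: not esNetwork code; all fields and labels are constructed."""
import random

# Hypothetical signature names; the list index is used as a numeric feature.
SIGNATURES = ["port_scan", "exe_download", "c2_beacon", "suspicious_dns"]
FEATURES = ["signature", "src_internal", "dst_port", "hit_count", "hour"]


def make_alerts(n, seed):
    """Constructed alerts with a constructed ground truth (label 1 = analyst
    confirmed): repeated beaconing, or many hits from an external source."""
    rng = random.Random(seed)
    alerts = []
    for _ in range(n):
        a = {"signature": rng.randrange(len(SIGNATURES)),
             "src_internal": rng.randrange(2),
             "dst_port": rng.choice([22, 53, 80, 443, 445, 3389, 8080]),
             "hit_count": rng.randrange(1, 20),
             "hour": rng.randrange(24)}
        a["label"] = int((a["signature"] == 2 and a["hit_count"] >= 3) or
                         (a["src_internal"] == 0 and a["hit_count"] >= 12))
        alerts.append(a)
    return alerts


def gini(labels):
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) ** 2


def best_split(rows, feature_idxs):
    """Exhaustive threshold search over the sampled features, minimising the
    size-weighted Gini impurity of the two children. rows = [(x, y), ...]."""
    best = None
    for f in feature_idxs:
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2.0
            left = [y for x, y in rows if x[f] <= thr]
            right = [y for x, y in rows if x[f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, thr)
    return best  # None if every sampled feature is constant


def build_tree(rows, rng, depth, n_feat):
    p1 = sum(y for _, y in rows) / len(rows)
    if depth == 0 or p1 in (0.0, 1.0) or len(rows) < 4:
        return ("leaf", p1)
    split = best_split(rows, rng.sample(range(len(FEATURES)), n_feat))
    if split is None:
        return ("leaf", p1)
    _, f, thr = split
    left = [r for r in rows if r[0][f] <= thr]
    right = [r for r in rows if r[0][f] > thr]
    return ("node", f, thr, build_tree(left, rng, depth - 1, n_feat),
            build_tree(right, rng, depth - 1, n_feat))


def tree_proba(tree, x):
    while tree[0] == "node":
        _, f, thr, left, right = tree
        tree = left if x[f] <= thr else right
    return tree[1]  # fraction of positives in the leaf


def train_forest(alerts, n_trees=25, depth=5, n_feat=3, seed=0):
    rng = random.Random(seed)
    rows = [([a[f] for f in FEATURES], a["label"]) for a in alerts]
    forest = []
    for _ in range(n_trees):
        boot = [rng.choice(rows) for _ in rows]  # bootstrap sample
        forest.append(build_tree(boot, rng, depth, n_feat))
    return forest


def predict_proba(forest, alert):
    x = [alert[f] for f in FEATURES]
    return sum(tree_proba(t, x) for t in forest) / len(forest)


def triage(forest, alerts, threshold=0.5):
    """Gate: only alerts at or above the likelihood threshold reach an analyst."""
    return [a for a in alerts if predict_proba(forest, a) >= threshold]


def evaluate(forest, alerts, threshold=0.5):
    """Accuracy/precision/recall of the gate against the labels, plus the share
    of alerts the gate suppresses (the analyst-workload reduction)."""
    tp = fp = fn = tn = 0
    for a in alerts:
        passed = predict_proba(forest, a) >= threshold
        if passed and a["label"]:
            tp += 1
        elif passed:
            fp += 1
        elif a["label"]:
            fn += 1
        else:
            tn += 1
    n = len(alerts)
    return {"accuracy": (tp + tn) / n,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0,
            "suppressed": (fn + tn) / n}


if __name__ == "__main__":
    train, test = make_alerts(300, seed=1), make_alerts(100, seed=2)
    forest = train_forest(train)
    print("training validation:", evaluate(forest, train))
    print("held-out test:", evaluate(forest, test))
    print("held-out test, threshold 0.3:", evaluate(forest, test, threshold=0.3))
```

The three accuracy figures in the abstract correspond to running `evaluate` on three different alert populations (the training set, later traffic, and analyst-reviewed events); the drop from 97% to 58% is why a held-out, analyst-labelled set belongs in the loop rather than the training score alone. Lowering the threshold passes a superset of alerts, so recall can only rise and the suppressed share can only fall; the operating point is a workload-versus-missed-detection trade the SOC has to choose explicitly.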
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
