Network IDS alert classification with active learning techniques

Risto Vaarandi; Alejandro Guerra-Manzanares

doi:10.1016/j.jisa.2023.103687

Network IDS alert classification with active learning techniques

Risto Vaarandi, Alejandro Guerra-Manzanares

Research output: Journal Publication › Article › peer-review

Abstract

A Network Intrusion Detection System (NIDS) is a widely used security monitoring technology for detecting attacks against network services, beaconing activity of infected end user nodes, malware propagation, and other types of malicious network traffic. Unfortunately, NIDS technologies are known to generate a large number of alerts, with a significant proportion of them having low importance. During the last two decades, many machine learning and data mining based approaches have been proposed for highlighting high-importance alerts that require human attention. However, NIDS alert classification systems based on active learning have received marginal attention in the specialized research literature. This neglects the potential benefits of active learning which involves a human expert in the machine learning model life cycle. The current paper fills this research gap and studies the use of active learning techniques for NIDS alert classification.

Original language	English
Article number	103687
Journal	Journal of Information Security and Applications
Volume	81
DOIs	https://doi.org/10.1016/j.jisa.2023.103687
Publication status	Published - Mar 2024
Externally published	Yes

Keywords

Active learning
Machine learning
Network security
NIDS alert classification
Security alert prioritization

ASJC Scopus subject areas

Software
Safety, Risk, Reliability and Quality
Computer Networks and Communications

Access to Document

10.1016/j.jisa.2023.103687

Cite this

@article{869f584185ce4f31a7387c384defbcdb,

title = "Network IDS alert classification with active learning techniques",

abstract = "A Network Intrusion Detection System (NIDS) is a widely used security monitoring technology for detecting attacks against network services, beaconing activity of infected end user nodes, malware propagation, and other types of malicious network traffic. Unfortunately, NIDS technologies are known to generate a large number of alerts, with a significant proportion of them having low importance. During the last two decades, many machine learning and data mining based approaches have been proposed for highlighting high-importance alerts that require human attention. However, NIDS alert classification systems based on active learning have received marginal attention in the specialized research literature. This neglects the potential benefits of active learning which involves a human expert in the machine learning model life cycle. The current paper fills this research gap and studies the use of active learning techniques for NIDS alert classification.",

keywords = "Active learning, Machine learning, Network security, NIDS alert classification, Security alert prioritization",

author = "Risto Vaarandi and Alejandro Guerra-Manzanares",

note = "Publisher Copyright: {\textcopyright} 2023",

year = "2024",

month = mar,

doi = "10.1016/j.jisa.2023.103687",

language = "English",

volume = "81",

journal = "Journal of Information Security and Applications",

issn = "2214-2134",

publisher = "Elsevier Ltd.",

}

TY - JOUR

T1 - Network IDS alert classification with active learning techniques

AU - Vaarandi, Risto

AU - Guerra-Manzanares, Alejandro

PY - 2024/3

Y1 - 2024/3

N2 - A Network Intrusion Detection System (NIDS) is a widely used security monitoring technology for detecting attacks against network services, beaconing activity of infected end user nodes, malware propagation, and other types of malicious network traffic. Unfortunately, NIDS technologies are known to generate a large number of alerts, with a significant proportion of them having low importance. During the last two decades, many machine learning and data mining based approaches have been proposed for highlighting high-importance alerts that require human attention. However, NIDS alert classification systems based on active learning have received marginal attention in the specialized research literature. This neglects the potential benefits of active learning which involves a human expert in the machine learning model life cycle. The current paper fills this research gap and studies the use of active learning techniques for NIDS alert classification.

AB - A Network Intrusion Detection System (NIDS) is a widely used security monitoring technology for detecting attacks against network services, beaconing activity of infected end user nodes, malware propagation, and other types of malicious network traffic. Unfortunately, NIDS technologies are known to generate a large number of alerts, with a significant proportion of them having low importance. During the last two decades, many machine learning and data mining based approaches have been proposed for highlighting high-importance alerts that require human attention. However, NIDS alert classification systems based on active learning have received marginal attention in the specialized research literature. This neglects the potential benefits of active learning which involves a human expert in the machine learning model life cycle. The current paper fills this research gap and studies the use of active learning techniques for NIDS alert classification.

KW - Active learning

KW - Machine learning

KW - Network security

KW - NIDS alert classification

KW - Security alert prioritization

UR - http://www.scopus.com/inward/record.url?scp=85183778877&partnerID=8YFLogxK

U2 - 10.1016/j.jisa.2023.103687

DO - 10.1016/j.jisa.2023.103687

M3 - Article

AN - SCOPUS:85183778877

SN - 2214-2134

VL - 81

JO - Journal of Information Security and Applications

JF - Journal of Information Security and Applications

M1 - 103687

ER -

Network IDS alert classification with active learning techniques

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this