Reducing IDS False Positives by Clustering Related Alerts
Sp-117, 1400-1450, 21 July 2003
Most Intrusion Detection Systems (IDSs) generate a large number of false positives - alarms raised when there is no attack. System administrators and security analysts struggle, and often fail, to keep up with the flood of alerts, which increases the odds that a successful attack will be missed. The most common technique for reducing false positives is to shut off the signatures that cause the most of them. This approach has the obvious problem that true positives are lost along with the false positives. A better way to separate the wheat from the chaff is to cluster "related" alerts - alerts that identify parts of the same attack. The underlying theory is that false positives will be either random or endlessly repetitive, whereas the alerts for a real attack represent purposeful behavior, i.e., they will cluster. Alerts that are part of clusters are therefore more likely to be true positives. This naturally leads to the question, "But how do you identify related alerts?" In this talk, I will discuss one method for clustering alerts - requires/provides predicates - that is currently being implemented in a system scheduled for deployment with the Navy in 2003/2004.
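The following is an added illustration of the idea in the abstract, not code from the talk, from Promia, or from the IASM product. It models each IDS signature with the capabilities an attack step requires (preconditions) and provides (postconditions), binds those capabilities to the host named in the alert, and links a later alert to an earlier one when the earlier alert provides something the later alert requires. Connected alerts form clusters; alerts that connect to nothing stay singletons and are the ones most likely to be noise. The signature names, the capability labels, the time window and the six sample alerts are all constructed for the example and are assumptions, not part of the original page.

```python
"""Cluster IDS alerts with requires/provides predicates (illustrative example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    aid: int     # alert id
    t: float     # seconds since some epoch (constructed timestamps)
    sig: str     # signature name
    src: str     # source host
    dst: str     # destination host


# Capability model per signature (hypothetical). Each predicate is
# (capability, alert field whose value the capability is bound to), so a
# capability is only "the same" when it concerns the same host.
MODEL: dict[str, dict[str, list[tuple[str, str]]]] = {
    "portscan":        {"requires": [],                           "provides": [("open_ports", "dst")]},
    "ftp_banner_grab": {"requires": [("open_ports", "dst")],      "provides": [("service_version", "dst")]},
    "wu_ftpd_exploit": {"requires": [("service_version", "dst")], "provides": [("root_shell", "dst")]},
    # A reverse shell is initiated by the victim, so the precondition is bound to src.
    "outbound_shell":  {"requires": [("root_shell", "src")],      "provides": [("c2_channel", "src")]},
    "icmp_echo":       {"requires": [],                           "provides": [("host_alive", "dst")]},
}


def _bind(alert: Alert, preds: list[tuple[str, str]]) -> set[tuple[str, str]]:
    """Turn abstract predicates into concrete (capability, host) facts for one alert."""
    return {(cap, getattr(alert, fld)) for cap, fld in preds}


def requires(alert: Alert) -> set[tuple[str, str]]:
    return _bind(alert, MODEL.get(alert.sig, {}).get("requires", []))


def provides(alert: Alert) -> set[tuple[str, str]]:
    return _bind(alert, MODEL.get(alert.sig, {}).get("provides", []))


class UnionFind:
    """Disjoint sets over alert ids; used to collect linked alerts into clusters."""

    def __init__(self, ids):
        self.parent = {i: i for i in ids}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_alerts(alerts, window: float = 600.0):
    """Link each alert to earlier alerts (within `window` seconds) that provide
    a capability it requires. Returns (clusters, links): clusters is a list of
    id lists, largest first; links records which fact joined which pair."""
    ordered = sorted(alerts, key=lambda a: (a.t, a.aid))
    uf = UnionFind(a.aid for a in ordered)
    links = []
    for i, later in enumerate(ordered):
        need = requires(later)
        if not need:
            continue  # nothing to satisfy: this alert can only start a chain
        for earlier in ordered[:i]:
            if later.t - earlier.t > window:
                continue
            matched = need & provides(earlier)
            if matched:
                uf.union(earlier.aid, later.aid)
                links.append((earlier.aid, later.aid, sorted(matched)))
    groups: dict[int, list[int]] = {}
    for a in ordered:
        groups.setdefault(uf.find(a.aid), []).append(a.aid)
    clusters = sorted(groups.values(), key=lambda g: (-len(g), g[0]))
    return clusters, links


def triage(alerts, window: float = 600.0, min_size: int = 2):
    """Split alerts into clusters worth escalating and singletons to deprioritise."""
    clusters, _ = cluster_alerts(alerts, window)
    escalate = [c for c in clusters if len(c) >= min_size]
    deferred = [c[0] for c in clusters if len(c) < min_size]
    return escalate, deferred


# Constructed sample: one multi-step intrusion against 192.168.1.10 interleaved
# with two unrelated pings (the kind of alert that is random noise on most networks).
SAMPLE_ALERTS = [
    Alert(1, 0.0,   "portscan",        "10.0.0.5",     "192.168.1.10"),
    Alert(2, 30.0,  "ftp_banner_grab", "10.0.0.5",     "192.168.1.10"),
    Alert(3, 35.0,  "icmp_echo",       "172.16.4.2",   "192.168.1.50"),
    Alert(4, 60.0,  "wu_ftpd_exploit", "10.0.0.5",     "192.168.1.10"),
    Alert(5, 120.0, "outbound_shell",  "192.168.1.10", "10.0.0.5"),
    Alert(6, 130.0, "icmp_echo",       "172.16.4.9",   "192.168.1.51"),
]

if __name__ == "__main__":
    clusters, links = cluster_alerts(SAMPLE_ALERTS)
    for c in clusters:
        print("cluster", c)
    for earlier, later, facts in links:
        print(f"  {earlier} -> {later} via {facts}")
    print("escalate / deferred:", triage(SAMPLE_ALERTS))
```

On the sample input the four intrusion steps chain into one cluster (scan provides open ports, the banner grab consumes them and provides a version, the exploit consumes the version and provides a root shell, the reverse shell consumes the root shell), while the two pings stay singletons. Two caveats matter in practice: the binding field is what stops unrelated hosts from being chained together, and a noisy signature must not be modelled as providing a capability it also requires, or the "endlessly repetitive" false positives the abstract mentions will chain with themselves into a large, spurious cluster.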
About Dr. Mark Heckman
Dr. Heckman is a Senior Research Analyst for Promia, Inc., where he develops advanced intrusion detection techniques for the Promia Intelligent Agent Security Module (IASM) - a security information analysis and management system.
Prior to joining Promia, Dr. Heckman worked as a computer security consultant for Bloomberg, L.P. and as a lecturer/researcher in the Computer Security Laboratory at U.C. Davis, conducting research in intrusion detection, intrusion tolerance, provably secure systems, and other aspects of computer security. He began his career in computer security at Gemini Computers, Inc., in Monterey, where he conducted research on secure databases as part of the SeaView project and designed components of the Gemini Multiprocessing and Multilevel Secure Operating System A1 Trusted Computing Base.
Dr. Heckman holds a Bachelor's degree in Computer Engineering from UC San Diego and Master's and Ph.D. degrees in Computer Science from UC Davis.