Statistical Decision Modeling for IDS Alert Analysis

In large-scale network, IDS can produce a large number of alerts. Nowadays there isn't an effective method to differentiate true alerts from false alerts. Confronted with this problem, we build a model for IDS alert analysis based on statistical decision. Through theoretical analysis, we find the optimal strategy: deleting alerts when FPP( False Positive Probability) exceeds some threshold, or sampling for checkup. What s more, we can work out FPP threshold and sample numbers. Theoretical analysis also finds that under some conditions the cost for alert checkup increases with FPP increasing. Together with them we construct FPP information network based on Bayes network to reduce checkup losses. Experiments demonstrate that some conclusions agree with our experience.