The invention relates to a method of managing alerts issued by intrusion detection sensors.
The security of information systems relies on the deployment of intrusion detection systems (IDS) including intrusion detection sensors that send alerts to alert management systems.
Intrusion detection sensors are the active components of an intrusion detection system. Each sensor analyzes one or more sources of data (for example network traffic or system logs) for events characteristic of intrusive activity and sends alerts to an alert management system, which centralizes the alerts from the various sensors and optionally analyzes them as a whole.
Intrusion detection sensors generate a very large number of alerts, possibly several thousand alerts a day, as a function of the configuration and the environment.
The surplus of alerts may result from a combination of several phenomena. First of all, false alerts (false positives) can represent up to 90% of the total number of alerts. Secondly, alerts are often too “granular”, i.e. each alert carries very little semantic content and describes an isolated event rather than the activity it belongs to. Finally, alerts are often repetitive and redundant, for example when the same activity is reported once per packet or by several sensors.
This surplus of alerts therefore makes it difficult for a human security operator to understand and handle them.
To facilitate analysis by a security operator, it is therefore necessary to process alerts upstream of the management system.
Existing alert management systems store the alerts in a relational database management system (RDBMS). The security operator can query the RDBMS by submitting to it a request relating to the properties of the alerts (for example a source address, a signature or a time window). The RDBMS responds by supplying to the operator every stored alert whose description matches the request.
The drawback of those systems is that such a request may return a large number of granular, often repetitive alerts to the operator, which makes analyzing them a painstaking task.
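To make the drawback concrete, the following added example (not code from the patent, nor from any product it describes) stores constructed sample alerts in an in-memory SQLite database, runs the kind of property-based request an operator would submit to the RDBMS, and contrasts it with an aggregated request that collapses repetitive alerts into one row per signature and target. The table layout, field names, sensor names and the sample alerts themselves are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample alerts (not from the page): one source host port-scans a
# target and then brute-forces SSH, seen by two sensors; plus one unrelated alert.
SAMPLE_ALERTS = [
    ("2024-01-01T10:00:00", "sensor-A", "SYN scan", "10.0.0.5", "10.0.1.7", 22),
    ("2024-01-01T10:00:01", "sensor-A", "SYN scan", "10.0.0.5", "10.0.1.7", 23),
    ("2024-01-01T10:00:02", "sensor-A", "SYN scan", "10.0.0.5", "10.0.1.7", 80),
    ("2024-01-01T10:00:03", "sensor-A", "SYN scan", "10.0.0.5", "10.0.1.7", 443),
    ("2024-01-01T10:00:03", "sensor-B", "SYN scan", "10.0.0.5", "10.0.1.7", 443),
    ("2024-01-01T10:00:10", "sensor-A", "SSH brute force", "10.0.0.5", "10.0.1.7", 22),
    ("2024-01-01T10:00:11", "sensor-A", "SSH brute force", "10.0.0.5", "10.0.1.7", 22),
    ("2024-01-01T10:05:00", "sensor-A", "SYN scan", "192.0.2.9", "10.0.1.8", 80),
]


def build_db():
    """Create an in-memory alert store in the flat one-row-per-alert layout
    that an RDBMS-backed management system would use (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alerts (ts TEXT, sensor TEXT, signature TEXT, "
        "src TEXT, dst TEXT, dport INTEGER)"
    )
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ALERTS)
    conn.commit()
    return conn


def raw_query(conn, src):
    """What the existing systems do: return every alert whose properties match
    the operator's request, one granular row per alert."""
    return conn.execute(
        "SELECT ts, sensor, signature, dst, dport FROM alerts "
        "WHERE src = ? ORDER BY ts, sensor",
        (src,),
    ).fetchall()


def aggregated_query(conn, src):
    """Collapse repetitive alerts into one row per (signature, dst) carrying
    the count, the time span and the set of sensors that reported it."""
    return conn.execute(
        "SELECT signature, dst, COUNT(*) AS n, MIN(ts), MAX(ts), "
        "GROUP_CONCAT(DISTINCT sensor) "
        "FROM alerts WHERE src = ? "
        "GROUP BY signature, dst ORDER BY n DESC, signature",
        (src,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("raw request for src=10.0.0.5:")
    for row in raw_query(db, "10.0.0.5"):
        print("  ", row)
    print("aggregated request for src=10.0.0.5:")
    for row in aggregated_query(db, "10.0.0.5"):
        print("  ", row)
```

On the sample data the raw request returns seven rows for a single source host, five of which describe the same scan of the same target; the aggregated request returns two rows, each summarizing one activity with its count and time span. The example does not use any particular alert format (the page names none); in a real deployment the grouping keys would be chosen from whatever properties the sensors actually report.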