Automated False Positive Filtering for esNetwork Alerts

26 August 2022
Guangyi Zhu
Abstract

An Intrusion Detection System (IDS) is a security tool that automatically analyzes network traffic and detects suspicious activity. IDSs are widely deployed as security assurance tools in business networks of all kinds. However, their high false-positive rate produces an overwhelming number of unnecessary alerts that security analysts must sift through. esNetwork is an IDS product from eSentire Inc. This project focuses on reducing the false-positive alerts generated by esNetwork with the help of a Random Forest (RF) classifier. The RF model was built to classify alerts as high or low likelihood and to pass only high-likelihood alerts on to the analysts. In the evaluation experiments, the model achieved an accuracy of 97% on training validation, 88% when tested on recent data, and 58% on Security Operation Centre (SOC) reviewed events. The evaluation results of the proposed model are only intermediate because of the shortage of clearly labeled data for training and of SOC-reviewed events for evaluation. The model still needs further fine-tuning before it meets the requirements for industry deployment.
