A method and a system for the classification of intrusion alerts in a computer network are provided. The method comprises the steps of monitoring traffic data in a computer network, detecting an intrusion, providing an intrusion alert together with data relating to the alert, generating a statistical analysis of that data, and classifying the intrusion alert based on said statistical analysis. The intrusion alerts and the data relating to an intrusion alert may be generated by an anomaly-based intrusion detection system. Generating the statistical analysis may comprise generating information about the statistical distribution of n-grams in the data. The classification may comprise comparing the statistical analysis with a model analysis of intrusion alerts having predefined alert classes. This model may be generated by providing a training set of data relating to alerts, generating a model statistical analysis of said data, predefining at least two alert classes, and assigning the predefined alert classes to the statistical analysis based on information provided by a signature-based intrusion detection system or by a human operator.
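The abstract describes the pipeline only at the level of claims. The following is an added illustration, not code from the patent or from its applicants, of one concrete way to realise it: the "statistical analysis" is taken to be the relative frequency of byte bigrams in an alert's payload data, the "model analysis" is the mean bigram distribution of each predefined class over a training set, and classification picks the class whose model is most similar under cosine similarity. Bigrams, centroids and cosine similarity are all assumptions of this example; the abstract fixes none of them. The training labels stand in for the class assignments that a signature-based IDS or a human operator would supply, and all payloads are constructed sample data.

```python
from collections import Counter, defaultdict
from math import sqrt

# Constructed training set: (payload bytes, class label). The labels play the
# role the abstract gives to the signature-based IDS or human operator, i.e.
# they are supplied from outside the anomaly detector. Class names are made up.
TRAINING_SET = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", "web_text"),
    (b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 27\r\n\r\n"
     b"user=alice&password=secret", "web_text"),
    (b"\x00\x00\xff\xff\x7f\x80" * 8, "binary_blob"),
    (b"\x00\xff\x00\xff\x7f\x80\x7f\x80" * 6, "binary_blob"),
]


def ngram_distribution(data: bytes, n: int = 2) -> dict:
    """Relative frequency of each byte n-gram in the alert's payload data.

    Returns an empty distribution for payloads shorter than n bytes, so that
    callers never divide by zero on degenerate alerts.
    """
    if len(data) < n:
        return {}
    counts = Counter(data[i:i + n] for i in range(len(data) - n + 1))
    total = sum(counts.values())
    return {gram: c / total for gram, c in counts.items()}


def cosine_similarity(p: dict, q: dict) -> float:
    """Cosine similarity between two sparse n-gram distributions (0.0 if either is empty)."""
    dot = sum(p[g] * q[g] for g in p.keys() & q.keys())
    norm_p = sqrt(sum(v * v for v in p.values()))
    norm_q = sqrt(sum(v * v for v in q.values()))
    if norm_p == 0.0 or norm_q == 0.0:
        return 0.0
    return dot / (norm_p * norm_q)


def build_model(training_set, n: int = 2) -> dict:
    """Per-class model: the mean n-gram distribution over that class's training payloads."""
    sums = defaultdict(lambda: defaultdict(float))
    per_class = Counter()
    for payload, label in training_set:
        per_class[label] += 1
        for gram, freq in ngram_distribution(payload, n).items():
            sums[label][gram] += freq
    return {
        label: {gram: s / per_class[label] for gram, s in dist.items()}
        for label, dist in sums.items()
    }


def classify_alert(payload: bytes, model: dict, n: int = 2):
    """Assign the predefined class whose model distribution is closest to the alert's.

    Returns (label, similarity). The similarity is exposed so an operator can put
    a minimum-confidence threshold in front of automated handling.
    """
    dist = ngram_distribution(payload, n)
    scores = {label: cosine_similarity(dist, m) for label, m in model.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


# Model analysis built once from the labelled training set.
MODEL = build_model(TRAINING_SET)


if __name__ == "__main__":
    # Two constructed anomaly alerts that were not in the training set.
    for alert_payload in (b"GET /about.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
                          b"\x00\xff\xff\x00\x7f\x80" * 7):
        label, score = classify_alert(alert_payload, MODEL)
        print(f"{label:12s} similarity={score:.3f}  payload={alert_payload[:24]!r}")
```

Because the model is only as good as the labels the signature-based IDS or operator assigned to the training alerts, a practitioner would re-run `build_model` whenever those labels are revised, and would treat a best similarity close to zero as "no matching class" rather than trusting the top-ranked label.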
Published - 7 Oct 2010