
공공누리 (KOGL): This item is licensed under the Korea Open Government License.

dc.contributor.author
최상수
dc.contributor.author
박학수
dc.date.accessioned
2019-08-28T07:41:17Z
dc.date.available
2019-08-28T07:41:17Z
dc.date.issued
2013-12-31
dc.identifier.issn
1935-0090
dc.identifier.uri
https://repository.kisti.re.kr/handle/10580/14131
dc.description.abstract
Most organizations deploy and operate intrusion detection systems (IDSs) in order to cope with cyber attacks. However, in many cases, it is very difficult not only to analyze IDS alerts in real time, but also to identify real cyber attacks with high detection accuracy, because IDSs record a tremendous number of alerts and most of them are false positives. Many approaches have been proposed to solve this issue, but they are limited in that they have focused on dealing with only IDS alerts. Therefore, in this paper, we propose a fusion framework of IDS alerts and darknet traffic, which aims at improving the effectiveness of the incident monitoring and response process. The experimental results show that the proposed framework could detect real cyber attacks that were not detected by IDSs and identify more dangerous IDS alerts related to real cyber attacks.
dc.language
eng
dc.relation.ispartofseries
Applied mathematics & information sciences : an international journal
dc.title
A Fusion Framework of IDS Alerts and Darknet Traffic for Effective Incident Monitoring and Response
dc.subject.keyword
IDS Alerts
dc.subject.keyword
Darknet Traffic
dc.subject.keyword
Fusion Framework
dc.subject.keyword
Incident Monitoring and Response
Appears in Collections:
7. KISTI Research Outcomes > Journal Articles
Files in This Item:
There are no files associated with this item.