Alert Prioritization and Strengthening: Towards an Industry Standard Priority Scoring System for IDS Analysts Using Open Source Tools and Machine Learning Models

Outlet Title

South Dakota Law Review

Intrusion detection systems ("IDSs") generate high volumes of alert messages around the clock, leaving alert response teams with a daunting task: determining which alerts warrant investigation and which do not. IDS analysts must quickly identify false positives in order to maximize the response time dedicated to concrete threats. We explore bootstrapping IDS alert prioritization with open datasets. Our method uses generically trained machine learning ("ML") models derived from modern traffic flow data to guide initial IDS configuration and deployment, followed by suggested periodic private retraining of these models. Our technique also proposes a baseline metric for analysts that ranks traffic flow data by the likelihood of a threat. We surveyed several datasets, including the CSE-CIC-IDS2018 dataset, which we used to collect baseline threat detection accuracy measurements. Some of the models tested, including decision trees and random forests, yielded less than 2% combined Type I and Type II error. We have also published selected samples from our tests online as illustrative supplements. Our method is simple to implement and uses publicly available IDS and ML tools, including various Python frameworks. We intend to give analysts hoping to augment their security workflows with ML a proven and accessible workflow, and to establish a standard for comparison.
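As a minimal sketch of the kind of workflow described above, the snippet below trains a random forest on labeled traffic-flow features and ranks alerts by the model's predicted threat probability, which can serve as a baseline priority score. The feature matrix here is synthetic stand-in data, not the CSE-CIC-IDS2018 dataset, and the specific model parameters are illustrative assumptions rather than the article's exact configuration.

```python
import numpy as np
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import train_test_split

# Synthetic stand-in for labeled traffic-flow records; a real deployment
# would use flow features extracted from IDS traffic (e.g., CSE-CIC-IDS2018).
rng = np.random.default_rng(0)
n_flows = 1000
X = rng.normal(size=(n_flows, 5))
# Label a flow "malicious" when a simple linear signal is high, so the
# classifier has something learnable in this toy example.
y = (X[:, 0] + 0.5 * X[:, 1] > 1.0).astype(int)

X_train, X_test, y_train, y_test = train_test_split(
    X, y, test_size=0.3, random_state=0, stratify=y
)

# Generically trained model; the article suggests periodically retraining
# such a model on an organization's own private traffic.
clf = RandomForestClassifier(n_estimators=100, random_state=0)
clf.fit(X_train, y_train)

# Baseline priority metric: predicted probability that a flow is a threat.
scores = clf.predict_proba(X_test)[:, 1]

# Rank alerts so analysts triage the likeliest threats first.
ranked = np.argsort(scores)[::-1]
print("top-5 alert indices:", ranked[:5])
print("test accuracy:", clf.score(X_test, y_test))
```

The ranking, rather than a hard accept/reject threshold, is the point: analysts work down the sorted list, spending investigation time on the flows the model considers most likely to be concrete threats.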