Network IDS alert classification with active learning techniques

JOURNAL OF INFORMATION SECURITY AND APPLICATIONS (2024)

Abstract
A Network Intrusion Detection System (NIDS) is a widely used security monitoring technology for detecting attacks against network services, beaconing activity of infected end user nodes, malware propagation, and other types of malicious network traffic. Unfortunately, NIDS technologies are known to generate a large number of alerts, with a significant proportion of them having low importance. During the last two decades, many machine learning and data mining based approaches have been proposed for highlighting high-importance alerts that require human attention. However, NIDS alert classification systems based on active learning have received marginal attention in the specialized research literature. This neglects the potential benefits of active learning which involves a human expert in the machine learning model life cycle. The current paper fills this research gap and studies the use of active learning techniques for NIDS alert classification.
Keywords
NIDS alert classification, Active learning, Security alert prioritization, Network security, Machine learning