Which Packet Did They Catch? Associating NIDS Alerts with Their Communication Sessions

Ryosuke Ishibashi, Hiroki Goto, Chansu Han, Tao Ban, Takeshi Takahashi, Jun’ichi Takeuchi
DOI: 10.1109/AsiaJCIS53848.2021.00012
Published in: 2021 16th Asia Joint Conference on Information Security (AsiaJCIS)
Publication date: 2021-08-01
Citations: 2

Abstract

Virtually every enterprise network has deployed network intrusion detection systems (NIDSes) for security threat detection, prevention, and response. To defend against cyberattacks of increasing diversity and intensity, there is a pressing need to implement an artificial intelligence (AI)-powered NIDS that can unify the strengths of existing solutions. In this paper, we explore the feasibility of leveraging existing security solutions to generate labeled datasets that can facilitate the development of such an advanced AI-powered NIDS. Assigning proper labels to communication sessions that NIDSes detect as suspicious is carried out in the following steps. First, from the captured packet file, we locate the communication sessions that trigger the detection rules of the deployed NIDSes. Second, for each located communication session, we investigate the causal factors in the session packets and assign it a unified alert-type label, taking into account the information presented in the multiple NIDS alerts associated with it. Finally, we output the packet data of the investigated communication sessions together with their corresponding alert-type labels, which are then taken as input by AI-powered analysis engines. We demonstrate case studies that apply the proposed method to tasks such as creating labeled NIDS datasets, evaluating the performance of different NIDSes against each other, and automating the security triage process.