Detektering av IT-attacker - Intrångsdetekteringssystem och systemadministratörens roll

Intrusion detection systems monitor computer systems in order to detect attacks performed against them. In operational installations they typically produce alarms for suspicions events, and a system administrator inspects these alarms to obtain situational awareness concerning immediate threats and ongoing attacks. An issue with contemporary intrusion detection systems is the large amount of false alarms they produce. Experiences from practical applications of intrusion detection systems point to the important role that the system administrator plays. The experience is that the administrator is needed to filter the alarm-list by correlating alarms and interpret them with the help of his/her expert judgment. This report describes an experiment performed in 2011 with the purposes to (1) investigate the detection rate of "state-of-practice" solutions, and (2) to analyze the role of the system administrator in the detection process. The experiment confirms earlier results in the field concerning a high percentage of false alarms. The experiment also shows that the percentage of false alarms can be decreased without a great impact on the detection rate if the alarm-list is filtered using expertise concerning: the attacked computer network, computer networks in general, attacks in general, and expertise concerning the existing threat environment.