EP1820170B1 - Suppression of false alarms among alarms produced in a monitored information system - Google Patents

Abstract

A method of suppressing false alarms produced in a monitored information system ( 1 ). The alarms are classified automatically by means of a false alarm suppression module ( 17 ) into two categories consisting of false alarms and true alarms depending on particular criteria based on progressive training of said module ( 17 ) based on the expertise of a human operator ( 23 ) responsible for initial manual classification of alarms.

Description

Background of the invention

A system and method for suppressing false alerts among alerts produced in a monitored information system.

The security of information systems requires the deployment of intrusion detection systems. These intrusion detection systems are located upstream of intrusion prevention systems. They detect activities that go against the security policy of an information system.

Intrusion detection systems include "SDI" intrusion detection probes that issue alerts to "SGA" alert management systems.

Indeed, intrusion detection probes are active components of the intrusion detection system that analyze one or more data sources looking for events that are characteristic of intrusive activity and issue alerts to management systems. alert. An SGA alert management system centralizes the alerts from the probes and optionally performs an analysis of all these alerts.

The SGAs consist of several "MTA" alert processing modules, responsible for processing alerts downstream of their production by SDI. MTAs themselves produce higher level alerts translating their processing on alerts.

Once processed by the SGA modules, the alerts are presented to an information system security operator in a "CPA" alert presentation console.

Among the MTAs, it is possible to distinguish the "MSFA" false-alarm suppression modules, which are responsible for identifying the alerts that are "false positive" false alerts, ie the alerts that are produced by the SDIs then no intrusive activity took place. Conversely, alerts produced as a result of an intrusive activity that has actually taken place are true "true positive" alerts.

Intrusion detection probes generate a very large number of alerts that can include several thousand alerts per day depending on configurations and the environment.

This excess of alerts is mainly related to false alerts. In general, of the thousands of alerts generated daily in an information system, 90 to 99 percent of alerts are false alerts.

The analysis of the cause of these false alarms shows that it is very often erratic behaviors of entities (for example servers) of the monitored network, but which are not relevant from the point of view of the security of the system. information. It can also be normal entity behaviors, whose activity is similar to intrusive activity, so that Intrusion Detection Probes (IDSs) emit alerts by mistake.

Since normal behaviors constitute the majority of an entity's activity, false alerts generated are recurrent and largely contribute to the overall excess of alerts.

Failure to take into account the information system security policy in the SDI configuration can also lead to false alerts. In any case, the nature (true or false positive) of an alert depends largely on the intrinsic properties of the monitored information system.

In the current LMS, the qualification of a true or false positive alert is left to the discretion of the security operator in charge of the alert analysis because he is the one who knows the properties of his information system. As the number of alerts generated is large, the time spent by the operator on each alert is reduced.

There are probabilistic techniques for handling alerts from intrusion detection probes to detect false alarms. These techniques are based on prior knowledge of the properties of the attacks that are referenced in the alerts, as well as on the properties of the monitored information system.

Object and summary of the invention

The object of the invention is to remedy these drawbacks, and to provide a simple method of eliminating false alerts which does not require prior knowledge and which allows a real, easy and quick diagnosis of these alerts.

• une phase d'apprentissage initial dans laquelle ledit module de suppression de fausses alertes procède à un enregistrement de diagnostics de l'opérateur humain concernant un nombre déterminé d'alertes initiales et comprenant pour une alerte initiale donnée, une extraction de l'ensemble de mots composant ladite alerte initiale donnée, et une association à chaque mot dudit ensemble de mots, d'un compteur désignant le nombre cumulé d'occurrences dudit mot dans l'une des deux catégories, et
• une phase de validation dans laquelle ledit module de suppression de fausses alertes procède à la classification de nouvelles alertes en fonction dudit enregistrement de diagnostics et d'une supervision de l'opérateur humain qui confirme ou corrige les classifications de nouvelles alertes.

These goals are achieved by a method of removing false alerts from the alerts produced in a monitored information system, in which the alerts are automatically classified by means of a false alarm suppression module according to two categories consisting of fake and real alerts according to determined criteria based on a progressive learning of said module from the expertise of a human operator in charge of an initial manual classification of alerts, said progressive learning comprising the following phases:

• an initial learning phase in which said false alarm suppression module carries out a diagnostic record of the human operator concerning a determined number of initial alerts and comprising for a given initial alert, an extraction of the set of words composing said given initial alert, and an association with each word of said set of words, of a counter designating the cumulative number of occurrences of said word in one of the two categories, and
• a validation phase wherein said false alarm removal module proceeds to classify new alerts based on said diagnostic record and human operator supervision that confirms or corrects the classifications of new alerts.

Thus, the method according to the invention facilitates the work of the security operator by allowing the MSFA to gradually learn the work of the latter to offer him at the end of this learning, automatic diagnostics on the nature of the alerts without any knowledge prior. The progressive and supervised learning of the MSFA makes it possible to take optimal account of the modifications that can be made by the security operator while at the same time making it possible to measure in a simple manner the frequency of appearance of the words in the categories of false and true alerts.

These determined criteria include a comparison of the probabilities of belonging to the alerts to one or the other of the two categories.

Thus, a probabilistic comparison technique guarantees efficient and measurable learning.

Advantageously, in the validation phase, the confirmations or corrections of the classifications of new alerts made by the human operator are used by the false alarm suppression module to minimize a correction rate allowing it to increase the reliability of any subsequent classification. new alerts.

Thus, the correction rate makes it possible to quantify the reliability of the classification of the alerts and consequently to improve any subsequent classification of new alerts.

According to another particularity of the invention, the method comprises an operational phase in which the classification of the new alerts is carried out autonomously if the rate of correction of the classification of the new alerts of the validation phase becomes less than a certain threshold number.

Thus, the correction rate provides reliable filtering for the transition to an autonomous classification phase of the new alerts.

According to yet another particularity of the invention, in the operational phase, the false alarms can be deleted or stored in a storage means and only the real alerts are sent to an alarm presentation console (CPA).

Thus, the volume of alerts to be presented to the human operator in charge of security is greatly reduced.

• extraction de l'ensemble de mots composant ladite nouvelle alerte donnée,
• comparaison des probabilités d'appartenance de la nouvelle alerte donnée à l'une et à l'autre desdites catégories,
• classement de la nouvelle alerte donnée dans l'une des deux catégories selon le résultat de la comparaison de l'étape précédente,
• incrémentation des compteurs selon la catégorie de la nouvelle alerte donnée, et
• transmission de la nouvelle alerte donnée ainsi classée à la console de présentation des alertes.

The classification of the alerts during the validation phase and the operational phase includes, for a new alert given, the following steps:

• extracting the set of words composing said new alert given,
• comparison of the probabilities of belonging to the new alert given to one and the other of these categories,
• classification of the new alert given in one of the two categories according to the result of the comparison of the previous step,
• incrementation of the counters according to the category of the new alert given, and
• transmission of the new alert thus classified to the alert presentation console.

Thus, by using the set of words constituting the alerts and their associated counters according to the steps above, the alerts can be classified with a continuously increasing reliability.

• calculer pour chaque mot de l'ensemble de mots de ladite nouvelle alerte, la probabilité que chaque mot soit présent dans des alertes appartenant à l'une ou à l'autre des catégories en déterminant le rapport entre le compteur désignant le nombre cumulé d'occurrences de chaque mot dans des alertes de l'une ou l'autre des catégories et le nombre total d'occurrences de mots dans l'une ou l'autre des catégories respectivement,
• calculer la probabilité de chaque catégorie en déterminant le rapport entre le nombre total d'occurrences de mots dans des alertes de chaque catégorie et le nombre total de mots,
• calculer le produit, sur l'ensemble des mots composant l'alerte, des probabilités que chaque mot respectif de l'alerte soit présent dans des alertes appartenant à chaque catégorie multiplié par la probabilité de chaque catégorie, et
• comparer le résultat de l'étape précédente selon les deux catégories.

The comparison of the probabilities of membership of the new alert given to one and the other of these categories comprises the following steps:

• calculate for each word of the set of words of said new alert, the probability that each word is present in alerts belonging to one or other of the categories by determining the ratio between the counter designating the cumulative number of occurrences of each word in alerts in either category and the total number of occurrences of words in either category respectively,
• calculate the probability of each category by determining the ratio between the total number of occurrences of words in alerts of each category and the total number of words,
• calculate the product, on all the words making up the alert, of the probabilities that each respective word of the alert is present in alerts belonging to each category multiplied by the probability of each category, and
• compare the result of the previous step according to the two categories.

Thus, the steps above take advantage of the counters to compare the probabilities of belonging of a given alert to one and the other of the categories with an optimal number of calculation steps, thus minimizing the time of calculation.

• correction de la catégorie d'une nouvelle alerte précédemment classée par ledit module, s'il reçoit une notification de l'opérateur humain indiquant que ledit précédent classement de ladite nouvelle alerte est faux,
• décrémentation des compteurs désignant les nombres cumulés d'occurrences de mots dans la catégorie faussement classée,
• incrémentation des compteurs désignant les nombres cumulés d'occurrences de mots dans la catégorie corrigée.

Advantageously, the correction by the false alarm suppression module of the classification of new alerts during the validation phase comprises the following steps:

• correction of the category of a new alert previously classified by said module, if it receives a notification from the human operator indicating that said previous classification of said new alert is false,
• decrementation of counters denoting cumulative numbers of occurrences of words in the misclassified category,
• incrementation of the counters designating the cumulative numbers of occurrences of words in the corrected category.

Thus, the setting of the meters is an efficient and fast way to improve the learning of the MSFA.

• des moyens de traitement de données permettant de classer automatiquement les alertes suivant deux catégories constituées de fausses et vraies alertes selon des critères déterminés basés sur un apprentissage progressif à partir de l'expertise d'un opérateur humain en charge d'un classement initial manuel des alertes, et
• des moyens mémoires permettant d'enregistrer, lors d'une phase d'apprentissage initial de l'apprentissage progressif, des diagnostics de l'opérateur humain concernant un nombre déterminé d'alertes initiales en permettant pour une alerte initiale donnée d'extraire l'ensemble de mots composant ladite alerte initiale donnée et en associant à chaque mot dudit ensemble de mots, un compteur désignant le nombre cumulé d'occurrences dudit mot dans l'une des deux catégories,

les moyens de traitement de données permettant en outre de procéder à la classification de nouvelles alertes en fonction dudit enregistrement de diagnostics et d'une supervision de l'opérateur humain qui confirme ou corrige les classifications de nouvelles alertes.The invention also provides a false alarm suppression module comprising:

• data processing means for automatically classifying the alerts according to two categories consisting of false and true alerts according to determined criteria based on a progressive learning from the expertise of a human operator in charge of an initial manual classification of alerts, and
• memory means for recording, during an initial learning phase of the progressive learning, diagnostics of the human operator concerning a given number of initial alerts by allowing for a given initial alert to extract the set of words composing said given initial alert and associating with each word of said set of words, a counter designating the cumulative number of occurrences of said word in one of the two categories,

the data processing means further making it possible to classify new alerts according to said diagnostic record and a human operator's supervision which confirms or corrects the classifications of new alerts.

Advantageously, during an operational phase, the data processing means are also intended to autonomously classify new alerts if a correction rate of the classification of the new alerts of the validation phase becomes less than a determined threshold number. .

Preferably, the module further comprises a storage means for storing, during the operational phase, the false alarms so that only the real alerts are sent to an alert presentation console.

The invention is also directed to a monitored information system comprising an internal network to be monitored, intrusion detection probes, an alert management system, an alert presentation console, and a false alarm suppression module. according to the characteristics above.

Brief description of the drawings

• la figure 1 est une vue très schématique d'un système d'informations surveillé comportant un module de suppression de fausses alertes selon l'invention ; et
• la figure 2 est un organigramme très schématique illustrant les étapes d'un procédé de suppression de fausses alertes parmi les alertes produites dans un système de sécurité d'informations, selon l'invention.

Other features and advantages of the invention will appear on reading the description given below, by way of indication but not limitation, with reference to the accompanying drawings, in which:

• the figure 1 is a very schematic view of a monitored information system comprising a false alarm suppression module according to the invention; and
• the figure 2 is a very schematic flowchart illustrating the steps of a method for suppressing false alerts among alerts produced in an information security system, according to the invention.

Detailed description of embodiments

The figure 1 illustrates a very schematic example of a network or a monitored information system 1 comprising an information security system 3, a "CPA" warning presentation console 5 and an internal network 7 to be monitored comprising a set entities, for example work stations 7a, 7b, 7c, 7d servers, web 7e etc.

The information security system 3 comprises a set 11 of "SDI" intrusion detection probes 11a, 11b and 11c for issuing alerts when attacks are detected, and an "SGA" warning management system. for analyzing alerts issued by probes 11a, 11b and 11c and including "MTA" alert processing modules 15a, 15b.

In addition, according to the invention, the information security system 3 includes an "MSFA" false alarm suppression module 17 connected to the intrusion detection probes 11a, 11b and 11c, to the alert management system. 15, and the alert presentation console 5, via a routing router 19.

Indeed, the router 19 is connected to the MSFA 17 via links 18a and 18b, to the intrusion detection probes 11a, 11b and 11c via links 13a, 13b and 13c, to the SGA 15 via links 16a and 16b, and at CPA 5 via a link 6.

The false alarm suppression module 17 comprises data processing means 21 making it possible to automatically classify (ie mark) the alerts according to two categories consisting of false and true alerts according to determined criteria based on progressive learning. from the MSFA 17 from the expertise of a human operator 23 in charge of an initial manual classification of alerts. These determined criteria include a comparison of the probabilities of belonging to the alerts to one or the other of the two categories. Thus, a computer program designed to implement a method for suppressing false alerts according to the present invention can be executed by the processing means 21 of the MSFA 17.

The MSFA 17 according to the invention is adaptive in that it progressively integrates the expertise of the human operator 23 in charge of the initial manual qualification of the false alerts and presents three successive phases of operation (see also figure 2 ).

The first phase P1 is an initial learning phase in which the MSFA 17 does not mark the alerts, it merely records the diagnoses of the human operator 23. Indeed, the MSFA 17 comprises memory means 25 allowing the processing means 21 to record diagnoses of the human operator 23 relating to a determined number of initial alerts.

The second phase P2 is a validation phase in which the data processing means 21 of the MSFA 17 proceed to the classification of new alerts as a function of the diagnostic record and a supervision of the human operator 23 which confirms or Corrects the classifications of new alerts. Indeed, when the number of alerts having passed through the MSFA 17 has reached a sufficient number, for example greater than a threshold set by the human operator 23, the MSFA 17 begins to mark the alerts, which are presented to him through the link 18a.

Advantageously, in the validation phase, the confirmations or corrections of the classifications of new alerts made by the human operator 23 are used by the false alarm suppression module 17 to minimize a correction rate enabling it to increase the reliability of any subsequent classification of new alerts.

Thus, the first and second phases of initial learning and validation form a progressive learning of the MSFA 17.

Moreover, the third phase P3 is an operational phase in which the classification of the new alerts is carried out autonomously by the processing means 21 of the MSFA 17 if the correction rate of the classification of the new alerts of the validation phase becomes lower. to a certain threshold number. Thus, the MSFA 17 marks the alerts and sends only the real alerts to the presentation console CPA 5 alerts. The false alerts are either directly deleted or stored in the memory means 25 or preferably in a storage means 27 attached via a link 26. The choice between deleting or storing false alerts can be determined by the human operator 23.

Thus, the MSFA 17 is intended to process the alerts coming directly from the SDIs 11a, 11b, 11c via the links 13a, 13b, 13c and 18a or possibly other MTAs 15a, 15b via links 16b and 18a. Each alert generated by an SDI 11a, 11b, 11c or an MTA 15a, 15b is submitted to the MSFA 17 for analysis. The MSFA 17 marks the alerts that it deems to be false alerts and submits them (links 18b, 16a) to the SGA 15. The alert with its marking is then sent (links 16b, 6) to the CPA 5 to be there. consulted by the human security operator.

It will be noted that during the second and third phases, the human operator 23 can still intervene, for example via a direct link 8 with the MSFA 17 to revise the diagnostics of the latter. Indeed, in the event of error of qualification of an alert by the MSFA 17, the human operator 23 has the possibility of correcting the diagnosis of the MSFA 17 a posteriori via the CPA 5. This correction is transmitted (link 8) to the MSFA 17, which thus revises its subsequent diagnoses taking into account the correction made by the human operator 23.

Thus, the learning of the MSFA 17 is supervised by the human security operator 23 who teaches the latter to classify the alerts. In addition, this learning is progressive because at the beginning, the MSFA 17 makes marking errors and as the human security operator 23 confirms or invalidates the markings, the diagnosis of the MSFA 17 becomes more reliable. Finally, when the filtering of the MSFA 17 is sufficiently reliable, that is to say that its classification error rate is tolerable, the alerts identified as false alerts (false positives) can be either directly deleted or stored in the storage means 27 appendix so that only the real alerts (true positives) are presented to the human operator 23. The work of the human operator 23 is thus facilitated because the volume of alerts presented to him is very reduced.

Thus, the criterion for deciding whether an alert is a true or a false positive is based on a comparison of the probabilities of membership of the alerts to one and the other of the two categories.

In general, an "alert" has (or simply alert a) can be defined as a set of n words m _{i ∈ {1, ···. n }} , where n is an integer that can vary from one alert to another: a = ( m ₁ , ..., m _n ).

The words of an alert refer, for example, to the nature of an attack against the information system 1, the identity of the victims, the alleged identity of the attackers, the type of fault exploited, and the date.

According to the invention, since a warning has the problem to solve Q is whether the probability that the alert has either a false positive is greater than the probability that the alert is a true positive. If this is the case, then the alert a is marked as "false positive" otherwise the alert a is unchanged (that is, considered as "true positive").

P denotes (vp | m _1, ..., m _n) the probability that an alert containing the words m _1, ..., m _n is a true positive vp and P (fp | m _1. .., m _n) the probability that an alert containing the words m _1, ..., m _n is a false positive fp.

Cependant, d'après la définition des probabilités conditionnelles : $$P\left(\mathit{fp}\right|m_1,\dots ,m_n)=\frac{P\left(\mathit{fp},m_1\dots ,m_n\right)}{\mathit{P}\left(m_1,\dots ,m_n\right)}\mathrm{et}\mathit{P}\left(\mathit{vp}|m_1,\dots ,m_n\right)=\frac{P\left(\mathit{vp},m_1\dots ,m_n\right)}{\mathit{P}\left(m_1,\dots ,m_n\right)}\mathrm{.}$$

The Q problem is therefore to determine whether $$P(\mathit{fp},m_1,...,m_{\mathrm{not}})\le \mathit{P}\left(\mathit{vp}|m_1,...,m_{\mathrm{not}}\right)$$

However, according to the definition of conditional probabilities: $$P\left(\mathit{fp}\right|m_1,...,m_{\mathrm{not}})=\frac{P\left(\mathit{fp},m_1...,m_{\mathrm{not}}\right)}{\mathit{P}\left(m_1,...,m_{\mathrm{not}}\right)}\mathrm{and}\mathit{P}\left(\mathit{vp}|m_1,...,m_{\mathrm{not}}\right)=\frac{P\left(\mathit{vp},m_1...,m_{\mathrm{not}}\right)}{\mathit{P}\left(m_1,...,m_{\mathrm{not}}\right)}\mathrm{.}$$

En outre, étant donné que P(fp|m ₁,...,m_n )=P(m ₁,...,m_n |fp).P(fp) et P(vp|m ₁,...,m_n )=P(m ₁,...,m_n |vp).P(vp) et en faisant l'hypothèse que les variables m_i sont conditionnellement indépendantes entre elles, il s'ensuit : $$P(\mathit{fp},m_1,\dots ,m_n)=P\left(m_1|\mathit{fp}\right)\dots \mathrm{P}\left({\mathrm{m}}_{\mathrm{n}}|\mathit{fp}\right)\mathrm{.}\mathrm{P}\left(\mathrm{fp}\right)$$

et $$P(\mathit{vp},m_1,\dots ,m_n)=P\left(m_1|\mathit{vp}\right)\dots \mathrm{P}\left({\mathrm{m}}_{\mathrm{n}}|\mathit{vp}\right)\mathrm{.}\mathrm{P}\left(\mathrm{vp}\right)\mathrm{.}$$

Therefore, the problem Q is reduced to determining if $$P(\mathit{fp},m_1,...,m_{\mathrm{not}})\le \mathit{P}\left(\mathit{vp},,m_1,...,m_{\mathrm{not}}\right)\mathrm{.}$$

Furthermore, since P ( fp | m ₁ , ..., m _n ) = P ( m ₁ , ..., m _n | fp ) .P (fp) and P ( vp | m ₁ , ..., m _n ) = P ( m ₁ , ..., m _n | vp ) .P (vp) and assuming that the variables m _i are conditionally independent of each other it follows: $$P(\mathit{fp},m_1,...,m_{\mathrm{not}})=P\left(m_1|\mathit{fp}\right)...\mathrm{P}\left({\mathrm{m}}_{\mathrm{not}}|\mathit{fp}\right)\mathrm{.}\mathrm{P}\left(\mathrm{fp}\right)$$

and $$P(\mathit{vp},m_1,...,m_{\mathrm{not}})=P\left(m_1|\mathit{vp}\right)...\mathrm{P}\left({\mathrm{m}}_{\mathrm{not}}|\mathit{vp}\right)\mathrm{.}\mathrm{P}\left(\mathrm{vp}\right)\mathrm{.}$$

The values P ( m _i | C ) represent the probability that a word m _i is present in an alert that belongs to the class or category C ∈ { vp, fp }.

During the learning of the MSFA 17, the processing means 21 build counters H _C which indicate the frequency of the different words in the two categories C ∈ { vp, fp }. Indeed, the MSFA 17 builds a first hash table H _fp which associates with each word m _i the value H _fp ( m _i ) which designates the cumulative number of occurrences of the word m _i in alerts which are false positives, as well as a second hash table H _vp which associates with each word m _i the value H _vp ( m _i ) which designates the cumulative number of occurrences of the word m _i in alerts which are true positives. In the following, the word notation ( H _C ) designates the definition domain of the hash table H _C , that is to say the set of words corresponding to the category C ∈ { vp, fp }.

Therefore, the total number of occurrences of words in true positives is given by the following formula: $${\mathrm{NOT}}_{\mathit{vp}}={\displaystyle \underset{m_i\in \mathit{words}\left(H_{\mathit{vp}}\right)}{\Sigma }}{H}_{\mathit{vp}}\left(m_i\right)\mathrm{.}$$

Similarly, the total number of occurrences of words in false positives is given by the following formula: $${\mathrm{NOT}}_{\mathit{fp}}={\displaystyle \underset{m_i\in \mathit{words}\left(H_{\mathit{fp}}\right)}{\Sigma }}{H}_{\mathit{fp}}\left(m_i\right)$$

En outre, la probabilité d'une classe C est donnée par la formule suivante : $$P\left(C\right)=\frac{N_C}{{\mathit{N}}_{\mathit{vp}}\mathit{+}{\mathit{N}}_{\mathit{fp}}}$$

Par conséquent, les deux dernières formules permettent de calculer les probabilités P(fp,m ₁,...,m_n ) et P(vp,m ₁,...,m_n ) et ainsi de résoudre le problème Q ci-dessus.Moreover, the probability that a word m _i is present in an alert that belongs to the class C ∈ { vp, fp } is given by the following formula: $$P\left(m_i|\mathrm{VS}\right)=\frac{H_{\mathrm{VS}}\left(m_i\right)}{{\mathrm{NOT}}_{\mathrm{VS}}}$$

In addition, the probability of a class C is given by the following formula: $$P\left(\mathrm{VS}\right)=\frac{{\mathrm{NOT}}_{\mathrm{VS}}}{{\mathit{NOT}}_{\mathit{vp}}\mathit{+}{\mathit{NOT}}_{\mathit{fp}}}$$

Therefore, the last two formulas make it possible to calculate the probabilities P ( fp, m ₁ , ..., m _n ) and P ( vp, m ₁ , ..., m _n ) and thus to solve the problem Q ci- above.

The figure 2 is a very schematic flowchart illustrating the steps of the false alarm removal method among the alerts produced in an information security system 3.

Steps E1 to E3 describe the recording in the memory means 25 of the MSFA 17 of the diagnoses of the human operator 23 during the initial learning phase P1.

In step E1, the MSFA 17 receives an initial alert given to '.

In step E2, the MSFA 17 proceeds to extract the set of words m ' _i composing this initial alert given: a ' = ( m ' ₁ , ..., m ' _n ).

In step E3, the MSFA 17 associates with each word m ' _i of the set of words { m ' ₁ , ..., m ' _n }, a counter H _C (m' _i ) designating the cumulative number of occurrences of the word m ' _i in one of two categories C ∈ { vp, fp }.

Step E4 is a test intended to verify whether the number of alerts that have passed through the MSFA 17 has reached a sufficient number. Thus, when the number of alerts is less than a threshold number set for example by the human operator 23, it loops back to step E1.

On the other hand, if the number of alerts is not less than the threshold number, then we go to the steps E5 to E14 describing the classification of the alerts, by the MSFA 17 during the validation phase P2.

It will be noted that in the initial learning phase P1, no marking is performed by the MSFA 17.

Step E5 indicates the receipt by the MSFA 17 of a new alert given a .

In step E6, the MSFA 17 proceeds to extract the set of words m _i composing this new alert given a = ( m ₁ , ..., m _n ).

Cette comparaison peut comporter les sous étapes E71 à E74 suivantes :In step E7, the membership probabilities of the given new alarm had to one and the other categories are compared: $$P\left(\mathit{fp}\right|m_1,...,m_{\mathrm{not}})\le \mathit{P}\left(\mathit{vp}|m_1,...,m_{\mathrm{not}}\right)\mathrm{.}$$

This comparison may comprise the following substeps E71 to E74:

In step E71, the MSFA 17 calculates for each word m _i of the set of words { m ₁ , ..., m _n } of the new alert a , the probability that each word m _i is present in alerts. belonging to one or other of the categories C ( C ∈ { vp, fp }) by determining the ratio between the counter H _C ( m _¡ ) designating the cumulative number of occurrences of each word m _i in alerts of one or the other of the categories C and the total number N _C of occurrences of words in one or the other of the categories respectively, that is to say $P\left(m_i|\mathrm{VS}\right)=\frac{H_{\mathrm{VS}}\left(m_i\right)}{{\mathrm{NOT}}_{\mathrm{VS}}}\mathrm{.}$

In step E72, the MSFA 17 calculates the probability of each category by determining the ratio between the total number N _C of occurrences of words in alerts of each category C and the total number of words N _vp + N _fp , c that is to say, $P\left(\mathrm{VS}\right)=\frac{{\mathrm{NOT}}_{\mathrm{VS}}}{{\mathit{NOT}}_{\mathit{vp}}\mathit{+}{\mathit{NOT}}_{\mathit{fp}}}\mathrm{.}$

In step E73, the MSFA 17 calculates the product, on the set of words { m ₁ , ..., m _n } composing the new alert given a , probabilities P ( m _i | C ) that each respective word this alert is present in alerts belonging to each category multiplied by the probability of each category P ( C ), that is to say $\left({\displaystyle \underset{i}{\Pi }}P\left(m_i|\mathrm{VS}\right)\right)\mathrm{.}P\left(\mathrm{VS}\right)\mathrm{.}$

In step E74, the MSFA 17 compares the result of the preceding step according to the two categories, that is to say: $$\left({\displaystyle \underset{i}{\Pi }}P\left(m_i|\mathit{fp}\right)\right)\mathrm{.}P\left(\mathit{fp}\right)\le \left({\displaystyle \underset{i}{\Pi }}P\left(m_i|\mathrm{vp}\right)\right)\mathrm{.}\mathrm{P}\left(\mathrm{vp}\right)\mathrm{.}$$

In step E8, the new alert a is classified by the MSFA 17 in one of two categories according to the result of the comparison of the previous step E7.

In step E9, the MSFA 17 increments the counters H _C ( m _i ) according to the category C ∈ { vp , fp } of the new alert given.

Next, at step E10, the false alarm suppression module 17 transmits the given new alert thus categorized (marked) presentation console alerts CPA 5.

Optionally, the human operator 23 interacts with the MSFA 17 via the CPA 5 to correct an erroneous diagnosis made by the MSFA 17.

Indeed, in step E11, if the MSFA 17 receives a notification from the human operator 23 indicating that the previous classification C of the new alert a is false, then the MSFA 17 proceeds to the correction of the diagnosis according to the steps E12 at E14, otherwise go directly to step E15.

In step E12, the MSFA 17 corrects the category of the new alert a according to the notification of the human operator 23. In other words, the MSFA 17 brand new alert by ranking VS contrary to the previous classification C.

In step E13, the MSFA 17 decrements the counters H _C ( m _i ) designating the cumulative numbers of occurrences of words in the category C falsely classified.

In step E14, the MSFA 17 increments the counters H _VS ( m _i ) designating the cumulative number of occurrences of words in the corrected category VS .

Step E15 is a test to check whether the misclassification rate is tolerable.

Indeed, as long as the correction rate of the classification of the new alerts of the validation phase P2 is not less than a determined threshold number, it loops back to the step E5.

Otherwise, we go to the steps E16 to E22 describing the classification of the alerts, by the MSFA 17 during the operational phase P3. The steps E16 to E21 are similar to the steps E5 to E10 of the validation phase P2.

Indeed, upon receipt of another new alert a in step E16, the MSFA 17 proceeds to extract in step E17, the set of words m _i component this new alert a = ( m ₁ , .. ., m _n ). Step E18 is a comparison of the probabilities of belonging to this new alert to one and the other of the categories. Step E19 is the classification of the new alert. Step E20 consists of incrementing the counters according to the classification category of the new alert. In step E21, the MSFA 17 transmits the new alert thus classified to the CPA 5.

Finally, in step E22 the false alarms are stored in the storage means 27. As an alternative to the step E22 the false alarms can be deleted.

Thus, the MSFA 17 according to the invention, evaluates the probability that an alert is a false positive depending on the words that compose it. The MSFA 17 marks the alerts which it judges to be false positives and transmits the alert with its marking to the human security operator 23. The latter has the possibility of modifying the diagnosis made by the MSFA 17 if it is erroneous via the presentation console CPA 5 alerts. In the latter case, the modification is taken into account by the MSFA 17 to revise its subsequent diagnoses. .

In this way, the reliability of the MSFA 17 in the processing of alerts is increasing as the human operator 23 corrects his diagnoses.

Claims (12)

1. Method for suppressing false alerts among the alerts produced in a monitored information system (1), Characterized in that the alerts are categorized automatically, by means of a module (17) for suppressing false alerts, into two categories formed of false and true alerts according to determined criteria based on progressive training of the said module (17) through the expertise of a human operator (23) responsible for an initial manual categorization of alerts, the said progressive training including the following phases:

   - an initial training phase (P1) in which the said module (17) for suppressing false alerts records diagnostics of the human operator (23) relating to a determined number of initial alerts and comprising, for a given initial alert, an extraction of the set of words forming the said given initial alert, and an association with each word of the said set of words, of a counter indicating the cumulative number of occurrences of the said word in one of the two categories, and

   - a validation phase (P2) in which the said module (17) for suppressing false alerts categorizes new alerts according to the said diagnostics recording and according to a supervision action by the human operator (23) who confirms or corrects the categorizations of new alerts.
2. Method according to Claim 1, characterized in that the said determined criteria include a comparison of probabilities that the alerts belong to one and to the other of the said two categories.
3. Method according to Claim 1, characterized in that, in the validation phase (P2), the said confirmations or corrections of categorizations of new alerts introduced by the human operator (23) are used by the module (17) for suppressing false alerts to minimize a correction rate, enabling it to improve the reliability of any further categorization of new alerts.
4. Method according to Claim 3, characterized in that it includes an operational phase (P3) in which new alerts are categorized autonomously if the correction rate of the categorization of new alerts in the validation phase (P2) becomes less than a determined threshold number.
5. Method according to Claim 4, characterized in that, in the operational phase (P3), the false alerts are suppressed or stored in a storage means (27) and only the true alerts are sent to an alert presentation console (5).
6. Method according to any one of Claims 1 to 5, characterized in that the categorization of alerts during the validation phase (P2) and the operational phase (P3) includes, for a given new alert, the following steps:

   - extracting the set of words forming the said given new alert,

   - comparing probabilities that the given new alert belongs to one and to the other of the said categories,

   - categorizing the given new alert in one of the two categories according to the result of the comparison in the previous step,

   - incrementing counters according to the category of the given new alert, and

   - transmitting the given new alert thus categorized to the alert presentation console (5).
7. Method according to Claim 6, characterized in that the comparison of probabilities that the given new alert belongs to one and to the other of the said categories includes the following steps:

   - calculating for each word of the set of words of the said new alert the probability that each word is present in alerts belonging to one or to the other of the categories by determining the ratio between the counter indicating the cumulative number of occurrences of each word in alerts of one or the other of the categories and the total number of occurrences of words in one or the other of the categories respectively,

   - calculating the probability of each category by determining the ratio between the total number of occurrences of words in alerts of each category and the total number of words,

   - calculating the product, on the set of words forming the alert, of the probabilities that each respective word of the alert is present in alerts belonging to each category multiplied by the probability of each category, and

   - comparing the result of the previous step according to the two categories.
8. Method according to any one of Claims 1 to 7, characterized in that the correction, by the said module (17) for suppressing false alerts, of the categorization of new alerts during the validation phase (P2) includes the following steps:

   - correcting the category of a new alert previously categorized by the said module (17) if it receives a notification from the human operator (23) indicating that the said previous categorization of the said new alert is false,

   - decrementing counters indicating the cumulative numbers of occurrences of words in the falsely categorized category,

   - incrementing counters indicating the cumulative numbers of occurrences of words in the corrected category.
9. Module for suppressing false alerts, characterized in that it includes:

   - data processing means (21) for automatically categorizing the alerts into two categories formed of false and true alerts according to determined criteria based on progressive training through the expertise of a human operator (23) responsible for an initial manual categorization of alerts, and

   - memory means (25) for recording, during an initial training phase of the progressive training, diagnostics of the human operator (23) relating to a determined number of initial alerts, enabling for a given initial alert the extraction of the set of words forming the said given initial alert and associating with each word of the said set of words a counter indicating the cumulative number of occurrences of the said word in one of the two categories,

   the data processing means (21) additionally providing for categorizing new alerts according to the said diagnostics recording and according to a supervision action by the human operator (23) who confirms or corrects the categorizations of new alerts.
10. Module according to Claim 9, characterized in that, during an operational phase (P3), the data processing means (21) are additionally intended to autonomously categorize new alerts if a correction rate of the categorization of new alerts in the validation phase (P2) becomes less than a determined threshold number.
11. Module according to Claim 10, characterized in that it additionally includes a storage means (27) for storing, during the operational phase, the false alerts such that only the true alerts are sent to an alert presentation console (5).
12. Monitored information system including an internal network to be monitored (7), intrusion detection probes (11a, 11b, 11c), an alert management system (15) and an alert presentation console (5), characterized in that it additionally includes a module (17) for suppressing false alerts according to any one of Claims 9 to 11.

Images