Adaptability of a real-time architecture for filtering alerts generated by network intrusion detection systems (original title: "Evolutivité d'une architecture en temps réel de filtrage d'alertes générées par les systèmes de détection d'intrusions sur les réseaux").
It is a well-known problem that network intrusion detection systems (NIDS) overload their human operators by raising thousands of alarms per day. This overload stems from the absence of a mechanism that preprocesses and filters the massive volume of alerts an IDS produces. In our earlier work, we proposed an architecture for filtering the alarms generated by a NIDS. It combines unsupervised classification methods such as self-organizing maps (SOM) with probabilistic graphical models such as Bayesian networks, the latter used here in a supervised classification framework. However, operating this architecture in real time raises several challenges for its behaviour. In this work, we identify three problems to be solved: first, the evolution of the monitored platform (integration of new machines or network equipment); second, the appearance of new attacks; and third, the evolution of user behaviour types. To address these problems, and especially the last one, we use the distance-rejection concept together with statistical hypothesis tests. We then propose four statistical indicators as inputs to a decision function that triggers re-learning of the entire system. Finally, the validity of these indicators is tested in experiments on real logs extracted from a NIDS that monitors the network of the "Rectorat de Rouen".
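The abstract names the two mechanisms it relies on, distance rejection and a statistical hypothesis test on the resulting indicator, without showing how they fit together. The following is an added illustration, not code from the thesis: it uses three fixed 2-D prototypes standing in for the winning neurons of a trained SOM, a threshold at the 99th percentile of nearest-prototype distance over a constructed training set, and an exact one-sided binomial test comparing the rejection rate observed in an operational window against the nominal training rate (1 minus the quantile). All of these choices, the feature space, and the sample alert windows are assumptions made for the example; the thesis's four indicators are not given in the abstract, and only one (the rejection rate) is modelled here.

```python
"""Distance rejection over SOM-style prototypes, and a binomial test on the
rejection rate as one input to a re-learning decision.

Added example: prototypes, feature space, threshold rule and test are
assumptions for illustration, not the thesis's own indicators."""
import math

# Constructed prototypes standing in for the winning neurons of a trained
# SOM, in a 2-feature space (e.g. normalised alert rate, normalised number
# of distinct destination ports). Fixed here rather than learned.
PROTOTYPES = [(0.0, 0.0), (1.0, 1.0), (0.0, 1.0)]


def nearest_distance(x, prototypes=PROTOTYPES):
    """Euclidean distance from an alert's feature vector to its closest prototype."""
    return min(math.dist(x, p) for p in prototypes)


def ring(center, radius, k, n=20):
    """k-th of n points evenly spaced on a circle around center (constructed data)."""
    angle = 2 * math.pi * k / n
    return (center[0] + radius * math.cos(angle), center[1] + radius * math.sin(angle))


def training_set():
    """Constructed training alerts: 20 points around each prototype at radii
    0.020 .. 0.096, i.e. all well inside their own cluster."""
    return [ring(p, 0.020 + 0.004 * k, k) for p in PROTOTYPES for k in range(20)]


def rejection_threshold(train, quantile=0.99):
    """Distance-rejection threshold: the `quantile` of nearest-prototype
    distance over the training set (assumed rule for this example)."""
    d = sorted(nearest_distance(x) for x in train)
    return d[int(quantile * (len(d) - 1))]


def is_rejected(x, threshold):
    """Distance rejection: the alert is too far from every known class
    to be assigned to one of them."""
    return nearest_distance(x) > threshold


def binomial_tail(k, n, p0):
    """Exact one-sided p-value P(X >= k) for X ~ Binomial(n, p0)."""
    return sum(math.comb(n, i) * p0 ** i * (1 - p0) ** (n - i)
               for i in range(k, n + 1))


def relearn_decision(window, threshold, p0=0.01, alpha=0.01):
    """H0: the operational rejection rate equals the nominal training rate p0.
    Rejecting H0 (rate significantly higher) is the signal to re-learn.
    p0 = 1 - quantile of the threshold rule is an assumption of this example."""
    k = sum(is_rejected(x, threshold) for x in window)
    p_value = binomial_tail(k, len(window), p0)
    return {"rejections": k, "n": len(window), "p_value": p_value,
            "relearn": p_value < alpha}


def normal_window():
    """Constructed: 99 alerts close to known prototypes plus one outlier."""
    pts = [ring(PROTOTYPES[k % 3], 0.010 + 0.0008 * k, k) for k in range(99)]
    return pts + [(0.0, 0.12)]   # single rejection: 0.12 > threshold


def drift_window():
    """Constructed: 70 normal alerts plus 30 from a new behaviour at (0.5, 0.5),
    which is ~0.707 away from every prototype."""
    pts = [ring(PROTOTYPES[k % 3], 0.010 + 0.0008 * k, k) for k in range(70)]
    return pts + [(0.5, 0.5)] * 30


if __name__ == "__main__":
    th = rejection_threshold(training_set())
    print("threshold", round(th, 4))
    print("normal", relearn_decision(normal_window(), th))
    print("drift ", relearn_decision(drift_window(), th))
```

A single rejection in a window of 100 is consistent with the nominal 1% rate, so the decision function stays quiet; thirty rejections concentrated at one new location are overwhelmingly unlikely under that rate and trigger re-learning. An exact binomial test is used rather than a normal-approximation z-test because the expected number of rejections under H0 (here 1 per 100 alerts) is far too small for the approximation to hold.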