Reducing false positives in intrusion detection systems

被引：61

作者：

Spathoulas, Georgios P. ^{[1
,2
]}

Katsikas, Sokratis K. ^{[1
]}

机构：

[1] Univ Piraeus, Dept Technol Educ & Digital Syst, GR-18532 Piraeus, Greece

[2] Univ Cent Greece, Dept Comp Sci & Biomed Informat, GR-35100 Lamia, Greece

来源：

COMPUTERS & SECURITY | 2010年 / 29卷 / 01期

关键词：

Intrusion detection systems; False alarms; Filter; Snort; Alarms' distribution;

D O I：

10.1016/j.cose.2009.07.008

中图分类号：

TP [自动化技术、计算机技术];

学科分类号：

0812 ;

摘要：

A post-processing filter is proposed to reduce false positives in network-based intrusion detection systems. The filter comprises three components, each one of which is based upon statistical properties of the input alert set. Special characteristics of alerts corresponding to true attacks are exploited. These alerts may be observed in batches, which contain similarities in the source or destination IPs, or they may produce abnormalities in the distribution of alerts of the same signature. False alerts can be recognized by the frequency with which their signature triggers false positives. The filter architecture and design are discussed. Evaluation results performed using the DARPA 1999 dataset indicate that the proposed approach can significantly reduce the number and percentage of false positives produced by Snort (c) (Roesch, 1999). Our filter limited false positives by a percentage up to 75%. (C) 2009 Elsevier Ltd. All rights reserved.

引用

页码：35 / 44

页数：10

共 19 条

[1] Abimbola A., 2006, ICNS 06, P87
[2] Alshammari R, 2007, CNSR 2007: PROCEEDINGS OF THE FIFTH ANNUAL CONFERENCE ON COMMUNICATION NETWORKS AND SERVICES RESEARCH, P345
[3] [Anonymous], 2003, HP INVEN
[4] BAKAR N, 2005, P 13 IEEE INT C NETW, V1, P547
[5] BRUGGER T, 2007, CSE20071 UC DAV
[6] Alarm reduction and correlation in defence of IP networks
Chyssler, T
Nadjm-Tehrani, S
Burschka, S
Burbeck, K
[J]. THIRTEENTH IEEE INTERNATIONAL WORKSHOPS ON ENABLING TECHNOLOGIES: INFRASTRUCTURE FOR COLLABORATIVE ENTERPRISES, PROCEEDINGS, 2004, : 229 - 234
[7] Clifton C, 2000, IEEE MILIT COMMUN C, P440, DOI 10.1109/MILCOM.2000.904991
[8] An intelligent detection and response strategy to false positives and network attacks
Hooper, Emmanuel
[J]. FOURTH IEEE INTERNATIONAL WORKSHOP ON INFORMATION ASSURANCE, PROCEEDINGS, 2006, : 12 - 31
[9] Julisch K., 2003, ACM Transactions on Information and Systems Security, V6, P443, DOI 10.1145/950191.950192
[10] The 1999 DARPA off-line intrusion detection evaluation
Lippmann, R
Haines, JW
Fried, DJ
Korba, J
Das, K
[J]. COMPUTER NETWORKS-THE INTERNATIONAL JOURNAL OF COMPUTER AND TELECOMMUNICATIONS NETWORKING, 2000, 34 (04): : 579 - 595

← 1 2 →