Using adaptive alert classification to reduce false positives in intrusion detection

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 3224, Issue , 2004, Pages 102-124

  Pietraszek, Tadeusz ^a  

^a IBM RESEARCH ZURICH   (Switzerland)

Author keywords

Alert classification; False positives; Intrusion detection; Machine learning

Indexed keywords

ARTIFICIAL INTELLIGENCE; LEARNING SYSTEMS; MERCURY (METAL); NETWORK SECURITY;

ALERT CLASSIFICATION; FALSE POSITIVE; INTRUSION DETECTION SYSTEMS; MACHINE LEARNING TECHNIQUES; MONITOR COMPUTER; PROTOTYPE IMPLEMENTATIONS; SECURITY VIOLATIONS; SYSTEM SUPPORTS;

INTRUSION DETECTION;

EID: 26444436687     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-540-30143-1_6     Document Type: Article

References (36)

1. Anderson, J.P.: Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co (1980).
2. Axelsson, S.: The base-rate fallacy and its implications for the intrusion detection. In: Proceedings of the 6th ACM conference on Computer and Communications Security, Kent Ridge Digital Labs, Singapore (1999) 1-7.
3. Bloedorn, E., Hill, B., Christiansen, A., Skorupka, C., Talbot, L., Tivel, J.: Data Mining for Improving Intrusion Detection. Technical report, MITRE (2000).
4. Cohen, W.W.: Fast effective rule induction. In Prieditis, A., Russell, S., eds.: Proceedings of the 12th International Conference on Machine Learning, Tahoe City, CA, Morgan Kaufmann (1995) 115-123.
5. Cuppens, F.: Managing alerts in multi-intrusion detection environment. In: Proceedings 17th Annual Computer Security Applications Conference, New Orleans (2001) 22-31.
6. Dain, O., Cunningham, R.K.: Fusing a heterogeneous alert stream into scenarios. In: Proc. of the 2001 ACM Workshop on Data Mining for Security Application, Philadelphia, PA (2001) 1-13.
7. Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Recent Advances in Intrusion Detection (RAID2001). Volume 2212 of Lecture Notes in Computer Science., Springer-Verlag (2001) 85-103.
8. Denning, D.E.: An intrusion detection model. IEEE Transactions on Software Engineering SE-13 (1987) 222-232.
9. Domingos, P.: Metacost: A General Method for Making Classifiers Cost-Sensitive. In: Proceedings of the Fifth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Diego, California (1999) 155-164.
10. Fan, W.: Cost-Sensitive, Scalable and Adaptive Learning Using Ensemble-based Methods. PhD thesis, Columbia University (2001).
11. Fawcett, T.: ROC graphs: Note and practical considerations for researchers (HPL-2003-4). Technical report, HP Laboratories (2003).
12. Giraud-Carrier, C.: A Note on the Utility of Incremental Learning. AI Communications 13 (2000) 215-223.
13. Hettich, S., Bay, S.D.: The UCI KDD Archive. Web page at http://kdd.ics.uci. edu (1999).
14. Jacobson, V., Leres, C., McCanne, S.: TCPDUMP public repository. Web page at http://www.tcpdump.org/ (2003).
15. Julisch, K.: Using Root Cause Analysis to Handle Intrusion Detection Alarms. PhD thesis, University of Dortmund (2003).
16. Lavrač, N., Džeroski, S.: Inductive Logic Programming: Techniques and Applications. Ellis Horwood (1994).
17. Lee, W.: A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University (1999).
18. Lee, W., Fan, W., Miller, M., Stolfo, S.J., Zadok, E.: Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security 10 (2002) 5-22.
19. Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.: The 1999 DARPA Off-Line Intrusion Detection Evaluation. Computer Networks: The International Journal of Computer and Telecommunications Networking 34 (2000) 579-595.
20. Lippmann, R., Webster, S., Stetson, D.: The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection. In: Recent Advances in Intrusion Detection (RAID2002). Volume 2516 of Lecture Notes in Computer Science., Springer-Verlag (2002) 307-326.
21. Mahoney, M.V., Chan, P.K.: An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection. In: Recent Advances in Intrusion Detection (RAID2003). Volume 2820 of Lecture Notes in Computer Science., Springer-Verlag (2003) 220-237.
22. Maloof, M.A., Michalski, R.S.: Incremental learning with partial instance memory. In: Proceedings of Foundations of Intelligent Systems: 13th International Symposium, ISMIS 2002. Volume 2366 of Lecture Notes in Artificial Intelligence., Springer-Verlag (2002) 16-27.
23. Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A Data Mining Analysis of RTID Alarms. Computer Networks: The International Journal of Computer and Telecommunications Networking 34 (2000) 571-577.
24. Maria, J., Hidalgo, G.: Evaluating cost-sensitive unsolicited bulk email categorization. In: Proceedings of the 2002 ACM Symposium on Applied Computing, Springer-Verlag (2002) 615-620.
25. McHugh, J.: The 1998 Lincoln Laboratory IDS Evaluation. A critique. In: Recent Advances in Intrusion Detection (RAID2000). Volume 1907 of Lecture Notes in Computer Science., Springer-Verlag (2000) 145-161.
26. Michalski, R.: On the quasi-minimal solution of the general covering problem. In: Proceedings of the V International Symposium on Information Processing (FCIP 69) (Switching Circuits). Volume A3., Yugoslavia, Bled (1969) 125-128.
27. Mitchel, T.M.: Machine Learning. Me Graw Hill (1997).
28. Morin, B., Mé, L., Debar, H., Ducasse, M.: M2D2: A formal data model for IDS alert correlation. In: Recent Advances in Intrusion Detection (RAID2002). Volume 2516 of Lecture Notes in Computer Science., Springer-Verlag (2002) 115-137.
29. Provost, F., Fawcett, T.: Robust classification for impresice environments. Machine Learning Journal 42 (2001) 203-231.
30. Quinlan, R.: C4.5: Programs for Machine Learning. Morgan Kaufman (1993).
31. Roesch, M.: SNORT. The Open Source Network Intrusion System. Web page at http://wuw.snort.org (1998-2003).
32. Sommer, R., Paxson, V.: Enhancing Byte-Level Network Intrusion Detection Signatures with Context. In: Proceedings of the 10th ACM conference on Computer and Communication Security, Washington, DC (2003) 262-271.
33. Ting, K.: Inducing cost-sensitive trees via instance weighting. In: Proceedings of The Second European Symposium on Principles of Data Mining and Knowledge Discovery. Volume 1510 of Lecture Notes in AI., Springer-Verlag (1998) 139-147.
34. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Recent Advances in Intrusion Detection (RAID2001). Volume 2212 of Lecture Notes in Computer Science., Springer-Verlag (2001) 54-68.
35. Wang, J., Lee, I.: Measuring false-positive by automated real-time correlated hacking behavior analysis. In: Information Security 4th International Conference. Volume 2200 of Lecture Notes in Computer Science., Springer-Verlag (2001) 512.
36. Witten, I.H., Frank, E.: Data Mining: Practical machine learning tools with Java implementations. Morgan Kaufmann, San Francisco (2000).