Data mining and machine learning - Towards reducing false positives in intrusion detection

Information Security Technical Report

Volumn 10, Issue 3, 2005, Pages 169-183

  Pietraszek, Tadeusz ^a,b   Tanner, Axel ^a  

^a IBM RESEARCH ZURICH   (Switzerland)

^b UNIVERSITY OF FREIBURG   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

ALERT-MANAGEMENT SYSTEM; INTRUSION DETECTION SYSTEMS (IDSS);

COMPUTER SYSTEMS; DATA MINING; DATA REDUCTION; LEARNING SYSTEMS; MONTE CARLO METHODS;

SECURITY OF DATA;

EID: 27644590551     PISSN: 13634127     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.istr.2005.07.001     Document Type: Article

References (44)

1. James P. Anderson Computer security threat monitoring and surveillance Technical report 1980 James P. Anderson Co
2. Stefan Axelsson The base-rate fallacy and its implications for the intrusion detection Proceedings of the 6th ACM conference on computer and communications security 1999 Kent Ridge Digital Labs Singapore 1 7
3. Steven M. Bellowin Packets found on an internet Computer Communications Review 23 3 1993 26 31
4. Eric Bloedorn, Bill Hill, Alan Christiansen, Clem Skorupka, Lisa Talbot, and Jonathan Tivel Data mining for improving intrusion detection Technical report 2000 MITRE corporation
5. William W. Cohen Fast effective rule induction Armand Prieditis Stuart Russell Proceedings of the 12th international conference on machine learning 1995 Morgan Kaufmann Tahoe City, CA 115 123
6. Frédéric Cuppens. Managing alerts in multi-intrusion detection environment. In: Proceedings 17th annual computer security applications conference. New Orleans; 2001. p. 22-31.
7. Frédéric Cuppens, Alexandre Miège. Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE symposium on security and privacy; 2002. p. 202-15.
8. Frédéric Cuppens, Fabien Autrel, Alexandre Miège, Salem Benferhat. Correlation in an intrusion detection process. In: Proceedings SÉcurité des communications sur internet (SECI02); 2002. p. 153-71.
9. Olivier Dain, Robert K. Cunningham. Fusing a heterogeneous alert stream into scenarios. In: Proceedings of the 2001 ACM workshop on data mining for security application. Philadelphia, PA; 2001. p. 1-13.
10. Hervé Debar, and Andreas Wespi Aggregation and correlation of intrusion-detection alerts Recent advances in intrusion detection (RAID2001) Lecture notes in computer science vol. 2212 2001 Springer-Verlag p. 85-103
11. Dorothy E. Denning An intrusion detection model IEEE Transactions on Software Engineering SE-13 2 1987 222 232
12. Tom Fawcett ROC graphs: note and practical considerations for researchers (HPL-2003-4) Technical report 2003 HP Laboratories
13. Jiawei Han, Yandong Cai, and Nick Cercone Knowledge discovery in databases: an attribute-oriented approach Proceedings 18th international conference on very large databases (VLDB) Aug. 1992 Vancouver Canada 547 559
14. J. Han, Y. Cai, and N. Cercone Data-driven discovery of quantitative rules in relational databases IEEE Transactions on Knowledge and Data Engineering 5 1 1993 29 40
15. IBM. Tivoli Risk Manager User's Guide. Version 4.1; 2002.
16. Jha S, Sheyner O, Wing J. Two formal analyses of attack graphs. In: Proceedings of the 15th IEEE computer security foundations workshop (CSFW 2002); 2002. p. 49-63.
17. Klaus Julisch. Mining Alarm Clusters to Improve Alarm Handling Efficiency. In: Proceedings 17th annual computer security applications conference. New Orleans, LA: Dec. 2001. p. 12-21.
18. Klaus Julisch Clustering intrusion detection alarms to support root cause analysis ACM Transactions on Information and System Security (TISSEC) 6 4 2003 443 471
19. Klaus Julisch. Using root cause analysis to handle intrusion detection alarms. PhD thesis. Germany: University of Dortmund; 2003b.
20. Klaus Julisch, and Marc Dacier Mining intrusion detection alarms for actionable knowledge Proceedings of the eighth ACM SIGKDD international conference on knowledge discovery and data mining 2002 Edmonton Alberta, Canada 366 375
21. Nada Lavrač, and Sašo Džeroski Inductive logic programming: techniques and applications Ellis Horwood 1994
22. Wenke Lee. A data mining framework for constructing features and models for intrusion detection systems. PhD thesis. Columbia University; 1999.
23. Wenke Lee, Wei Fan, Matthew Miller, Salvatore J. Stolfo, and Erez Zadok Toward cost-sensitive modeling for intrusion detection and response Journal of Computer Security 10 1-2 2002 5 22
24. Richard Lippmann, Seth Webster, and Douglas Stetson The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection Recent advances in intrusion detection (RAID2002) Lecture notes in computer science vol. 2516 2002 Springer-Verlag p. 307-26
25. Matthew V. Mahoney, and Philip K. Chan An analysis of the 1999 DARPA/Lincoln laboratory evaluation data for network anomaly detection Recent advances in intrusion detection (RAID2003) Lecture notes in computer science vol. 2820 2003 Springer-Verlag p. 220-37
26. Stefanos Manganaris, Marvin Christensen, Dan Zerkle, and Keith Hermiz A data mining analysis of RTID alarms Computer Networks: The International Journal of Computer and Telecommunications Networking 34 4 Oct 2000 571 577
27. Johh McHugh The 1998 lincoln laboratory IDS evaluation. A critique Recent advances in intrusion detection (RAID2000) Lecture notes in computer science vol. 1907 2000 Springer-Verlag p. 145-61
28. MIT Lincoln Laboratory DARPA intrusion detection evaluation data set Web page at 1999
29. Benjamin Morin, Ludovic Mé, Hervé Debar, and Mireille Ducasse M2D2: a formal data model for IDS alert correlation Recent advances in intrusion detection (RAID2002) Lecture notes in computer science vol. 2516 2002 Springer-Verlag p. 115-37
30. Peng Ning, and Yun Cui An intrusion alert correlator based on prerequisities of intrusions (TR-2002-01) Technical report 2002 North Carolina State University Raleigh, NC
31. Peng Ning, Douglas S. Reeves, and Yun Cui Correlating alerts using prerequisites of intrusions (TR-2001-13) Technical report 2001 North Carolina State University Raleigh, NC
32. Peng Ning, Yun Cui, and Douglas S. Reeves Analyzing intrusion alerts via correlation Recent advances in intrusion detection (RAID2002) Lecture notes in computer science vol. 2516 2002 Springer-Verlag
33. Ning Peng, Cui Yun, Reeves Douglas S. Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM conference on computer and communications security; 2002b. p. 245-54.
34. NIST ICAT metabase Web page at 2000-2004
35. Vern Paxson Bro: a system for detecting network intruders in real-time Computer Networks 31 23-24 1999 2435 2463
36. Tadeusz Pietraszek Using adaptive alert classification to reduce false positives in intrusion detection Recent advances in intrusion detection (RAID2004) Lecture notes in computer science vol. 3324 2004 Springer-Verlag Sophia Antipolis, France 102-24
37. Thomas H. Ptacek, and Timoty N. Newsham Insertion, evasion and denial of service: Eluding network intrusion detection Technical report 1998 Secure Networks Inc
38. Ronald W. Ritchey, Paul Ammann. Using model checking to analyze network vulnerabilities. In: Proceedings of the IEEE symposium on security and privacy (S&P 2000); 2000. p. 156-65.
39. Martin Roesch SNORT. The open source network intrusion system Web page at 1998-2003
40. SecurityFocus BugTraq Web page at 1998-2004
41. Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, Jeannette M. Wing. Automated generation and analysis of attack graphs. In: Proceedings of the IEEE symposium on security and privacy (S&P 2002); 2002. p. 254-65.
42. Robin Sommer, Vern Paxson. Enhancing byte-level network intrusion detection signatures with context. In: Proceedings of the 10th ACM conference on computer and communication security. Washington, DC; 2003. p. 262-71.
43. Kai Ming Ting Inducing cost-sensitive trees via instance weighting Proceedings of the second european symposium on principles of data mining and knowledge discovery Lecture notes in AI vol. 1510 1998 Springer-Verlag 139 147
44. Alfonso Valdes, and Keith Skinner Probabilistic alert correlation Recent advances in intrusion detection (RAID2001) Lecture notes in computer science vol. 2212 2001 Springer-Verlag 54-68