Reducing false positives in intrusion detection systems

Computers and Security

Volumn 29, Issue 1, 2010, Pages 35-44

  Spathoulas, Georgios P ^a,b   Katsikas, Sokratis K ^b  

^a UNIVERSITY OF CENTRAL GREECE   (Greece)

^b UNIVERSITY OF PIRAEUS   (Greece)

Author keywords

Alarms' distribution; False alarms; Filter; Intrusion detection systems; Snort

Indexed keywords

DATA SETS; EVALUATION RESULTS; FALSE ALARMS; FALSE POSITIVE; FILTER ARCHITECTURE; IN-NETWORK; INTRUSION DETECTION SYSTEMS; POST-PROCESSING FILTERS; STATISTICAL PROPERTIES; THREE COMPONENT;

ALARM SYSTEMS; COMPUTER CRIME; ERRORS;

INTRUSION DETECTION;

EID: 71649091715     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2009.07.008     Document Type: Article

References (19)

1. Abimbola A.A., Munoz J.M., and Buchanan W.J. Investigating false positive reduction in http via procedure analysis. ICNS '06: proceedings of the international conference on networking and services (2006), IEEE Computer Society, Washington, DC, USA 87-93
2. Alshammari R., Sonamthiang S., Teimouri M., and Riordan D. Using neuro-fuzzy approach to reduce false positive alerts. CNSR '07: proceedings of the fifth annual conference on communication networks and services research (2007), IEEE Computer Society, Washington, DC, USA 345-349
3. Bakar N., Belaton B., and Samsudin A. False positives reduction via intrusion alert quality framework. Proc. 13th IEEE international conference on networks jointly held with the 2005 IEEE 7th Malaysia international conference on communication vol. 1 (2005) 547-552
4. Brugger T, Chow J. An assessment of the DARPA IDS evaluation dataset using Snort. UC Davis Technical Report CSE-2007-1, Davis; 2007.
5. Chyssler T., Nadjm-Tehrani S., Burschka S., and Burbeck K. Alarm reduction and correlation in defence of ip networks. Proc. 13th IEEE international workshops on enabling technologies: infrastructure for collaborative enterprises WET ICE 2004 (2004) 229-234
6. Clifton C., and Gengo G. Developing custom intrusion detection filters using data mining. Proc. 21st century Military Communications MILCOM 2000 vol. 1 (2000) 440-443
7. Fawcett T. Roc graphs: notes and practical considerations for researchers. Technical report; 2003.
8. Hooper E. An intelligent detection and response strategy to false positives and network attacks. Proc. fourth IEEE International Workshop on Information Assurance IWIA 2006 (13-14 April 2006) 20-31
9. Julisch K. Clustering intrusion detection alarms to support root cause analysis. ACM Trans Inf Syst Secur 6 4 (2003) 443-471
10. Lippmann R., Haines J.W., Fried D.J., Korba J., and Das K. The 1999 darpa off-line intrusion detection evaluation. Comput Netw 34 (2000) 579-595
11. Lippmann R.P., Fried D.J., Graf I., Haines J.W., Kendall K.R., Mcclung D., et al. Evaluating intrusion detection systems: the 1998 darpa off-line intrusion detection evaluation. DARPA information survivability conference and exposition, 2000. DISCEX '00. proceedings vol. 2 (2000) 12-26 IEEE Comput. Soc
12. Manganaris S., Christensen M., Zerkle D., and Hermiz K. A data mining analysis of rtid alarms. Comput Netw 34 4 (2000) 571-577
13. Morin B., and Debar H. Correlation of intrusion symptoms: an application of chronicles. Proceedings of the 6th international conference on Recent Advances in Intrusion Detection (RAID'03) (2003) 94-112
14. Pietraszek T. Using adaptive alert classification to reduce false positives in intrusion detection. Proceedings of the symposium on Recent Advances in Intrusion Detection (RAID'04) (2004), Springer 102-124
15. Pietraszek T., and Tanner A. Data mining and machine learning-towards reducing false positives in intrusion detection. Inform Secur Tech Rep 10 3 (2005) 169-183
16. Roesch M. Snort - lightweight intrusion detection for networks. LISA '99: proceedings of the 13th USENIX conference on system administration (1999), USENIX Association, Berkeley, CA, USA 229-238
17. Shafer G. A mathematical theory of evidence (1976), Princeton University Press
18. Tian Z, Zhang W, Ye J, Yu X, Zhang H. Reduction of false positives in intrusion detection via adaptive alert classifier. In: Information and Automation, 2008. ICIA 2008. International Conference on. p. 1599-1602; June 2008.
19. Viinikka J., and Debar H. Monitoring IDS background noise using EWMA control charts and alert information (2004), Springer p. 166-187