An Intelligent Detection and Response Strategy to False Positives and Network Attacks: Operation of Network Quarantine Channels and Feedback Methods to IDS

Network-based intrusion detection systems (IDSs) monitor network infrastructures for potential attacks and raise alerts when they observe suspicious activity. Security analysts examine these alerts to decide whether each one is benign or an attack. However, the alerts contain a high volume of false positives: alerts triggered by connections that look suspicious but are in fact normal and benign. This high volume makes manual analysis of the alerts difficult and inefficient for real-time detection and response. In this paper, we briefly discuss the significance of false positives and their impact on intrusion detection and response. We then propose a novel approach to efficient, intelligent detection and response based on reducing false positives. The strategy is built on Network Quarantine Channels (NQCs): a technique with multiple zones that isolate, and interact in real time with, the hosts from which the suspicious packets were sent. We also propose multiple feedback methods that report the status of each alert to the IDS monitor and database. Together, the NQC and feedback mechanisms enhance the capability of the IDS to detect threats and to recognise benign connections that would otherwise be flagged as attacks. This is accomplished by applying adaptive rules to the alert filters and policies of the IDS network sensors.
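The abstract describes a loop rather than a single detector: an alert the sensor cannot settle is routed to a quarantine zone, the zone observes how the source host behaves while isolated, and the verdict is fed back to the IDS database, where it becomes an adaptive filter rule. The following Python model, written for this page and not taken from the paper or any IDS product, shows that loop end to end on constructed sample alerts. The signature names, host addresses, the two-confirmation promotion rule and the quarantine heuristic (port-probing count plus payload recurrence) are all assumptions made for illustration; the paper does not specify them.

```python
"""Toy model of an IDS alert pipeline with a quarantine zone and a feedback loop.

Constructed example: alerts the filter has no rule for are routed to a
quarantine zone, the source host's follow-up behaviour is observed there, and
the verdict is fed back to the IDS database as an adaptive rule (suppress
repeat-benign pairs, block repeat-malicious pairs).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    signature: str   # IDS rule name that fired (assumed name)
    src: str         # source host address (constructed)
    dst_port: int    # destination port of the flagged connection


@dataclass(frozen=True)
class QuarantineObservation:
    """What the quarantine zone saw from a host after isolation (constructed)."""
    ports_touched: int     # distinct ports the host tried while quarantined
    payload_matched: bool  # whether the same suspicious payload reappeared


def quarantine_verdict(obs: QuarantineObservation, scan_threshold: int = 5) -> str:
    """Heuristic used by the quarantine zone (an assumption, not the paper's rule):
    scan-like port probing or a repeated payload means malicious, else benign."""
    if obs.payload_matched or obs.ports_touched >= scan_threshold:
        return "malicious"
    return "benign"


class AdaptiveAlertFilter:
    """Alert filter whose rules are updated from quarantine-zone verdicts."""

    def __init__(self, confirmations: int = 2):
        self.confirmations = confirmations             # verdicts needed to promote a rule
        self.benign_votes = defaultdict(int)           # (signature, src) -> benign count
        self.malicious_votes = defaultdict(int)        # (signature, src) -> malicious count
        self.suppressed = set()                        # pairs the sensor stops alerting on
        self.blocked = set()                           # pairs the sensor blocks outright

    def decide(self, alert: Alert) -> str:
        """Apply the current adaptive rules; unknown pairs go to quarantine."""
        key = (alert.signature, alert.src)
        if key in self.blocked:
            return "block"
        if key in self.suppressed:
            return "suppress"
        return "quarantine"

    def feedback(self, alert: Alert, verdict: str) -> None:
        """Record a quarantine verdict; promote it to a rule once confirmed enough times."""
        key = (alert.signature, alert.src)
        if verdict == "benign":
            self.benign_votes[key] += 1
            if self.benign_votes[key] >= self.confirmations:
                self.suppressed.add(key)
        elif verdict == "malicious":
            self.malicious_votes[key] += 1
            if self.malicious_votes[key] >= self.confirmations:
                self.blocked.add(key)
        else:
            raise ValueError(f"unknown verdict {verdict!r}")


def run_pipeline(events, flt: AdaptiveAlertFilter):
    """Process (alert, observation) pairs in order and return the action per event.
    The observation is only consulted when the alert actually enters quarantine."""
    actions = []
    for alert, obs in events:
        action = flt.decide(alert)
        if action == "quarantine":
            verdict = quarantine_verdict(obs)
            flt.feedback(alert, verdict)       # feed the zone's verdict back to the IDS
            action = f"quarantine:{verdict}"
        actions.append(action)
    return actions


def alerts_for_review(actions) -> int:
    """Number of alerts that still needed quarantine handling (the analyst's load)."""
    return sum(a.startswith("quarantine") for a in actions)


# Constructed sample: a backup server that trips an SMB signature every night
# (benign), and an external host that trips a web-exploit signature and keeps
# probing ports once isolated (malicious).
SAMPLE_EVENTS = [
    (Alert("SMB_ADMIN_SHARE", "10.0.0.5", 445), QuarantineObservation(1, False)),
    (Alert("SMB_ADMIN_SHARE", "10.0.0.5", 445), QuarantineObservation(1, False)),
    (Alert("SMB_ADMIN_SHARE", "10.0.0.5", 445), QuarantineObservation(1, False)),
    (Alert("WEB_EXPLOIT_ATTEMPT", "203.0.113.9", 80), QuarantineObservation(12, True)),
    (Alert("WEB_EXPLOIT_ATTEMPT", "203.0.113.9", 80), QuarantineObservation(9, False)),
    (Alert("WEB_EXPLOIT_ATTEMPT", "203.0.113.9", 80), QuarantineObservation(0, False)),
]


def demo():
    """Run the constructed events through a fresh filter; returns (actions, filter)."""
    flt = AdaptiveAlertFilter(confirmations=2)
    return run_pipeline(SAMPLE_EVENTS, flt), flt


if __name__ == "__main__":
    acts, f = demo()
    for (alert, _), act in zip(SAMPLE_EVENTS, acts):
        print(f"{alert.signature:20} {alert.src:14} -> {act}")
    print("alerts still needing quarantine review:", alerts_for_review(acts))
```

The point of the model is the feedback path: after two benign verdicts the SMB pair is suppressed and never reaches the analyst again, while after two malicious verdicts the web-exploit pair is blocked at the sensor without another round of isolation. Of the six alerts, only four require quarantine handling, which is the false-positive reduction the abstract is after. In a real deployment the promotion threshold and the quarantine heuristic would be tuned per signature, and suppressed pairs should expire rather than live forever, so that a host that turns malicious later is not permanently whitelisted.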
