Analyzing Root Causes of Intrusion Detection False-Negatives: Methodology and Case Study

Intrusion Detection Systems (IDSs) are a necessary cyber defense mechanism, but their capability has fallen behind that of attackers. This motivates us to improve our understanding of the root causes of their false negatives. In this paper we take a first step toward the ultimate goal of drawing insights and principles that can guide the design of next-generation IDSs. Specifically, we propose a methodology for analyzing the root causes of IDS false negatives and conduct a case study based on Snort and a real-world dataset of cyber attacks. The case study allows us to draw useful insights.
