Intrusion Detection Systems (IDSs) are widely deployed as unauthorized activities and attacks increase. However, they often overload security managers by triggering thousands of alerts per day, and up to 99% of these alerts are false positives (i.e., alerts that are triggered incorrectly by benign events). This makes it extremely difficult for managers to correctly analyze the security state and react to attacks. In this chapter the authors describe a novel system for reducing false positives in intrusion detection, called ODARM (an Outlier Detection-Based Alert Reduction Model). Their model is based on a new data mining technique, outlier detection, which needs no labeled training data, no domain knowledge and little human assistance. The main idea of their method is to use frequent attribute values mined from historical alerts as the features of false positives, and then to filter false alerts by a score calculated from these features. In order to filter alerts in real time, they also design a two-phase framework that consists of a learning phase and an online filtering phase. They have finished a prototype implementation of their model, and through experiments on DARPA 2000 they have proved that it can effectively reduce false positives in IDS alerts. On a real-world dataset, their model achieves an even higher reduction rate.
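A minimal sketch of the two-phase idea summarized above, added here as an illustration and not the authors' ODARM implementation. The alert schema, the mean-support score, both thresholds and the sample alerts are assumptions constructed for this example.

```python
from collections import Counter

ATTRS = ("signature", "src_ip", "dst_ip", "dst_port")  # assumed alert schema

def learn(history, min_support=0.3):
    """Learning phase: keep the support of every frequent (attribute, value) pair."""
    counts = Counter((a, alert[a]) for alert in history for a in ATTRS)
    n = len(history)
    return {k: c / n for k, c in counts.items() if c / n >= min_support}

def score(alert, features):
    """Assumed score: mean support of the alert's values; infrequent values add 0."""
    return sum(features.get((a, alert[a]), 0.0) for a in ATTRS) / len(ATTRS)

def filter_online(stream, features, threshold=0.5):
    """Online phase: high score = looks like routine noise, low score = outlier."""
    kept, suppressed = [], []
    for alert in stream:
        (suppressed if score(alert, features) >= threshold else kept).append(alert)
    return kept, suppressed

def mk(signature, src_ip, dst_ip, dst_port):
    return dict(zip(ATTRS, (signature, src_ip, dst_ip, dst_port)))

# Constructed history: a monitoring host pinging a gateway dominates the alert log.
HISTORY = [mk("ICMP PING", "10.0.0.5", "10.0.0.1", 0)] * 8 + [
    mk("SNMP public access", "10.0.0.9", "10.0.0.1", 161),
    mk("WEB-MISC robots.txt", "198.51.100.4", "10.0.0.20", 80),
]
# Constructed online stream: one routine alert and two that deviate from history.
STREAM = [
    mk("ICMP PING", "10.0.0.5", "10.0.0.1", 0),
    mk("SQL injection attempt", "203.0.113.7", "10.0.0.20", 80),
    mk("SSH brute force", "203.0.113.7", "10.0.0.1", 22),
]

if __name__ == "__main__":
    feats = learn(HISTORY)
    kept, suppressed = filter_online(STREAM, feats)
    for a in STREAM:
        print(f"{score(a, feats):.3f}  {a['signature']}")
    print("kept for analyst:", [a["signature"] for a in kept])
```

In this sketch an alert that shares most values with the routine traffic is suppressed even if one attribute is new, so the threshold directly trades analyst workload against the risk of hiding a real attack that resembles background noise.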