False Positives Reduction Techniques in Intrusion Detection Systems-A Review

Summary: During the last decade, with the growth of cyber attacks, information safety has become an important issue all over the world. Intrusion detection systems (IDSs) are an essential element of network security infrastructure and play a very important role in detecting a large number of attacks. Although there are different types of intrusion detection systems, all of them suffer from a common problem: they generate a high volume of alerts and a huge number of false positives. This drawback has become the main motivation for many research papers in the IDS area. The aim of the research conducted in the field is to propose different techniques to handle the alerts, reduce them, and distinguish real attacks from false positives and low-importance events. This manuscript is a survey paper that presents a review of the current research related to the false positives problem. The focus is on data mining techniques for alert reduction. This paper reviews more than 30 related studies from the last decade, with the hope of providing a reference for further research in this area. Several open issues are also addressed in this paper.
