False positive reduction in intrusion detection system: A survey

From the first intrusion detection systems to the present, IDSs have generated enormous volumes of alerts, and most of those alerts are false alarms. This has driven researchers to look for ways to reduce the alert rate, or at least the rate of false alerts. One approach is alert correlation: methods that cope with the large volume of alerts, both genuine and false, by relating and aggregating them into a smaller number of meaningful events. Techniques in this area aim to help the analyst distinguish alerts caused by real attacks from alerts triggered by legitimate traffic. This paper surveys the false positive reduction techniques proposed in this area.
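To make the correlation idea concrete, the following added example (not code from the paper or from any of the surveyed systems) parses a handful of constructed alerts written in the Snort "fast" alert format and merges repeated alerts that share the same signature, source, destination and destination port within a short time window into one meta-alert. The alert lines, signature IDs, addresses and the 60-second window are all assumptions chosen for illustration; the point is to show how aggregation alone shrinks the number of items an analyst has to look at, before any judgement about true versus false positives is made.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in Snort "fast" alert format (made up for this
# example; signature IDs in the 1000000+ local range, private addresses).
# The last line is deliberately malformed to show that the parser skips it.
SAMPLE_ALERTS = """\
01/15-10:22:01.000000  [**] [1:1000001:1] TEST scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.10:80
01/15-10:22:01.250000  [**] [1:1000001:1] TEST scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.1.10:80
01/15-10:22:02.100000  [**] [1:1000001:1] TEST scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 192.168.1.10:80
01/15-10:22:03.000000  [**] [1:1000001:1] TEST scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40004 -> 192.168.1.10:80
01/15-10:22:59.900000  [**] [1:1000001:1] TEST scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40005 -> 192.168.1.10:80
01/15-10:27:30.000000  [**] [1:1000001:1] TEST scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40006 -> 192.168.1.10:80
01/15-10:23:10.000000  [**] [1:1000002:2] TEST login brute force [**] [Priority: 1] {TCP} 10.0.0.9:51000 -> 192.168.1.20:22
01/15-10:23:11.000000  [**] [1:1000002:2] TEST login brute force [**] [Priority: 1] {TCP} 10.0.0.9:51001 -> 192.168.1.20:22
this line is not an alert and is skipped by the parser
"""

# One regular expression for the fast-format line; the Classification field is
# optional because rules without a classtype omit it.
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        # Fast format carries no year; relative ordering is all we need here.
        "ts": datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f"),
        "sid": int(d["sid"]), "msg": d["msg"], "prio": int(d["prio"]),
        "proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def correlate(alerts, window=timedelta(seconds=60)):
    """Aggregate alerts into meta-alerts.

    Alerts with the same (sid, src, dst, dport) are merged while they fall
    within `window` of the first alert of the currently open meta-alert; an
    alert outside that window opens a new meta-alert for the same key.
    """
    meta = []          # meta-alerts in order of creation
    open_by_key = {}   # key -> index of the open meta-alert for that key
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["sid"], a["src"], a["dst"], a["dport"])
        idx = open_by_key.get(key)
        if idx is not None and a["ts"] - meta[idx]["first"] <= window:
            m = meta[idx]
            m["count"] += 1
            m["last"] = a["ts"]
            m["sports"].add(a["sport"])
        else:
            open_by_key[key] = len(meta)
            meta.append({
                "sid": a["sid"], "msg": a["msg"], "prio": a["prio"],
                "src": a["src"], "dst": a["dst"], "dport": a["dport"],
                "first": a["ts"], "last": a["ts"],
                "count": 1, "sports": {a["sport"]},
            })
    return meta


def reduction(raw_count, meta_count):
    """Fraction of raw alerts the analyst no longer has to inspect individually."""
    return 1 - meta_count / raw_count


def run(text=SAMPLE_ALERTS):
    """Parse, correlate and report; returns (alerts, meta_alerts, reduction_ratio)."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    meta = correlate(alerts)
    return alerts, meta, reduction(len(alerts), len(meta))


if __name__ == "__main__":
    alerts, meta, ratio = run()
    for m in meta:
        print(f"[{m['sid']}] {m['msg']}: {m['src']} -> {m['dst']}:{m['dport']} "
              f"x{m['count']} over {m['first'].time()}..{m['last'].time()}")
    print(f"{len(alerts)} raw alerts -> {len(meta)} meta-alerts "
          f"({ratio:.0%} reduction)")
```

On the constructed input the eight parsed alerts collapse to three meta-alerts: the five probes within one minute become a single event, the probe five minutes later opens a second one, and the two brute-force alerts form a third. Aggregation of this kind only compresses volume; whether a meta-alert is a true or a false positive is still a separate decision, which is why the survey treats correlation as one technique among several rather than as the whole answer.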
