False Alarm Reduction by Weighted Score-Based Rule Adaptation through Expert Feedback

An adaptation mechanism is important for false alarm reduction in Intrusion Detection Systems (IDS), because the monitored environment changes over time and irrelevant signatures trigger alerts wrongly. In this study we propose a Weighted Score-based Rule Adaptation (WSRA) mechanism driven by expert feedback, in order to reduce the massive number of false alarms produced by an IDS. A rule set is generated by a rule learner (e.g. RIPPER) to identify false alerts; each rule carries a score that represents its availability. The weighted score-based rule adaptation adjusts these scores according to the labeled information that arrives from the expert. In addition, we propose concept-level features for the false alarm reduction problem, which make the rules easier to present to experts and so make their feedback easier to obtain. WSRA makes the following contributions: (a) it automatically adapts to changes in the network environment when identifying false alarms, (b) it introduces a new weighted score-based rule adaptation mechanism, and (c) thanks to concept-level features, the rules are easier to demonstrate to experts when collecting their feedback. Evaluation on one benchmark dataset (DARPA 99) supports our approach: the proposed mechanism reduces false alarms better than a mechanism that does not consider adaptation.
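The following is an added illustration of the adaptation loop described in the abstract; it is not code from the paper, and the paper does not publish its scoring formula. Everything here is an assumption made for the example: the rules are hand-written predicates over concept-level alert features (standing in for rules a learner such as RIPPER would induce), each rule starts with score 1.0, a rule only suppresses an alert while its score stays at or above an activation threshold, and expert feedback moves the score multiplicatively (a contradiction halves it, a confirmation recovers half of the remaining headroom). The scenario shows the property the abstract is after: a rule that was correct when learned loses its score after the environment changes, stops suppressing alerts, and can recover if later feedback confirms it again.

```python
"""Illustrative weighted score-based rule adaptation (hypothetical, not the paper's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Concept-level features of one IDS alert, e.g. signature class, role of the
# source host, service offered on the destination port (constructed schema).
Alert = Dict[str, str]


@dataclass
class Rule:
    name: str
    matches: Callable[[Alert], bool]  # when it fires, the rule claims the alert is a false alarm
    score: float = 1.0                # how much the rule is still trusted in the current environment


class WSRA:
    """Rule set whose per-rule scores are adapted from expert feedback (assumed update rule)."""

    def __init__(self, rules: List[Rule], activate: float = 0.5,
                 reward: float = 0.5, penalty: float = 0.5) -> None:
        self.rules = rules
        self.activate = activate  # below this score a rule no longer suppresses alerts
        self.reward = reward      # fraction of the remaining headroom regained on confirmation
        self.penalty = penalty    # fraction of the score lost on contradiction

    def firing(self, alert: Alert) -> List[Rule]:
        return [r for r in self.rules if r.matches(alert)]

    def is_false_alarm(self, alert: Alert) -> bool:
        # An alert is suppressed if at least one *active* rule fires on it.
        return any(r.score >= self.activate for r in self.firing(alert))

    def feedback(self, alert: Alert, expert_false_alarm: bool) -> None:
        # Only the rules that actually fired on this alert are credited or blamed.
        for r in self.firing(alert):
            if expert_false_alarm:
                r.score += self.reward * (1.0 - r.score)   # confirmed: move toward 1.0
            else:
                r.score *= (1.0 - self.penalty)            # contradicted: decay

    def scores(self) -> Dict[str, float]:
        return {r.name: r.score for r in self.rules}


def build_rules() -> List[Rule]:
    # Constructed rules over concept-level features; a real deployment would learn these.
    return [
        Rule("scanner-src", lambda a: a["src_role"] == "authorized_scanner"),
        Rule("non-web-dst", lambda a: a["sig_class"] == "web-attack" and a["dst_service"] != "http"),
    ]


def run_scenario() -> Tuple[Tuple[bool, bool], bool, bool, bool, Dict[str, float]]:
    """Walk the rule set through an environment change and back, returning each decision."""
    wsra = WSRA(build_rules())
    # Constructed alerts: a scan from the authorized scanner, a web signature hitting SMTP.
    scan = {"sig_class": "portscan", "src_role": "authorized_scanner", "dst_service": "ssh"}
    web = {"sig_class": "web-attack", "src_role": "external", "dst_service": "smtp"}

    before = (wsra.is_false_alarm(scan), wsra.is_false_alarm(web))   # both suppressed

    # Environment change: the expert twice labels the scanner's alerts as real attacks.
    wsra.feedback(scan, expert_false_alarm=False)   # score 1.0 -> 0.5, still active
    mid = wsra.is_false_alarm(scan)
    wsra.feedback(scan, expert_false_alarm=False)   # score 0.5 -> 0.25, now inactive
    after = wsra.is_false_alarm(scan)

    # Confirmations: the web rule is confirmed (score stays 1.0); the scanner rule is
    # confirmed once and climbs back above the activation threshold (0.25 -> 0.625).
    wsra.feedback(web, expert_false_alarm=True)
    wsra.feedback(scan, expert_false_alarm=True)
    recovered = wsra.is_false_alarm(scan)

    return before, mid, after, recovered, wsra.scores()


if __name__ == "__main__":
    print(run_scenario())
```

The activation threshold is what turns a continuous score into the suppress/don't-suppress decision an analyst sees; keeping the score rather than deleting the rule outright is what lets a rule come back when the environment changes again, which is the behaviour the scenario's last step shows.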
