Filtering false positives based on server-side behaviors

Makoto Shimamura, Miyuki Hanaoka, Kenji Kono

Research output: Contribution to journal, Article

1 Citation (Scopus)

Abstract

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce the number of false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks that are not harmful to the administrator's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators that a malicious message has been detected, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it has confirmed that an attempt has been made. The TrueAlarm NIDS cooperates with a server-side monitor that observes the protected server's behavior. TrueAlarm only alerts administrators when a server-side monitor has detected deviant server behavior that must have been caused by a message detected by a NIDS. Our experimental results revealed that TrueAlarm reduces the rate of false positives. Using actual network traffic collected over 14 days, TrueAlarm produced 46 false positives, while Snort, a conventional NIDS, produced 818.
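The abstract describes the TrueAlarm idea only at the level of architecture: a signature match on the wire is held back, and an alert is raised only once a server-side monitor reports deviant behavior that can be attributed to the matched message. The correlator below is an added illustration of that alert-delaying logic; it is not code from the paper, and the attribution rule it uses (same connection identifier, monitor event after the detection, within a bounded window) and the event fields are assumptions made for the example, not details taken from the paper.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class NidsDetection:
    """A signature match reported by the NIDS (fields assumed for this example)."""
    ts: float        # seconds since start of capture
    conn: str        # connection the matched message belonged to
    signature: str   # name of the signature that fired


@dataclass
class MonitorEvent:
    """A deviation reported by the server-side monitor (fields assumed)."""
    ts: float
    conn: str        # connection the server was servicing when it deviated
    deviation: str   # e.g. "unexpected-syscall" or "crash"


class DelayedAlertCorrelator:
    """Holds NIDS detections as 'pending' and only alerts when the server-side
    monitor reports a deviation attributable to one of them.  Pending detections
    that see no deviation within `window` seconds are silently dropped: under the
    abstract's model these are the conventional NIDS's false positives."""

    def __init__(self, window: float = 5.0):
        self.window = window
        self.pending = deque()          # detections awaiting server-side confirmation
        self.alerts = []                # (signature, conn, deviation) tuples actually raised
        self.suppressed = 0             # detections that expired unconfirmed
        self.unattributed = 0           # monitor events with no matching pending detection

    def on_detection(self, d: NidsDetection) -> None:
        self._expire(d.ts)
        self.pending.append(d)

    def on_monitor_event(self, e: MonitorEvent) -> bool:
        """Return True if the deviation confirmed a pending detection (alert raised)."""
        self._expire(e.ts)
        # Attribution rule (assumed): the most recent pending detection on the same
        # connection that precedes the deviation is taken to have caused it.
        for d in reversed(self.pending):
            if d.conn == e.conn and d.ts <= e.ts:
                self.alerts.append((d.signature, d.conn, e.deviation))
                self.pending.remove(d)
                return True
        self.unattributed += 1
        return False

    def _expire(self, now: float) -> None:
        # Detections are appended in time order, so the oldest is always at the left.
        while self.pending and now - self.pending[0].ts > self.window:
            self.pending.popleft()
            self.suppressed += 1

    def flush(self, now: float) -> None:
        """Expire everything older than the window at end of the observation period."""
        self._expire(now)


def run_demo() -> dict:
    """Feed a small constructed event stream through the correlator and summarise it."""
    c = DelayedAlertCorrelator(window=5.0)
    # Constructed sample stream: three signature matches, one of which is followed
    # by a server-side deviation on the same connection.
    stream = [
        NidsDetection(1.0, "10.0.0.5:4321->10.0.0.1:80", "sig-A"),
        NidsDetection(2.0, "10.0.0.7:5000->10.0.0.1:80", "sig-B"),
        MonitorEvent(2.5, "10.0.0.7:5000->10.0.0.1:80", "crash"),
        NidsDetection(3.0, "10.0.0.9:6100->10.0.0.1:80", "sig-A"),
        MonitorEvent(4.0, "10.0.0.11:7000->10.0.0.1:80", "unexpected-syscall"),
    ]
    for ev in stream:
        if isinstance(ev, NidsDetection):
            c.on_detection(ev)
        else:
            c.on_monitor_event(ev)
    c.flush(now=20.0)
    return {"alerts": c.alerts, "suppressed": c.suppressed, "unattributed": c.unattributed}


if __name__ == "__main__":
    print(run_demo())
```

In the constructed stream, a conventional NIDS would have raised three alerts; the correlator raises one (the sig-B match followed by the server crash on the same connection), discards the other two when their window expires, and ignores the monitor event on a connection with no pending detection, since a deviation is only interesting here when it can be tied to a message the NIDS flagged.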

Original language: English
Pages (from-to): 264-276
Number of pages: 13
Journal: IEICE Transactions on Information and Systems
Volume: E91-D
Issue number: 2
DOI: 10.1093/ietisy/e91-d.2.264
Publication status: Published - 2008 Feb

Keywords

  • Internet security
  • Network attack detection
  • Network intrusion detection
  • Reducing false positives

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Software
  • Artificial Intelligence
  • Hardware and Architecture
  • Computer Vision and Pattern Recognition

Cite this

Filtering false positives based on server-side behaviors. / Shimamura, Makoto; Hanaoka, Miyuki; Kono, Kenji.

In: IEICE Transactions on Information and Systems, Vol. E91-D, No. 2, 02.2008, p. 264-276.

Shimamura, Makoto ; Hanaoka, Miyuki ; Kono, Kenji. / Filtering false positives based on server-side behaviors. In: IEICE Transactions on Information and Systems. 2008 ; Vol. E91-D, No. 2. pp. 264-276.
@article{63e9ac55019e48518298edec33b8ee4f,
title = "Filtering false positives based on server-side behaviors",
keywords = "Internet security, Network attack detection, Network intrusion detection, Reducing false positives",
author = "Makoto Shimamura and Miyuki Hanaoka and Kenji Kono",
year = "2008",
month = "2",
doi = "10.1093/ietisy/e91-d.2.264",
language = "English",
volume = "E91-D",
pages = "264--276",
journal = "IEICE Transactions on Information and Systems",
issn = "0916-8532",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "2",
}

TY - JOUR

T1 - Filtering false positives based on server-side behaviors

AU - Shimamura, Makoto

AU - Hanaoka, Miyuki

AU - Kono, Kenji

PY - 2008/2

Y1 - 2008/2

KW - Internet security

KW - Network attack detection

KW - Network intrusion detection

KW - Reducing false positives

UR - http://www.scopus.com/inward/record.url?scp=68149180512&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=68149180512&partnerID=8YFLogxK

U2 - 10.1093/ietisy/e91-d.2.264

DO - 10.1093/ietisy/e91-d.2.264

M3 - Article

AN - SCOPUS:68149180512

VL - E91-D

SP - 264

EP - 276

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

SN - 0916-8532

IS - 2

ER -