TY - GEN
T1 - Using attack information to reduce false positives in network IDS
AU - Shimamura, Makoto
AU - Kono, Kenji
PY - 2006
Y1 - 2006
N2 - Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks not harmful to the user's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators to the detection of a malicious message, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it confirms that an attempt has been made. In TrueAlarm, the NIDS cooperates with a server-side monitor that observes the protected server's behavior. TrueAlarm alerts administrators only when the server-side monitor detects deviant server behavior that must have been caused by a message detected by the NIDS. Our experimental results show that TrueAlarm reduces the rate of false positives. Using real network traffic collected over 15 days, TrueAlarm produced no false positives, while a conventional NIDS produced 125.
AB - Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks not harmful to the user's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators to the detection of a malicious message, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it confirms that an attempt has been made. In TrueAlarm, the NIDS cooperates with a server-side monitor that observes the protected server's behavior. TrueAlarm alerts administrators only when the server-side monitor detects deviant server behavior that must have been caused by a message detected by the NIDS. Our experimental results show that TrueAlarm reduces the rate of false positives. Using real network traffic collected over 15 days, TrueAlarm produced no false positives, while a conventional NIDS produced 125.
UR - http://www.scopus.com/inward/record.url?scp=34547243963&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34547243963&partnerID=8YFLogxK
U2 - 10.1109/ISCC.2006.165
DO - 10.1109/ISCC.2006.165
M3 - Conference contribution
AN - SCOPUS:34547243963
SN - 0769525881
SN - 9780769525884
T3 - Proceedings - IEEE Symposium on Computers and Communications
SP - 386
EP - 393
BT - Proceedings - 11th IEEE Symposium on Computers and Communications, ISCC 2006
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 11th IEEE Symposium on Computers and Communications, ISCC 2006
Y2 - 26 June 2006 through 29 June 2006
ER -