Using attack information to reduce false positives in network IDS

Makoto Shimamura, Kenji Kono

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

9 Citations (Scopus)

Abstract

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks not harmful to the user's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators to the detection of a malicious message, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it confirms that an attempt has been made. In TrueAlarm, the NIDS cooperates with a server-side monitor that observes the protected server's behavior. TrueAlarm alerts administrators only when the server-side monitor detects deviant server behavior that must have been caused by a message detected by the NIDS. Our experimental results show that TrueAlarm reduces the rate of false positives. Using real network traffic collected over 15 days, TrueAlarm produced no false positives, while a conventional NIDS produced 125.
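The abstract describes the TrueAlarm design at a high level: a signature match alone is parked, and an alert is raised only when the server-side monitor reports deviant behavior that can be attributed to the flagged message. The following is an added illustration of that delayed-alert correlation and is not the paper's TrueAlarm code. It assumes (as the abstract does not specify) that both the NIDS and the server-side monitor can tag their observations with the same connection identifier, that "caused by" is approximated by "same connection, within a fixed time window", and that the monitor reports a deviation such as an unexpected process execution. Connection IDs, signature names, timestamps and the event streams are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SignatureMatch:
    """A message the NIDS flagged (constructed sample data, not real traffic)."""
    conn_id: str      # the connection that carried the flagged message
    ts: float         # seconds since an arbitrary epoch
    signature: str


@dataclass(frozen=True)
class ServerEvent:
    """What the server-side monitor saw while servicing a connection."""
    conn_id: str
    ts: float
    kind: str         # "normal", or a deviation such as "unexpected_exec"


@dataclass
class Correlator:
    """Parks NIDS matches and raises an alert only once the server-side
    monitor reports a deviation on the same connection within `window`."""
    window: float = 5.0   # assumed confirmation window in seconds
    pending: Dict[str, List[SignatureMatch]] = field(default_factory=dict)
    confirmed: List[dict] = field(default_factory=list)
    expired: List[SignatureMatch] = field(default_factory=list)
    unattributed: List[ServerEvent] = field(default_factory=list)

    def on_match(self, m: SignatureMatch) -> None:
        # A conventional NIDS would alert here; we only park the match.
        self.pending.setdefault(m.conn_id, []).append(m)

    def on_server_event(self, e: ServerEvent) -> Optional[dict]:
        self.expire(e.ts)
        if e.kind == "normal":
            return None
        waiting = self.pending.pop(e.conn_id, [])
        # Attribute the deviation only to flagged messages that arrived on
        # this very connection no earlier than `window` seconds ago.
        causes = [m for m in waiting if 0.0 <= e.ts - m.ts <= self.window]
        if not causes:
            # Deviant behaviour with no flagged message behind it: recorded,
            # but not raised as a NIDS alert since no signature explains it.
            self.unattributed.append(e)
            return None
        alert = {"conn_id": e.conn_id, "ts": e.ts, "deviation": e.kind,
                 "signatures": [m.signature for m in causes]}
        self.confirmed.append(alert)
        return alert

    def expire(self, now: float) -> None:
        """Drop matches that waited longer than `window` without confirmation;
        these are exactly the candidates a signature-only NIDS would alert on."""
        for conn_id in list(self.pending):
            old = [m for m in self.pending[conn_id] if now - m.ts > self.window]
            keep = [m for m in self.pending[conn_id] if now - m.ts <= self.window]
            self.expired.extend(old)
            if keep:
                self.pending[conn_id] = keep
            else:
                del self.pending[conn_id]


def conventional_alert_count(matches: List[SignatureMatch]) -> int:
    """A signature-only NIDS alerts on every match, harmful or not."""
    return len(matches)


def run_true_alarm(matches: List[SignatureMatch], events: List[ServerEvent],
                   window: float = 5.0) -> Correlator:
    """Replay both streams in time order through the correlator."""
    c = Correlator(window=window)
    timeline = [(m.ts, 0, m) for m in matches] + [(e.ts, 1, e) for e in events]
    for _, kind, item in sorted(timeline, key=lambda t: (t[0], t[1])):
        if kind == 0:
            c.on_match(item)
        else:
            c.on_server_event(item)
    if timeline:
        c.expire(max(t[0] for t in timeline) + window + 1.0)  # flush stragglers
    return c


# Constructed sample streams: four flagged messages, only one of which makes
# the server misbehave, plus one deviation with no flagged message behind it.
MATCHES = [
    SignatureMatch("c1", 10.0, "HTTP cmd.exe access"),
    SignatureMatch("c2", 20.0, "HTTP long URI overflow"),
    SignatureMatch("c3", 30.0, "HTTP cmd.exe access"),
    SignatureMatch("c4", 40.0, "HTTP long URI overflow"),
]
EVENTS = [
    ServerEvent("c1", 10.2, "normal"),           # request rejected, back to accept()
    ServerEvent("c2", 20.3, "unexpected_exec"),  # worker spawned a shell
    ServerEvent("c3", 30.1, "normal"),
    ServerEvent("c4", 40.2, "normal"),           # server not vulnerable to this one
    ServerEvent("c5", 50.0, "unexpected_exec"),  # no flagged message on c5
]

if __name__ == "__main__":
    result = run_true_alarm(MATCHES, EVENTS)
    print("conventional alerts:", conventional_alert_count(MATCHES))
    print("confirmed alerts:", result.confirmed)
    print("suppressed (expired) matches:", len(result.expired))
    print("unattributed deviations:", len(result.unattributed))
```

On the sample streams the signature-only view yields four alerts, the correlated view one. The two caveats the abstract's numbers do not settle are visible in the code: a deviation arriving after the window, or on a connection the monitor cannot attribute, is dropped rather than alerted, so the window length and the quality of connection attribution in the server-side monitor decide the false-negative side of the trade.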

Original language: English
Title of host publication: Proceedings - International Symposium on Computers and Communications
Pages: 386-393
Number of pages: 8
DOIs
Publication status: Published - 2006
Event: 11th IEEE Symposium on Computers and Communications, ISCC 2006 - Cagliari, Sardinia, Italy
Duration: 2006 Jun 26 to 2006 Jun 29

Other

Other: 11th IEEE Symposium on Computers and Communications, ISCC 2006
Country: Italy
City: Cagliari, Sardinia
Period: 06/6/26 to 06/6/29

Fingerprint

Intrusion detection
Servers
Computer monitors

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Shimamura, M., & Kono, K. (2006). Using attack information to reduce false positives in network IDS. In Proceedings - International Symposium on Computers and Communications (pp. 386-393). [1691059] https://doi.org/10.1109/ISCC.2006.165

Using attack information to reduce false positives in network IDS. / Shimamura, Makoto; Kono, Kenji.

Proceedings - International Symposium on Computers and Communications. 2006. p. 386-393 1691059.


Shimamura, M & Kono, K 2006, Using attack information to reduce false positives in network IDS. in Proceedings - International Symposium on Computers and Communications., 1691059, pp. 386-393, 11th IEEE Symposium on Computers and Communications, ISCC 2006, Cagliari, Sardinia, Italy, 06/6/26. https://doi.org/10.1109/ISCC.2006.165
Shimamura M, Kono K. Using attack information to reduce false positives in network IDS. In Proceedings - International Symposium on Computers and Communications. 2006. p. 386-393. 1691059 https://doi.org/10.1109/ISCC.2006.165
Shimamura, Makoto ; Kono, Kenji. / Using attack information to reduce false positives in network IDS. Proceedings - International Symposium on Computers and Communications. 2006. pp. 386-393
@inproceedings{20fbdfb34fb641008aa1b61dac87b965,
title = "Using attack information to reduce false positives in network IDS",
abstract = "Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks not harmful to the user's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators to the detection of a malicious message, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it confirms that an attempt has been made. In TrueAlarm, the NIDS cooperates with a server-side monitor that observes the protected server's behavior. TrueAlarm alerts administrators only when the server-side monitor detects deviant server behavior that must have been caused by a message detected by the NIDS. Our experimental results show that TrueAlarm reduces the rate of false positives. Using real network traffic collected over 15 days, TrueAlarm produced no false positives, while a conventional NIDS produced 125.",
author = "Makoto Shimamura and Kenji Kono",
year = "2006",
doi = "10.1109/ISCC.2006.165",
language = "English",
isbn = "0769525881",
pages = "386--393",
booktitle = "Proceedings - International Symposium on Computers and Communications",

}

TY - GEN

T1 - Using attack information to reduce false positives in network IDS

AU - Shimamura, Makoto

AU - Kono, Kenji

PY - 2006

Y1 - 2006

N2 - Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks not harmful to the user's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators to the detection of a malicious message, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it confirms that an attempt has been made. In TrueAlarm, the NIDS cooperates with a server-side monitor that observes the protected server's behavior. TrueAlarm alerts administrators only when the server-side monitor detects deviant server behavior that must have been caused by a message detected by the NIDS. Our experimental results show that TrueAlarm reduces the rate of false positives. Using real network traffic collected over 15 days, TrueAlarm produced no false positives, while a conventional NIDS produced 125.

AB - Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks not harmful to the user's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators to the detection of a malicious message, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it confirms that an attempt has been made. In TrueAlarm, the NIDS cooperates with a server-side monitor that observes the protected server's behavior. TrueAlarm alerts administrators only when the server-side monitor detects deviant server behavior that must have been caused by a message detected by the NIDS. Our experimental results show that TrueAlarm reduces the rate of false positives. Using real network traffic collected over 15 days, TrueAlarm produced no false positives, while a conventional NIDS produced 125.

UR - http://www.scopus.com/inward/record.url?scp=34547243963&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34547243963&partnerID=8YFLogxK

U2 - 10.1109/ISCC.2006.165

DO - 10.1109/ISCC.2006.165

M3 - Conference contribution

SN - 0769525881

SN - 9780769525884

SP - 386

EP - 393

BT - Proceedings - International Symposium on Computers and Communications

ER -