Using attack information to reduce false positives in network IDS

Makoto Shimamura, Kenji Kono

Research output: Conference contribution

8 citations (Scopus)

Abstract

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks not harmful to the user's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators to the detection of a malicious message, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it confirms that an attempt has been made. In TrueAlarm, the NIDS cooperates with a server-side monitor that observes the protected server's behavior. TrueAlarm alerts administrators only when the server-side monitor detects deviant server behavior that must have been caused by a message detected by the NIDS. Our experimental results show that TrueAlarm reduces the rate of false positives. Using real network traffic collected over 15 days, TrueAlarm produced no false positives, while a conventional NIDS produced 125.
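The confirmation scheme the abstract describes, as an added illustration (this is not the paper's code, and the abstract does not say how TrueAlarm decides that a deviant behavior "must have been caused" by a detected message): NIDS signature hits are queued rather than raised, and a hit becomes an alert only when the server-side monitor reports deviant behavior on the same protected server shortly afterwards. The time window, the destination-host matching rule, the class and function names, and the sample event streams are all assumptions made for the example.

```python
"""Delayed-alert correlator modelled on the TrueAlarm idea (added example).

NIDS signature hits are queued instead of raised; a hit becomes an alert
only when the server-side monitor reports deviant behaviour on the same
protected server within a short window.  Hits that expire unconfirmed are
counted as suppressed false positives.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NidsAlert:
    ts: float   # seconds; constructed values below, not real traffic
    src: str    # sender of the suspicious message
    dst: str    # protected server it was sent to
    sig: str    # signature that fired


@dataclass(frozen=True)
class MonitorEvent:
    ts: float
    server: str  # protected server whose behaviour deviated
    detail: str  # what the server-side monitor observed


class TrueAlarmCorrelator:
    """Holds NIDS hits until the server-side monitor confirms an effect."""

    def __init__(self, window: float = 5.0) -> None:
        # Assumed attribution rule (not from the paper): a message must show
        # an effect on its destination within `window` seconds of arrival.
        self.window = window
        self.pending: deque = deque()   # hits awaiting confirmation, in arrival order
        self.confirmed: list = []       # (NidsAlert, MonitorEvent) pairs actually raised
        self.suppressed: list = []      # hits that expired without confirmation
        self.unattributed: list = []    # deviant behaviour with no pending hit

    def on_nids_alert(self, alert: NidsAlert) -> None:
        self._expire(alert.ts)
        self.pending.append(alert)

    def on_monitor_event(self, event: MonitorEvent) -> Optional[tuple]:
        self._expire(event.ts)
        candidates = [a for a in self.pending
                      if a.dst == event.server and a.ts <= event.ts]
        if not candidates:
            # Deviant behaviour with no preceding detected message: nothing to
            # attribute it to, so no TrueAlarm alert (kept for separate review).
            self.unattributed.append(event)
            return None
        # Blame the most recent pending message aimed at this server.
        alert = max(candidates, key=lambda a: a.ts)
        self.pending.remove(alert)
        self.confirmed.append((alert, event))
        return alert, event

    def close(self) -> None:
        """Input ended: anything still pending was never confirmed."""
        while self.pending:
            self.suppressed.append(self.pending.popleft())

    def _expire(self, now: float) -> None:
        # Queue is in arrival order, so expired hits are always at the left.
        while self.pending and now - self.pending[0].ts > self.window:
            self.suppressed.append(self.pending.popleft())


# Constructed sample streams (hypothetical hosts and signature names).
NIDS_ALERTS = [
    NidsAlert(100.0, "203.0.113.7", "10.0.0.5", "WEB-IIS unicode traversal"),  # IIS sig, non-IIS host
    NidsAlert(140.0, "198.51.100.9", "10.0.0.5", "WEB-CGI formmail access"),
    NidsAlert(200.0, "203.0.113.7", "10.0.0.8", "FTP overflow attempt"),
]
MONITOR_EVENTS = [
    MonitorEvent(201.5, "10.0.0.8", "ftpd spawned /bin/sh"),          # effect of the t=200 message
    MonitorEvent(300.0, "10.0.0.5", "httpd restarted by logrotate"),  # benign, nothing pending
]


def run_demo(window: float = 5.0) -> dict:
    """Replay both streams in time order and compare with a conventional NIDS."""
    corr = TrueAlarmCorrelator(window)
    stream = sorted([(a.ts, 0, a) for a in NIDS_ALERTS]
                    + [(e.ts, 1, e) for e in MONITOR_EVENTS],
                    key=lambda item: (item[0], item[1]))
    for _, kind, item in stream:
        if kind == 0:
            corr.on_nids_alert(item)
        else:
            corr.on_monitor_event(item)
    corr.close()
    return {
        "conventional_alerts": len(NIDS_ALERTS),   # every signature hit is an alert
        "truealarm_alerts": len(corr.confirmed),   # only hits confirmed by the monitor
        "suppressed": len(corr.suppressed),
        "unattributed": len(corr.unattributed),
    }


if __name__ == "__main__":
    print(run_demo())
```

In the replay, the two web signature hits against 10.0.0.5 expire without any host-side effect and are suppressed, the FTP hit against 10.0.0.8 is confirmed by the shell spawn 1.5 s later, and the later httpd restart has no pending hit to attach to, so it produces no alert. The window length is the tuning knob a practitioner would have to justify: too short and a slow-acting payload is lost, too long and an unrelated host event can be misattributed to a harmless message.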

Original language: English
Title of host publication: Proceedings - 11th IEEE Symposium on Computers and Communications, ISCC 2006
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 386-393
Number of pages: 8
ISBN (Print): 0769525881, 9780769525884
DOI:
Publication status: Published - 2006
Event: 11th IEEE Symposium on Computers and Communications, ISCC 2006 - Cagliari, Sardinia, Italy
Duration: 2006 Jun 26 - 2006 Jun 29

Publication series

Name: Proceedings - IEEE Symposium on Computers and Communications
ISSN (Print): 1530-1346

Other

Other: 11th IEEE Symposium on Computers and Communications, ISCC 2006
Country/Territory: Italy
City: Cagliari, Sardinia
Period: 06/6/26 - 06/6/29

ASJC Scopus subject areas

  • Software
  • Signal Processing
  • Mathematics (all)
  • Computer Science Applications
  • Computer Networks and Communications
