An Intellilgent Infrastructure Strategy to Improving the Performance and Detection Capability of Intrusion Detection Systems

Network and host Intrusion Detection Systems (IDS) are used to identify suspicious network traffic. However, a high percentage of alerts generated by such systems are liable to be false positives. False positives create considerable administrative overheads, since these alerts typically require manual intervention from a network administrator In order to reduce the number of false positives, we propose a novel infrastructure approach involving what we call network quarantine channels. The network quarantine channels and associated techniques are used to perform further interaction with hosts that have been identified as the source of suspicious traffic. The network quarantine channels are used to provide a more accurate assessment of the potential attacks sent by suspicious hosts, before sending the final status of the alerts to the IDS monitor for the network administrator´s response.