• DocumentCode
    3216331
  • Title

    An Experience Improving Intrusion Detection Systems False Alarm Ratio by Using Honeypot

  • Author

    Khosravifar, Babak ; Bentahar, Jamal

  • Author_Institution
    Concordia Univ., Montreal
  • fYear
    2008
  • fDate
    25-28 March 2008
  • Firstpage
    997
  • Lastpage
    1004
  • Abstract
    When traditional firewall and intrusion detection systems (IDS) are used to detect possible attacks from the network, they often make wrong decisions and block legitimate connections. In this paper we propose a new architecture which is composed of distributed agents and a honeypot. The main focus of our approach lies in reducing the false alarm rate of the attack detection. Using the honeypot scheme, this system is able to avoid many wrong decisions made by the IDS. In this system, alarming adversaries, initially detected by the IDS, will be rerouted to a honeypot network for a closer investigation. If, as a result of this investigation, it is found that the alarm decision made by the IDS of the agent is wrong, the connection will be guided to the original destination in order to continue the previous interaction. This action is hidden from the user. Such a scheme significantly decreases the alarm rate and provides a higher performance of IDS. In this paper the architecture of the proposed system is described, a theoretical analysis of its behavior is given, and its possible extension and implementation are explained.
  • Keywords
    distributed processing; security of data; attack detection; distributed agent; false alarm rate; false alarm ratio; firewall; honeypot network; intrusion detection system; Application software; Computer architecture; Data analysis; Databases; Information analysis; Intrusion detection; Network servers; Pattern analysis; Time series analysis; Yarn;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Advanced Information Networking and Applications, 2008. AINA 2008. 22nd International Conference on
  • Conference_Location
    Okinawa
  • ISSN
    1550-445X
  • Print_ISBN
    978-0-7695-3095-6
  • Type

    conf

  • DOI
    10.1109/AINA.2008.44
  • Filename
    4482815