• DocumentCode
    3456105
  • Title
    An intelligent detection and response strategy to false positives and network attacks
  • Author
    Hooper, Emmanuel
  • Author_Institution
    Inf. Security Group, London Univ., Surrey
  • fYear
    2006
  • fDate
    13-14 April 2006
  • Lastpage
    31
  • Abstract
    Current intrusion detection systems (IDSs) monitor attacks in network infrastructures by triggering alerts on potential security violations. However, most of these generate very high volumes of false positives, making the task of manually analyzing these alerts extremely difficult and inefficient. In this paper, we explain in detail why false positives occur, giving real examples, and propose a novel approach for their reduction through an intelligent network quarantine channels (NQCs) technique. This examines the packets by sending intelligent responses to suspect hosts for further information. Subsequently, the NQC sends feedback to the IDS to modify the alerts and enhance its capability to detect threats and benign attacks. We propose multiple feedback methods, including messages and adaptive rules in alert filters and policies to the IDS monitor, network sensors and database. We describe in detail a prototype implementation of the intelligent detection and response strategy to benign and attack packets.
  • Keywords
    knowledge based systems; security of data; telecommunication security; IDS monitor; database; false positives; intelligent detection; intelligent network quarantine channels technique; intelligent response; intrusion detection systems; multiple feedback methods; network attacks; network infrastructures; network sensors; security violations; threat detection; Adaptive filters; Cryptography; Databases; Feedback; Information security; Intelligent networks; Intelligent sensors; Intrusion detection; Monitoring; Prototypes;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance, 2006. IWIA 2006. Fourth IEEE International Workshop on
  • Conference_Location
    London
  • Print_ISBN
    0-7695-2564-4
  • Type
    conf
  • DOI
    10.1109/IWIA.2006.4
  • Filename
    1609997