DocumentCode :
2507549
Title :
Using Attack Information to Reduce False Positives in Network IDS
Author :
Shimamura, Makoto ; Kono, Kenji
Author_Institution :
Keio University, Japan
fYear :
2006
fDate :
26-29 June 2006
Firstpage :
386
Lastpage :
393
Abstract :
Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must throughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks not harmful to the user’s environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators to the detection of a malicious message, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it confirms that an attempt has been made. In TrueAlarm, NIDS cooperates with a server-side monitor that observes the protected server’s behavior. TrueAlarm alerts administrators only when a server-side monitor detects deviant server behavior that must have been caused by a message detected by NIDS. Our experimental results show that TrueAlarm reduces the rate of false positives. Using real network traffic collected over 15 days, TrueAlarm produced no false positives, while a conventional NIDS produced 125.
Keywords :
Computer science; Delay; Intelligent networks; Intrusion detection; Monitoring; Network servers; Pattern matching; Protection; Telecommunication traffic;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computers and Communications, 2006. ISCC '06. Proceedings. 11th IEEE Symposium on
ISSN :
1530-1346
Print_ISBN :
0-7695-2588-1
Type :
conf
DOI :
10.1109/ISCC.2006.165
Filename :
1691059
Link To Document :
بازگشت