ATLANTIDES: an architecture for alert verification in network intrusion detection systems

Authors:
Damiano Bolzoni;Bruno Crispo;Sandro Etalle
Affiliations:
University of Twente, The Netherlands;Vrije Universiteit, The Netherlands & University of Trento, Italy;University of Twente, The Netherlands
Venue:
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Year:
2007

Citing 27
Cited 6

Towards a taxonomy of intrusion-detection systems

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on computer network security
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Intrusion detection

Intrusion detection
The base-rate fallacy and the difficulty of intrusion detection

ACM Transactions on Information and System Security (TISSEC)
A data mining analysis of RTID alarms

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
A framework for constructing features and models for intrusion detection systems

ACM Transactions on Information and System Security (TISSEC)
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Detection, Estimation, and Modulation Theory: Radar-Sonar Signal Processing and Gaussian Signals in Noise

Detection, Estimation, and Modulation Theory: Radar-Sonar Signal Processing and Gaussian Signals in Noise
Defending Against the Wily Surfer-Web-based Attacks and Defenses

Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Mining Alarm Clusters to Improve Alarm Handling Efficiency

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Correlating Alerts Using Prerequisites of Intrusions

Correlating Alerts Using Prerequisites of Intrusions
An Intrusion Alert Correlator Based on Prerequisites of Intrusions

An Intrusion Alert Correlator Based on Prerequisites of Intrusions
Learning attack strategies from intrusion alerts

Proceedings of the 10th ACM conference on Computer and communications security
Enhancing byte-level network intrusion detection signatures with context

Proceedings of the 10th ACM conference on Computer and communications security
Clustering intrusion detection alarms to support root cause analysis

ACM Transactions on Information and System Security (TISSEC)
Techniques and tools for analyzing intrusion alerts

ACM Transactions on Information and System Security (TISSEC)
Worm Detection, Early Warning and Response Based on Local Victim Information

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
A multi-model approach to the detection of web-based attacks

Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
POSEIDON: a 2-tier Anomaly-based Network Intrusion Detection System

IWIA '06 Proceedings of the Fourth IEEE International Workshop on Information Assurance
Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion

IEEE Security and Privacy
Analyzing intensive intrusion alerts via correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
M2D2: a formal data model for IDS alert correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Anomalous payload-based worm detection and signature generation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Boosting Web Intrusion Detection Systems by Inferring Positive Signatures

OTM '08 Proceedings of the OTM 2008 Confederated International Conferences, CoopIS, DOA, GADA, IS, and ODBASE 2008. Part II on On the Move to Meaningful Internet Systems
Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Network specific false alarm reduction in intrusion detection system

Security and Communication Networks
Divided two-part adaptive intrusion detection system

Wireless Networks
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues

Information Sciences: an International Journal
Adaptive non-critical alarm reduction using hash-based contextual signatures in intrusion detection

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%.