Intrusion Detection Systems have been observed to trigger an abundance of false positives, that is, alerts that do not report actual security problems. Assuming that in real installations most alerts are reviewed by human security analysts in a timely manner, supervised machine learning techniques can be used for automated alert classification, labelling alerts as true or false positives. This paper explores the requirements for such an alert classification system and shows that, being a difficult and challenging machine learning problem, it is particularly suited to abstaining classifiers, i.e., classifiers that can refrain from classifying an alert in some cases. We show that by applying our method for finding optimal abstaining classifiers based on ROC analysis, one can significantly reduce the false-positive and false-negative rates as well as the overall misclassification cost, making this method particularly viable for this application domain. Finally, we validate our method on one real-world proprietary dataset and one synthetic, publicly available dataset.