Classification of intrusion detection alerts using abstaining classifiers

Authors:
Tadeusz Pietraszek
Affiliations:
IBM Zurich Research Laboratory, Säumerstrasse 4, 8803 Rüschlikon, Switzerland. E-mail: tadek@pietraszek.org
Venue:
Intelligent Data Analysis
Year:
2007

Citing 26
Cited 2

An Intrusion-Detection Model

IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Robust classification systems for imprecise environments

AAAI '98/IAAI '98 Proceedings of the fifteenth national/tenth conference on Artificial intelligence/Innovative applications of artificial intelligence
MetaCost: a general method for making classifiers cost-sensitive

KDD '99 Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining
The base-rate fallacy and its implications for the difficulty of intrusion detection

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Explicitly representing expected cost: an alternative to ROC representation

Proceedings of the sixth ACM SIGKDD international conference on Knowledge discovery and data mining
A data mining analysis of RTID alarms

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Inductive Logic Programming: Techniques and Applications

Inductive Logic Programming: Techniques and Applications
Constructing attack scenarios through correlation of intrusion alerts

Proceedings of the 9th ACM conference on Computer and communications security
Toward cost-sensitive modeling for intrusion detection and response

Journal of Computer Security
Inducing Cost-Sensitive Trees via Instance Weighting

PKDD '98 Proceedings of the Second European Symposium on Principles of Data Mining and Knowledge Discovery
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Aggregation and Correlation of Intrusion-Detection Alerts

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Incremental Learning with Partial Instance Memory

ISMIS '02 Proceedings of the 13th International Symposium on Foundations of Intelligent Systems
Measuring False-Positive by Automated Real-Time Correlated Hacking Behavior Analysis

ISC '01 Proceedings of the 4th International Conference on Information Security
Managing Alerts in a Multi-Intrusion Detection Environment

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
A data mining framework for constructing features and models for intrusion detection systems (computer security, network security)

A data mining framework for constructing features and models for intrusion detection systems (computer security, network security)
Cost-sensitive, scalable and adaptive learning using ensemble-based methods

Cost-sensitive, scalable and adaptive learning using ensemble-based methods
Enhancing byte-level network intrusion detection signatures with context

Proceedings of the 10th ACM conference on Computer and communications security
Optimizing abstaining classifiers using ROC analysis

ICML '05 Proceedings of the 22nd international conference on Machine learning
Multi-Stage Classification

ICDM '05 Proceedings of the Fifth IEEE International Conference on Data Mining
On the use of ROC analysis for the optimization of abstaining classifiers

Machine Learning
M2D2: a formal data model for IDS alert correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

On the use of ROC analysis for the optimization of abstaining classifiers

Machine Learning
The ROC isometrics approach to construct reliable classifiers

Intelligent Data Analysis

Quantified Score

Hi-index	0.00

Visualization

Abstract

Intrusion Detection Systems have been observed to trigger an abundance of false positives, that is alerts not reporting security problems. Assuming that in real installations most of the alerts are reviewed by human security analysts in a timely manner, it is possible to use supervised machine learning techniques for automated alert classification to classify alerts into true and false positives. This paper explores the requirements for such an alert classification system and shows that, being a difficult and challenging machine learning problem, it is particularly suited for the application of abstaining classifiers, i.e., classifiers that can refrain from classification in some cases. We show that by applying our method for finding optimal, abstaining classifiers based on the ROC analysis, one can significantly reduce the rates of false positives and the false negatives as well as overall misclassification cost, making this method particularly viable for this application domain. Finally, we validate our method on one real-world proprietary dataset and one synthetic, publicly available dataset.