Using Contextual Information for IDS Alarm Classification (Extended Abstract)

Authors:
François Gagnon;Frédéric Massicotte;Babak Esfandiari
Affiliations:
Carleton University, Canada;Communications Research Centre, Canada;Carleton University, Canada
Venue:
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2009

Citing 4
Cited 4

Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Enhancing byte-level network intrusion detection signatures with context

Proceedings of the 10th ACM conference on Computer and communications security
Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Automatic Evaluation of Intrusion Detection Systems

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference

Using Answer Set Programming to Enhance Operating System Discovery

LPNMR '09 Proceedings of the 10th International Conference on Logic Programming and Nonmonotonic Reasoning
Blueprints of a lightweight automated experimentation system: a building block towards experimental cyber security

Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
A hybrid approach to operating system discovery based on diagnosis

International Journal of Network Management
Adaptive non-critical alarm reduction using hash-based contextual signatures in intrusion detection

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Signature-based intrusion detection systems are known to generate many noncritical alarms (alarms not related to a successful attack). Adding contextual information to IDSes is a promising avenue to identify noncritical alarms. Several approaches using contextual information have been suggested. However, it is not clear what are the benefits of using a specific approach. This paper establishes the effectiveness of using target configuration (i.e. operating system and applications) as contextual information for identifying noncritical alarms. Moreover, it demonstrates that current tools for OS discovery are not adequate for IDS context gathering.