IDS false alarm reduction using continuous and discontinuous patterns

Authors:
Abdulrahman Alharby;Hideki Imai
Affiliations:
Institute of industrial Science, The university of Tokyo, Tokyo, Japan;Institute of industrial Science, The university of Tokyo, Tokyo, Japan
Venue:
ACNS'05 Proceedings of the Third international conference on Applied Cryptography and Network Security
Year:
2005

Citing 13
Cited 6

Packets found on an internet

ACM SIGCOMM Computer Communication Review
State Transition Analysis: A Rule-Based Intrusion Detection Approach

IEEE Transactions on Software Engineering
Mining frequent patterns without candidate generation

SIGMOD '00 Proceedings of the 2000 ACM SIGMOD international conference on Management of data
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
A data mining analysis of RTID alarms

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
A framework for constructing features and models for intrusion detection systems

ACM Transactions on Information and System Security (TISSEC)
Mining hybrid sequential patterns and sequential rules

Information Systems
Efficient Data Mining for Path Traversal Patterns

IEEE Transactions on Knowledge and Data Engineering
Mining Sequential Patterns

ICDE '95 Proceedings of the Eleventh International Conference on Data Engineering
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Mining Alarm Clusters to Improve Alarm Handling Efficiency

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
A sense of self for Unix processes

SP'96 Proceedings of the 1996 IEEE conference on Security and privacy

The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset

TrustBus '08 Proceedings of the 5th international conference on Trust, Privacy and Security in Digital Business
A decision support system for constructing an alert classification model

Expert Systems with Applications: An International Journal
Semi-supervised learning for false alarm reduction

ICDM'10 Proceedings of the 10th industrial conference on Advances in data mining: applications and theoretical aspects
A comprehensive vulnerability based alert management approach for large networks

Future Generation Computer Systems
Intrusion detection using disagreement-based semi-supervised learning: detection enhancement and false alarm reduction

CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security
Intelligent alarm filter using knowledge-based alert verification in network intrusion detection

ISMIS'12 Proceedings of the 20th international conference on Foundations of Intelligent Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Intrusion Detection Systems (IDSs) are widely deployed in computer networks to stand against a wide variety of attacks. IDSs deployment raises a serious problem, namely managing of a large number of triggered alerts. This problem becomes worse by the fact that some commercial IDSs may generate thousands of alerts per day. Identifying the real alarms from the huge volume of alarms is a frustrating task for security officers. Thus, reducing false alarms is a critical issue in IDSs efficiency and usability. In this paper, we mine historical alarms to learn how future alarms can be handled more efficiently. First, an approach is proposed for characterizing the “normal” stream of alarms. In addition, an algorithm for detecting anomalies by using continuous and discontinuous sequential patterns is developed, and used in preliminary experiments with real-world data to show that the presented model can handle IDSs alarms efficiently.