
Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3224)

Abstract

Intrusion Detection Systems (IDSs) are used to monitor computer systems for signs of security violations. Having detected such signs, IDSs trigger alerts to report them. These alerts are presented to a human analyst, who evaluates them and initiates an adequate response.

In practice, IDSs have been observed to trigger thousands of alerts per day, most of which are false positives (i.e. alerts mistakenly triggered by benign events). This makes it extremely difficult for the analyst to correctly identify the true positives (i.e. alerts related to attacks).

In this paper we describe ALAC, the Adaptive Learner for Alert Classification, which is a novel system for reducing false positives in intrusion detection. The system supports the human analyst by classifying alerts into true positives and false positives. The knowledge of how to classify alerts is learned adaptively by observing the analyst. Moreover, ALAC can be configured to autonomously process alerts that have been classified with high confidence. For example, ALAC may discard alerts that were classified with high confidence as false positives. That way, ALAC effectively reduces the analyst’s workload.

We describe a prototype implementation of ALAC and the choice of a suitable machine learning technique. Moreover, we experimentally validate ALAC and show how it facilitates the analyst’s work.
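The processing loop the abstract describes, as an added illustration that is not code from the paper or its prototype: an incremental categorical naive Bayes learner stands in for whatever learner ALAC used, and the attribute names, the 0.95 confidence threshold, the simulated analyst rule and the alert stream are all constructed assumptions. Each alert is classified; a false-positive verdict above the threshold is discarded autonomously and recorded in an audit list, and everything else is forwarded to the analyst, whose verdict is fed back as a training example.

```python
"""Adaptive alert classification with confidence-gated autonomy.

Added illustration, not code from the paper: a small incremental
categorical naive Bayes learner stands in for the learner ALAC used,
and the attribute names, the 0.95 threshold, the analyst rule and the
alert stream are all constructed for the demo.
"""
from collections import defaultdict

CLASSES = ("TP", "FP")          # true positive / false positive


class IncrementalNaiveBayes:
    """Categorical naive Bayes that can absorb one labelled alert at a time."""

    def __init__(self, attributes, alpha=1.0):
        self.attributes = tuple(attributes)
        self.alpha = alpha  # Laplace smoothing keeps unseen values from zeroing a class
        self.class_counts = {c: 0 for c in CLASSES}
        self.counts = {c: {a: defaultdict(int) for a in self.attributes} for c in CLASSES}
        self.seen = {a: set() for a in self.attributes}  # distinct values per attribute

    def learn(self, alert, label):
        self.class_counts[label] += 1
        for a in self.attributes:
            self.counts[label][a][alert[a]] += 1
            self.seen[a].add(alert[a])

    def classify(self, alert):
        """Return (label, confidence); confidence is the normalised posterior."""
        total = sum(self.class_counts.values())
        scores = {}
        for c in CLASSES:
            p = (self.class_counts[c] + self.alpha) / (total + self.alpha * len(CLASSES))
            for a in self.attributes:
                v = alert[a]
                n_values = len(self.seen[a] | {v})
                p *= (self.counts[c][a][v] + self.alpha) / (self.class_counts[c] + self.alpha * n_values)
            scores[c] = p
        label = max(CLASSES, key=scores.get)
        return label, scores[label] / sum(scores.values())


class AdaptiveAlertClassifier:
    """ALAC-style front end: learn from the analyst, discard confident false positives."""

    def __init__(self, learner, threshold=0.95, autonomous=True):
        self.learner = learner
        self.threshold = threshold
        self.autonomous = autonomous
        self.discarded = []   # audit trail: (alert, confidence) handled without the analyst
        self.forwarded = []   # alerts the analyst actually reviewed

    def process(self, alert, analyst):
        label, confidence = self.learner.classify(alert)
        if self.autonomous and label == "FP" and confidence >= self.threshold:
            self.discarded.append((alert, confidence))
            return "discarded"
        # Everything else goes to the analyst; the verdict becomes training feedback.
        verdict = analyst(alert)
        self.forwarded.append(alert)
        self.learner.learn(alert, verdict)
        return verdict


def run_demo():
    """Replay a constructed alert stream and report what happened to each alert."""
    scanner_hit = {"signature": "WEB-MISC /etc/passwd", "src_zone": "scanner_net", "dst_port": 80}
    sqli_hit = {"signature": "SQL injection attempt", "src_zone": "internet", "dst_port": 443}
    external_hit = {"signature": "WEB-MISC /etc/passwd", "src_zone": "internet", "dst_port": 80}
    stream = [scanner_hit, sqli_hit] + [scanner_hit] * 5 + [external_hit]

    # Simulated analyst (constructed rule): the authorised scanner's traffic is benign.
    def analyst(alert):
        return "FP" if alert["src_zone"] == "scanner_net" else "TP"

    alac = AdaptiveAlertClassifier(IncrementalNaiveBayes(("signature", "src_zone", "dst_port")))
    outcomes = [alac.process(alert, analyst) for alert in stream]
    return {"outcomes": outcomes, "forwarded": len(alac.forwarded), "discarded": len(alac.discarded)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the replayed stream the first four scanner alerts still reach the analyst because the posterior for FP climbs gradually (about 0.89, then 0.94); from the fifth repeat the confidence exceeds 0.95 and the alerts are discarded without analyst involvement. The final alert carries the same signature but comes from the internet zone, so the learner's confidence drops well below the threshold and the alert is forwarded, where the analyst labels it a true positive. Keeping the discarded list as an audit trail is the check a practitioner would want before enabling autonomous mode in production: it makes the autonomously suppressed alerts reviewable.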




© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pietraszek, T. (2004). Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_6


  • DOI: https://doi.org/10.1007/978-3-540-30143-1_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23123-3

  • Online ISBN: 978-3-540-30143-1

  • eBook Packages: Springer Book Archive
