Abstract
Signature-based intrusion detection systems are known to generate many noncritical alarms (alarms not related to a successful attack). Adding contextual information to IDSes is a promising avenue for identifying noncritical alarms. Several approaches using contextual information have been suggested; however, it is not clear what the benefits of any specific approach are. This paper establishes the effectiveness of using target configuration (i.e. operating system and applications) as contextual information for identifying noncritical alarms. Moreover, it demonstrates that current tools for OS discovery are not adequate for IDS context gathering.
© 2009 Springer-Verlag Berlin Heidelberg
Gagnon, F., Massicotte, F., Esfandiari, B. (2009). Using Contextual Information for IDS Alarm Classification (Extended Abstract). In: Flegel, U., Bruschi, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2009. Lecture Notes in Computer Science, vol 5587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02918-9_9
DOI: https://doi.org/10.1007/978-3-642-02918-9_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02917-2
Online ISBN: 978-3-642-02918-9