Abstract
In this work, we propose a methodology for reducing false alarms in file system intrusion detection systems by taking into account the daemon's file system footprint. More specifically, we show experimentally that sequences of outliers can serve as a distinguishing characteristic between true and false positives, and that analysing sequences of outliers lowers false positive rates while maintaining high detection rates. Based on this analysis, we developed an anomaly detection filter that learns outlier sequences using k-nearest neighbours with normalised longest common subsequence. The learned outlier sequences are then used as a filter to reduce false positives of the FI²DS file system intrusion detection system. The filter is evaluated on both overlapping and non-overlapping sequences of outliers. In both cases, experiments on three real-world web servers and a honeynet show that our approach achieves significant false positive reduction (up to 50 times) without any degradation of the corresponding true positive detection rates.
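The abstract names the building blocks of the filter (a k-nearest-neighbour classifier over sequences of outliers, compared with a normalised longest common subsequence, applied to overlapping or non-overlapping windows) but the page gives no code. The following is an added, self-contained illustration written for this page; it is not the authors' implementation and not part of FI²DS. The outlier symbol alphabet (R, W, C, X, D), the normalisation 1 - LCS/max(len), the window sizes and every training sequence are constructed assumptions chosen to show the mechanics. It goes slightly beyond the abstract by showing both window modes side by side and by resolving k-NN ties in favour of keeping the alert, so the filter never suppresses more than the base detector's own judgement warrants.

```python
"""Added example: k-NN over outlier sequences with a normalised LCS distance,
used as a post-filter that drops alerts resembling known false positives.
Not the paper's code; alphabet, normalisation and sample data are assumptions."""

from collections import Counter
from typing import Dict, List, Sequence, Tuple

Symbol = str                       # one outlier event type emitted by the base detector
OutlierSeq = Tuple[Symbol, ...]    # a window of consecutive outlier events


def lcs_length(a: Sequence[Symbol], b: Sequence[Symbol]) -> int:
    """Longest common subsequence length (classic DP, one row kept in memory)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, start=1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def normalised_lcs_distance(a: Sequence[Symbol], b: Sequence[Symbol]) -> float:
    """Distance in [0, 1]: 0 for identical sequences, 1 when nothing is shared.
    Dividing by the longer sequence is an assumption (the page does not give
    the paper's exact normalisation); it penalises length mismatches."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 0.0
    return 1.0 - lcs_length(a, b) / longest


def windows(stream: Sequence[Symbol], size: int, overlapping: bool) -> List[OutlierSeq]:
    """Cut a stream of outlier events into sequences of `size` events.
    Overlapping windows slide by one event, non-overlapping ones by `size`."""
    step = 1 if overlapping else size
    return [tuple(stream[i:i + size]) for i in range(0, len(stream) - size + 1, step)]


class OutlierSequenceFilter:
    """k-NN classifier over labelled outlier sequences, used to suppress alerts."""

    TRUE_POSITIVE = "true_positive"
    FALSE_POSITIVE = "false_positive"

    def __init__(self, k: int = 3) -> None:
        self.k = k
        self._memory: List[Tuple[OutlierSeq, str]] = []

    def fit(self, sequences: Sequence[OutlierSeq], labels: Sequence[str]) -> "OutlierSequenceFilter":
        self._memory = list(zip(sequences, labels))
        return self

    def classify(self, seq: OutlierSeq) -> str:
        """Majority vote among the k nearest stored sequences. A tie keeps the
        alert (true_positive): the filter should only remove clear repeats of
        known benign outlier patterns, never weaken the base detector."""
        ranked = sorted(self._memory, key=lambda item: normalised_lcs_distance(seq, item[0]))
        votes = Counter(label for _, label in ranked[: self.k])
        if votes[self.FALSE_POSITIVE] > votes[self.TRUE_POSITIVE]:
            return self.FALSE_POSITIVE
        return self.TRUE_POSITIVE

    def filter_alerts(self, alerts: Dict[str, OutlierSeq]) -> Dict[str, OutlierSeq]:
        """Return only the alerts whose outlier sequence is not a known false positive."""
        return {aid: seq for aid, seq in alerts.items() if self.classify(seq) == self.TRUE_POSITIVE}


# Constructed labelled memory. Alphabet (assumed): R = read outlier, W = write outlier,
# C = create, X = exec, D = delete. Labels are hypothetical analyst verdicts.
TRAINING = [
    (("R", "W", "R", "W"), "false_positive"),        # e.g. routine log rotation the baseline flagged
    (("W", "R", "W", "R", "W"), "false_positive"),
    (("R", "R", "W"), "false_positive"),
    (("C", "X", "W", "D"), "true_positive"),         # confirmed incidents in the labelled set
    (("C", "X", "X", "D"), "true_positive"),
    (("X", "C", "D"), "true_positive"),
]


def build_filter(k: int = 3) -> OutlierSequenceFilter:
    seqs, labels = zip(*TRAINING)
    return OutlierSequenceFilter(k).fit(seqs, labels)


if __name__ == "__main__":
    flt = build_filter()
    stream = ["R", "W", "R", "W", "R", "W"]                      # constructed outlier stream
    print("overlapping:", windows(stream, 4, overlapping=True))   # 3 windows
    print("non-overlapping:", windows(stream, 4, overlapping=False))  # 1 window
    alerts = {"a1": ("R", "W", "W", "R"), "a2": ("C", "X", "W", "W", "D")}
    print("kept alerts:", flt.filter_alerts(alerts))              # only a2 survives
```

The distance is computed against every stored sequence, so the memory should hold a curated set of analyst-labelled windows rather than the whole outlier history; that keeps classification cheap and keeps the filter's decisions explainable (the k neighbours that voted can be shown alongside a suppressed alert).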
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
About this article
Cite this article
Mamalakis, G., Diou, C., Symeonidis, A.L. et al. Of daemons and men: reducing false positive rate in intrusion detection systems with file system footprint analysis. Neural Comput & Applic 31, 7755–7767 (2019). https://doi.org/10.1007/s00521-018-3550-x