DOI: 10.1145/3372938.3372990
research-article

A survey and taxonomy of techniques used for alerts of Intrusion Detection Systems

Published: 07 January 2020

ABSTRACT

Over the years, intrusion detection systems (IDSs) have evolved to handle many types of threats. Nowadays, network security administrators expect IDSs to monitor networks and hosts and to identify suspicious activities. IDSs must be configured to recognize abnormal behavior, but they may still generate thousands of alerts daily, and distinguishing the important alerts from the irrelevant ones (i.e., false positives) is complicated for security administrators. This weakness has led to the emergence of many methods for dealing with these alerts. Research in this field aims to propose techniques that handle the alerts, reduce their number, and distinguish real attacks from false positives and low-importance events. This paper is a survey reviewing current research related to the false positive problem.


Published in

BDIoT '19: Proceedings of the 4th International Conference on Big Data and Internet of Things
October 2019
476 pages
ISBN: 9781450372404
DOI: 10.1145/3372938

Copyright © 2019 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

research-article; Research; Refereed limited

Acceptance Rates

BDIoT '19 paper acceptance rate: 75 of 136 submissions (55%). Overall acceptance rate: 75 of 136 submissions (55%).
