By Topic

Using Attack Information to Reduce False Positives in Network IDS

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

2 Author(s)
Shimamura, M. ; Keio University, Japan ; Kono, K.

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must throughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks not harmful to the user’s environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators to the detection of a malicious message, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it confirms that an attempt has been made. In TrueAlarm, NIDS cooperates with a server-side monitor that observes the protected server’s behavior. TrueAlarm alerts administrators only when a server-side monitor detects deviant server behavior that must have been caused by a message detected by NIDS. Our experimental results show that TrueAlarm reduces the rate of false positives. Using real network traffic collected over 15 days, TrueAlarm produced no false positives, while a conventional NIDS produced 125.

Published in:

Computers and Communications, 2006. ISCC '06. Proceedings. 11th IEEE Symposium on

Date of Conference:

26-29 June 2006