False positives are a critical problem for network intrusion detection systems that use pattern matching algorithms to detect network intrusions. Such an algorithm is unable to eliminate false packets with a short lifespan. Secondly, the algorithm lacks the capability to manage the trade-off between false and true positives. Consequently, system administrators are frequently swamped with massive numbers of false alerts from intrusive packets that cannot achieve their objectives, and unfortunately such alerts are often mixed with a few true positives. However, how to substantiate these two generic groups of alerts without incurring additional overhead is a classical research issue. Therefore, we present a clustering-based adaptive P-filter model to investigate false positives. Alerts from Snort were the input to the P-filter model, and they were clustered with some sequential filtering criteria. The extensive evaluations that we performed have demonstrated the high efficacy of our approach in collaborating with the pattern matching algorithm to achieve a significant reduction of false positives during intrusion detection.
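The abstract describes clustering Snort alerts and passing the clusters through sequential filtering criteria, but does not list the criteria themselves. The following is an added illustration of that pipeline, written for this page and not the authors' P-filter code: it parses constructed Snort fast-format alert lines, clusters them on (rule, source, target, port), and applies three assumed criteria in sequence (a priority-1 bypass, a check against an assumed inventory of exposed services to drop packets that cannot achieve their objective, and a short-lifespan/low-volume filter). The SIDs, hosts, service inventory and thresholds are all invented for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed Snort "fast" alert lines: sample data, not real traffic.
# SIDs 1000001-1000004 are local-rule numbers invented for this example.
SAMPLE_ALERTS = """\
01/27-10:00:00.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.5:51000 -> 192.168.1.10:22
01/27-10:00:15.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.5:51001 -> 192.168.1.10:22
01/27-10:00:30.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.5:51002 -> 192.168.1.10:22
01/27-10:01:00.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.5:51003 -> 192.168.1.10:22
01/27-10:02:00.000000  [**] [1:1000002:1] LOCAL web server probe [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 10.0.0.7:40000 -> 192.168.1.10:80
01/27-10:02:00.500000  [**] [1:1000002:1] LOCAL web server probe [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 10.0.0.7:40001 -> 192.168.1.10:80
01/27-10:03:00.000000  [**] [1:1000003:1] LOCAL web exploit attempt [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 10.0.0.9:40002 -> 192.168.1.20:80
01/27-10:04:00.000000  [**] [1:1000004:1] LOCAL shellcode pattern [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.11:40003 -> 192.168.1.20:445
"""

# Fields of the Snort fast format: timestamp, [gid:sid:rev], message,
# optional classification, priority, protocol, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{\w+\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Alert:
    ts: datetime
    sid: int
    priority: int
    src: str
    dst: str
    dport: int


def parse_alerts(text):
    """Parse fast-format lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            # The fast format carries no year; only relative times matter here.
            ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
            alerts.append(Alert(ts, int(m["sid"]), int(m["prio"]),
                                m["src"], m["dst"], int(m["dport"])))
    return alerts


def cluster_alerts(alerts):
    """Cluster on (sid, src, dst, dport): one cluster per rule/attacker/target."""
    clusters = defaultdict(list)
    for a in alerts:
        clusters[(a.sid, a.src, a.dst, a.dport)].append(a)
    return clusters


def lifespan_seconds(group):
    times = [a.ts for a in group]
    return (max(times) - min(times)).total_seconds()


# Assumed service inventory for the sample hosts (constructed for the example).
EXPOSED_SERVICES = {"192.168.1.10": {22}, "192.168.1.20": {80, 445}}


def filter_clusters(clusters, min_count=3, min_lifespan=30.0):
    """Apply the assumed sequential criteria; returns {cluster key: verdict}."""
    verdicts = {}
    for key, group in clusters.items():
        sid, src, dst, dport = key
        # Criterion 1 (assumed): highest-severity clusters bypass the remaining
        # filters, so tightening the other thresholds never hides a priority-1 hit.
        if min(a.priority for a in group) == 1:
            verdicts[key] = "kept"
        # Criterion 2 (assumed): the target does not expose the attacked service,
        # so the packets cannot achieve their objective.
        elif dport not in EXPOSED_SERVICES.get(dst, set()):
            verdicts[key] = "service not exposed on target"
        # Criterion 3 (assumed): a short-lived, low-volume burst with no follow-up.
        elif len(group) < min_count and lifespan_seconds(group) < min_lifespan:
            verdicts[key] = "short-lived burst"
        else:
            verdicts[key] = "kept"
    return verdicts


def summarise_verdicts(text, min_count=3, min_lifespan=30.0):
    """Verdict per SID (each sample SID forms exactly one cluster)."""
    verdicts = filter_clusters(cluster_alerts(parse_alerts(text)),
                               min_count, min_lifespan)
    return {key[0]: v for key, v in verdicts.items()}


if __name__ == "__main__":
    for sid, verdict in sorted(summarise_verdicts(SAMPLE_ALERTS).items()):
        print(sid, verdict)
```

The `min_count` and `min_lifespan` thresholds are where the trade-off the abstract mentions lives: raising them suppresses more short-lived bursts, but a single-packet exploit attempt (SID 1000003 above) is then suppressed too unless some other criterion, such as the priority bypass, rescues it. Tuning these values against a labelled alert set is what makes such a filter adaptive rather than a fixed drop list.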
Date of Conference: 27-29 Jan. 2010