LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.03.016

2007-01-01

Abstract:For lackness of knowledge about the context of network hosts,most signature-based NIDSs produce too many false positives,which prevent the administrators from focusing their efforts on real dangerous alerts quickly.A mechanism in NIDS is proposed,which makes a decision before pattern matching to filter unnecessary intrusion rules for matching,by utilizing the software information of the target hosts,to mitigate false positives drastically.This method is implemented in the prototype system.The result of testing on typical intranet shows that this method surely mitigate false positives and improve quality of alerts in NIDS.

LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3785/j.issn.1008-973x.2006.10.009

2006-01-01

Abstract:A pre-decision detection engine to mitigate false positives generated by signature-based network intrusion detection system and improve the performance of processing packets was proposed.By utilizing hosts'software information on monitored network,predecision detection engine makes a decision before pattern match to filter out unnecessary rules,which minimizes average pattern-match times for each packet,and reduces false positives and improves performance as a result.Experimental results showed that pre-decision detection engine can decrease false positives and improve the performance of processing packets,without increasing the false negative rate.

Fu Xiao,Xie Li

DOI: https://doi.org/10.1109/npc.2008.26

2008-01-01

Abstract:Intrusion detection systems (IDSs) can easily create thousands of alerts per day, up to 99% of which are false positives (i.e. alerts that are triggered incorrectly by benign events). This makes it extremely difficult for managers to analyze and react to attacks. This paper presents a novel method for handling IDS alerts more efficiently. It introduces outlier detection technique into this field, and designs a special outlier detection algorithm for identifying true alerts and reducing false positives. This algorithm uses frequent attribute values mined from historical alerts as the features of false positives, and then filters false alerts by the score calculated based on these features. We also proposed a two-phrase framework, which not only can filter newcome alerts in real time, but also can learn from these alerts and automatically adjust the filtering mechanism to new situations. Moreover our method needs no domain knowledge and little human assistance, so it is more practical than current ways. We have built a prototype implementation of our method. And the experiments on DARPA 2000 and real-world data have proved that this model has high performance.

Qiaomu Jiang,Huifang Chen,Lei Xie,Kuang Wang

DOI: https://doi.org/10.1109/smartgridcomm.2017.8340659

2017-01-01

Abstract:State estimation plays a critical role in the smart grid systems. However, according to recent researches, it is evident that a well-designed false data injection attack (FDIA) can bypass the security system and mislead the state estimator. Therefore, detecting such kind of attack efficiently is critical to ensuring the reliability of the smart grid systems. In this paper, we study the real-time FDIA detection mechanism. In the proposed mechanism, we use a residual prewhitening procedure to resolve the problem in the existing real-time FDIA detection mechanism, which is the covariance matrix of the residual is not full rank. Then, we construct a two-sided vector parameter test statistic, and propose a real-time FDIA detection method based on the cumulative sum (CUSUM) of the one-shot statistic. Moreover, the asymptotic closed-form expressions of the detection performance of the proposed method, in terms of the false-alarm period and the average detection delay, are theoretically derived. Numerical results validate that the proposed real-time detection method can detecte the FDIA efficiently.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

刘双强,孙泽宇

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.11.093

2009-01-01

Abstract:The reduction on the false positive rate of intrusion detection systems(IDS) is one of the important ways to improve detection creditability.After analyzing false positive rate of anomaly IDS,presented methods to reduce the false positive rate.The method was constructing normal profile dynamically based on artificial immunity to restrain false positive rate.At the same time,the dynamical model and evolution of self,Ag were constructed then simulation experiment was done.The results show that the method can reduce the false positive rate efficiently.

Fu Xiao,Shi Jin,Xie Li

DOI: https://doi.org/10.4304/jnw.5.1.88-97

2010-01-01

Abstract:Current system managers often have to process huge amounts of alerts per day, which may be produced by all kinds of security products, network management tools or system logs. This has made it extremely difficult for managers to analyze and react to threats and attacks. So an effective technique which can automatically filter and analyze alerts has become urgent need. This paper presents a novel method for handling IDS alerts more efficiently. It introduces a new data mining technique, outlier detection, into this field, and designs a special outlier detection algorithm for identifying true alerts and reducing false positives (i.e. alerts that are triggered incorrectly by benign events). This algorithm uses frequent attribute values mined from historical alerts as the features of false positives, and then filters false alerts by the score calculated based on these features. We also proposed a three-phrase framework, which not only can filter newcome alerts in real time, but also can learn from these alerts and automatically adjust the filtering mechanism to new situations. Moreover our method can help managers analyze the root causes of false positives. And our method needs no domain knowledge and little human assistance, so it is more practical than current ways. We have built a prototype implementation of our method. Through the experiments on DARPA 2000, we have proved that our model can effectively reduce false positives. And on real-world dataset, our model has even higher reduction rate. By comparing with other alert reduction methods, we believe that our model has better performance.

Weitong CHEN,Yuntao QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.16.050

2006-01-01

Abstract:This paper presents a network intrusion detection method based on Rough Set theory,and use a hybrid method with genetic algorithm to find a possibly short reduct which can reduce computing time.The result of the experiment shows that this model has high detection rate and low false reject rate in detecting DoS and probe attacks,and performs well in detecting R2L and U2R attacks either.

Jingmin Zhou

2008-01-01

Abstract:Despite years of research and development efforts, intrusion detection is still facing significant challenges. A particular intriguing problem is that existing network intrusion detection systems report an excessive number of alerts, of which few are "interesting" from the point of view of security officers. Moreover, these alerts do not provide adequate details about the intrusions that can assist security officers to efficiently assess the security risks. In this dissertation, we propose methods to reduce the number of alerts and improve their quality. In our approach, we first identify and extract additional information from the intrusion alerts such as the result of an attack. Using this information, we are able to quickly filter out a majority of alerts that are generally not helpful in intrusion analysis. We also create a systematic approach to consistently and unambiguously model the extracted information, in particular the relations between different alerts. We demonstrate the scalability of this model by applying it to almost one thousand different network intrusion detection signatures. Using the model, we successfully construct high-level description of multi-stage intrusion strategies from low-level alerts, as well as compute the possible variations of multi-stage intrusions from a single intrusion instance. This not only reduces the number of total alerts, but also improves the alert quality. We conducted experiments with several real-world intrusion detection datasets, and the results showed the effectiveness of our approach.

Lu,Zhengguo Xu,Wenhai Wang,Youxian Sun

DOI: https://doi.org/10.1016/j.ress.2012.12.015

IF: 7.247

2013-01-01

Reliability Engineering & System Safety

Abstract:Over the past few years, fault detection for computer networks has attracted extensive attentions for its importance in network management. Most existing fault detection methods are based on active probing techniques which can detect the occurrence of faults fast and precisely. But these methods suffer from the limitation of traffic overhead, especially in large scale networks. To relieve traffic overhead induced by active probing based methods, a new fault detection method, whose key is to divide the detection process into multiple stages, is proposed in this paper. During each stage, only a small region of the network is detected by using a small set of probes. Meanwhile, it also ensures that the entire network can be covered after multiple detection stages. This method can guarantee that the traffic used by probes during each detection stage is small sufficiently so that the network can operate without severe disturbance from probes. Several simulation results verify the effectiveness of the proposed method.

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

GUO Shan-qing,YANG Xue-lin,ZENG Ying-pei,XIE Li,GAO Cong

2005-01-01

Abstract:security devices(e.g.firewalls,IDS's,anti-virus tools etc) that have been widely adopted in enterprise environments may generate huge amounts of independent,raw attack alerts,which are characterized by high false positive ratio and false negative ratio.As a result,it is difficult for users to understand these alerts and respond correspondingly.Therefore,handling the huge number of alerts produced by security devices is becoming a critical and challenging task in network security research.A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario.A general survey of the contemporary alerts correlation algorithms was given in this paper by a straight forward classification paradigm,and some problems for future research were addressed.

Abdeljalil Agnaou,Anas Abou El Kalam,Abdellah Ait Ouahman,Mina De Montfort

DOI: https://doi.org/10.48550/arXiv.1611.03252

2016-11-10

Abstract:Current tools and systems of detecting vulnerabilities simply alert the administrator of attempted attacks against his network or system. However, generally, the huge number of alerts to analyze and the amount time required to update security rules after analyzing alerts provides time and opportunity for the attacker to inflict damages. Moreover, most of these tools generate positive and negative falses, which may be important to the attacked network. Otherwise, many solutions exist such as IPS, but it shows a great defect due, fundamentally, to false positives. Indeed, attackers often make IPS block a legitimate traffic when they detect its presence in the attacked network. In this paper we describe an automated algorithm that gives the ability to detect attacks before they occurrence, then reduce positive and negative falses rates. Moreover, we use a set of data related to malicious traffic captured using a network of honeypots to recognize potential threats sources.

Cryptography and Security

孙云,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.09.059

2008-01-01

Abstract:Intrusion Detection System(IDS) has been harassed by false positive and false negative problem.Common IDS using single detection mode is hard to solve this problem effectively.This paper analyzes the characteristics of network flow and presents a new method,called hybrid IDS,combining misuse detection mode and anomaly detection mode,the method can overcome the shortcomings of IDS using single mode.Experiments show that the new method can improve IDS detection rate and decrease false alerts effectively.

Liang Li,Yuanhui He,Feiyang Huang,Ziming Zhao,Zhuoxue Song,Tong Zhou,Zhenyuan Li,Fan Zhang

DOI: https://doi.org/10.1109/cscwd61410.2024.10580010

2024-01-01

Abstract:Intrusion Detection Systems (IDSs) are vital in detecting network attacks and ensuring the confidentiality and integrity of network resources. Currently, industry-standard IDSs primarily rely on rule-based or anomaly-detection techniques. However, existing detection techniques often generate false positives and negatives, also known as the alert fatigue problem. This influx of incorrect events diminishes the IDS’s efficiency by overburdening security analysts. In this paper, we present ACVS, an innovative automated alert cross-verification system that leverages Graph Neural Networks for identifying misclassifications in security events. Initially, ACVS generates event graphs using attributes like IP addresses and timestamps from sequences of security events and then employs correlation analysis on these events, utilizing alert information to verify misclassifications. Finally, the system uses Graph Neural Networks to classify and correct these security events automatically. We conduct evaluations for ACVS on a substantial real-world dataset comprising over 5 million security events, which are categorized into 5 distinct groups. The results reveal that ACVS markedly enhances the accuracy of intrusion detection systems and substantially reduces the need for manual analysis.

Wei Wei

2007-01-01

Abstract:Network Intrusion Detection System (NIDS) is an important and practical tool for network security. To guarantee a precise detection the NIDS must detect packets at a wire speed. However, with the recent trend of high-speed networks, the capability of a single NIDS can not meet the speed’s demand, resulting in rising of false negatives. To promote the NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alterative, first suggested by Christopher Kruegel et al . In such a design, the incoming network traffic is disseminated to a pool of sensors, which process a fraction of the whole traffic, reducing the possibility of packet loss caused by overload.

Gang Yang,Chaojing Tang,Xingtong Liu

DOI: https://doi.org/10.3390/sym14102138

2022-10-14

Symmetry

Abstract:The exponential expansion of Internet interconnectivity has led to a dramatic increase in cyber-attack alerts, which contain a considerable proportion of false positives. The overwhelming number of false positives cause tremendous resource consumption and delay responses to the really severe incidents, namely, alert fatigue. To cope with the challenge from alert fatigue, we focus on enhancing the capability of detectors to reduce the generation of false alerts from the detection perspective. The core idea of our work is to train a machine-learning-based detector to grasp the empirical intelligence of security analysts to estimate the feasibility of an incoming HTTP request to cause substantial threats, and integrate the estimation into the detection stage to reduce false alarms. To this end, we innovatively introduce the concept of attack feasibility to characterize the composition rationality of an inbound HTTP request as a feasible attack under static scrutinization. First, we adopt a fast request-reorganization algorithm to transform an HTTP request into the form of interface:payload pair for further alignment of structural components which can reveal the processing logic of the target program. Then, we build a dual-channel attention-based circulant convolution neural network (DualAC2NN) to integrate the attack feasibility estimation into the alert decision, by comprehensively considering the interface sensitivity, payload maliciousness, and their bipartite compatibility. Experiments on a real-world dataset show that the proposed method significantly reduces invalid alerts by around 86.37% and over 61.64% compared to a rule-based commercial WAF and several state-of-the-art methods, along with retaining a detection rate at 97.89% and a lower time overhead, which indicates that our approach can effectively mitigate alert fatigue from the detection perspective.

Zahra Zohrevand,Uwe Glässer

DOI: https://doi.org/10.48550/arXiv.1904.06646

IF: 5.414

2019-04-14

Machine Learning

Abstract:Nowadays, advanced intrusion detection systems (IDSs) rely on a combination of anomaly detection and signature-based methods. An IDS gathers observations, analyzes behavioral patterns, and reports suspicious events for further investigation. A notorious issue anomaly detection systems (ADSs) and IDSs face is the possibility of high false alarms, which even state-of-the-art systems have not overcome. This is especially a problem with large and complex systems. The number of non-critical alarms can easily overwhelm administrators and increase the likelihood of ignoring future alerts. Mitigation strategies thus aim to avoid raising `too many' false alarms without missing potentially dangerous situations. There are two major categories of false alarm-mitigation strategies: (1) methods that are customized to enhance the quality of anomaly scoring; (2) approaches acting as filtering methods in contexts that aim to decrease false alarm rates. These methods have been widely utilized by many scholars. Herein, we review and compare the existing techniques for false alarm mitigation in ADSs. We also examine the use of promising techniques in signature-based IDS and other relevant contexts, such as commercial security information and event management tools, which are promising for ADSs. We conclude by highlighting promising directions for future research.

Sajad Homayoun,Magnea Haraldsdóttir,Emil Lynge,Christian D. Jensen

DOI: https://doi.org/10.3390/s24206547

IF: 3.9

2024-10-12

Sensors

Abstract:Noise (un-important) alerts are generally considered a major challenge in intrusion detection systems/sensors because they require more analysts to review and may cause disruption to systems that are shut down to avoid the consequences of a compromise. However, in real-world situations, many alerts could be raised for automatic tasks being completed by some software or regular tasks by users doing their daily job. This paper proposes an approach to reduce the number of noise alerts, assuming that frequent long-term security alerts can be considered noise if their frequency is meeting some criteria, such as the minimum occurrence ratio. We prove that to effectively reduce the level of noise alerts in Network Detection and Response (NDR) systems, we are able to use simpler algorithms; sometimes, the answer is in simpler solutions, and not always in complex solutions. We study data from a real customer of a Danish NDR solution and propose an Apriori-based approach to find frequent noisy alerts. Our comparison of the detected noise before and after applying our solution shows high performance in reducing noise alerts for most of the alert types for a real customer. Our experiments show that our method can filter more than 40% of the alerts by setting the minimum occurrences to 70%. Moreover, our results show that we were able to filter out more than 90% for some alert categories.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

LOU Shen-qiang,YE Hao,YANG Hong-ying

DOI: https://doi.org/10.3969/j.issn.1671-7848.2007.05.029

2007-01-01

Abstract:In leak detection of oil pipelines,false alarms caused by normal operations at the station may badly reduce the user confidence in leak detection systems.An efficient algorithm is proposed based on statistical modeling and wavelet transform to reduce this kind of false alarm.Based on the great difference in model residual between leak and operation,the algorithm distinguishes operation from leak by using the result of wavelet transform.Offline test results based on a set of data of three months show that,compared with the old leak detection system running at a real pipeline,the new method can reduce the total number of false alarm from 16 to 5.