IDS False Alarm Reduction Using Continuous and Discontinuous Patterns

  • Abdulrahman Alharby
  • Hideki Imai
Conference paper

DOI: 10.1007/11496137_14

Part of the Lecture Notes in Computer Science book series (LNCS, volume 3531)
Cite this paper as:
Alharby A., Imai H. (2005) IDS False Alarm Reduction Using Continuous and Discontinuous Patterns. In: Ioannidis J., Keromytis A., Yung M. (eds) Applied Cryptography and Network Security. ACNS 2005. Lecture Notes in Computer Science, vol 3531. Springer, Berlin, Heidelberg

Abstract

Intrusion Detection Systems (IDSs) are widely deployed in computer networks to stand against a wide variety of attacks. IDS deployment raises a serious problem, namely managing the large number of triggered alerts. This problem is made worse by the fact that some commercial IDSs may generate thousands of alerts per day. Identifying the real alarms in the huge volume of alarms is a frustrating task for security officers. Thus, reducing false alarms is a critical issue for IDS efficiency and usability. In this paper, we mine historical alarms to learn how future alarms can be handled more efficiently. First, an approach is proposed for characterizing the "normal" stream of alarms. In addition, an algorithm for detecting anomalies by using continuous and discontinuous sequential patterns is developed, and used in preliminary experiments with real-world data to show that the presented model can handle IDS alarms efficiently.
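As an added illustration, not the paper's own algorithm (the page gives no details of it), the following Python sketch contrasts the two pattern kinds the abstract names, continuous (contiguous) and discontinuous (gapped) alarm sequences, mined from a constructed "normal" alarm stream and then used to score later windows against that baseline. The signature names, the gap limit and the support threshold are assumptions made for the sketch.

```python
from collections import Counter
from itertools import combinations

# Constructed sample (not real data): signature names from a "normal" alarm
# stream, e.g. what a scheduled vulnerability scanner triggers on every run.
NORMAL_STREAM = ["PING", "DIR", "CGI", "PING", "DIR", "CGI",
                 "PING", "SNMP", "DIR", "CGI"]

def continuous_patterns(seq, k):
    """Support counts of continuous patterns: contiguous runs of k alarms."""
    return Counter(tuple(seq[i:i + k]) for i in range(len(seq) - k + 1))

def discontinuous_patterns(seq, k, max_gap):
    """Support counts of discontinuous patterns: k alarms in order with up to
    max_gap unrelated alarms between neighbours (gap 0 included, so max_gap=0
    reproduces continuous_patterns). Every admissible gap choice is counted."""
    counts = Counter()
    span = k + (k - 1) * max_gap  # longest stretch one occurrence can cover
    for i in range(len(seq)):
        window = seq[i:i + span]  # occurrence anchored at seq[i]
        for rest in combinations(range(1, len(window)), k - 1):
            pos = (0,) + rest
            if all(b - a - 1 <= max_gap for a, b in zip(pos, pos[1:])):
                counts[tuple(window[p] for p in pos)] += 1
    return counts

def build_profile(stream, k, max_gap, min_support):
    """Characterise the normal stream: patterns of each kind whose support
    reaches min_support form the baseline later windows are judged against."""
    cont = continuous_patterns(stream, k)
    disc = discontinuous_patterns(stream, k, max_gap)
    return {"continuous": {p for p, c in cont.items() if c >= min_support},
            "discontinuous": {p for p, c in disc.items() if c >= min_support}}

def anomaly_score(window, profile, k, max_gap):
    """Fraction of the window's patterns absent from the normal profile:
    0.0 means every pattern already belongs to the routine alarm flow."""
    observed = {"continuous": set(continuous_patterns(window, k)),
                "discontinuous": set(discontinuous_patterns(window, k, max_gap))}
    total = sum(len(s) for s in observed.values())
    if total == 0:
        return 0.0
    unseen = sum(len(observed[kind] - profile[kind]) for kind in observed)
    return unseen / total

if __name__ == "__main__":
    profile = build_profile(NORMAL_STREAM, k=2, max_gap=1, min_support=2)
    for w in (["PING", "DIR", "CGI", "PING"], ["PING", "DIR", "EXPLOIT", "CGI"]):
        print(w, anomaly_score(w, profile, 2, 1))  # 0.0 then 0.625
```

A window that only reorders or interleaves routine alarms keeps a low score, while one that introduces a signature never seen in the baseline raises it; the threshold at which an analyst is paged is a tuning choice this sketch leaves open.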

Keywords

Intrusion detection, alarm reduction, sequential patterns


Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Abdulrahman Alharby (1)
  • Hideki Imai (1)
  1. Institute of Industrial Science, The University of Tokyo, Tokyo, Japan
