Of daemons and men: reducing false positive rate in intrusion detection systems with file system footprint analysis

  • George Mamalakis
  • Christos Diou
  • Andreas L. Symeonidis
  • Leonidas Georgiadis
Original Article


In this work, we propose a methodology for reducing false alarms in file system intrusion detection systems, by taking into account the daemon’s file system footprint. More specifically, we experimentally show that sequences of outliers can serve as a distinguishing characteristic between true and false positives, and we show how analysing sequences of outliers can lead to lower false positive rates, while maintaining high detection rates. Based on this analysis, we developed an anomaly detection filter that learns outlier sequences using k-nearest neighbours with normalised longest common subsequence. Outlier sequences are then used as a filter to reduce false positives on the \(FI^2DS\) file system intrusion detection system. This filter is evaluated on both overlapping and non-overlapping sequences of outliers. In both cases, experiments performed on three real-world web servers and a honeynet show that our approach achieves significant false positive reduction rates (up to 50 times), without any degradation of the corresponding true positive detection rates.
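As an added illustration of the mechanism the abstract describes (this is not the authors' \(FI^2DS\) code, whose details are not on this page), the following Python sketch compares sequences of outliers with a normalised longest-common-subsequence similarity, lets a k-nearest-neighbour vote over labelled sequences decide whether a new sequence is raised as an alert, and cuts an outlier stream into overlapping or non-overlapping windows. The outlier symbols, the labelled training sequences and the choice of normalisation are constructed assumptions.

```python
from collections import Counter

def lcs_length(a, b):
    """Length of the longest common subsequence, standard O(len(a)*len(b)) DP."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def normalised_lcs(a, b):
    """Similarity in [0, 1]: LCS length over the longer sequence's length.
    Assumption: the paper's exact normalisation is not given on this page."""
    if not a or not b:
        return 0.0
    return lcs_length(a, b) / max(len(a), len(b))

def windows(outliers, size, overlapping):
    """Fixed-size windows over an outlier stream, sliding by 1 (overlapping)
    or by `size` (non-overlapping)."""
    step = 1 if overlapping else size
    return [tuple(outliers[i:i + size]) for i in range(0, len(outliers) - size + 1, step)]

def knn_label(query, labelled, k=3):
    """Majority label among the k labelled sequences most similar to `query`."""
    ranked = sorted(labelled, key=lambda item: normalised_lcs(query, item[0]), reverse=True)
    return Counter(label for _, label in ranked[:k]).most_common(1)[0][0]

def filter_alerts(outliers, labelled, size=4, overlapping=False, k=3):
    """Keep only the windows the filter classifies as true positives."""
    return [w for w in windows(outliers, size, overlapping)
            if knn_label(w, labelled, k) == "true_positive"]

# Constructed sample data: each symbol stands for one file-system access that the
# base detector flagged as an outlier (e.g. the daemon writing outside its usual paths).
BENIGN = [("cache_write", "cache_write", "log_write", "cache_write"),
          ("log_write", "cache_write", "cache_write", "log_write"),
          ("cache_write", "log_write", "cache_write", "cache_write")]
ATTACK = [("tmp_write", "tmp_exec", "passwd_read", "cron_write"),
          ("tmp_write", "tmp_exec", "cron_write", "passwd_read"),
          ("tmp_exec", "passwd_read", "tmp_write", "cron_write")]
LABELLED = [(s, "false_positive") for s in BENIGN] + [(s, "true_positive") for s in ATTACK]

if __name__ == "__main__":
    stream = BENIGN[2] + ATTACK[0]  # 8 outliers: a benign burst, then an intrusion-like one
    print(filter_alerts(stream, LABELLED, overlapping=False))  # 1 alert out of 2 windows
    print(filter_alerts(stream, LABELLED, overlapping=True))   # 2 alerts out of 5 windows
```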


Keywords: Intrusion detection systems; Anomaly detection; Sequences of outliers


Compliance with ethical standards

Conflict of interest

The authors declare that they have no conflict of interest.



Copyright information

© The Natural Computing Applications Forum 2018

Authors and Affiliations

  1. Department of Electrical and Computer Engineering, Aristotle University of Thessaloniki, Thessaloniki, Greece
