Of daemons and men: reducing false positive rate in intrusion detection systems with file system footprint analysis

Abstract

In this work, we propose a methodology for reducing false alarms in file system intrusion detection systems, by taking into account the daemon’s file system footprint. More specifically, we experimentally show that sequences of outliers can serve as a distinguishing characteristic between true and false positives, and we show how analysing sequences of outliers can lead to lower false positive rates, while maintaining high detection rates. Based on this analysis, we developed an anomaly detection filter that learns outlier sequences using k-nearest neighbours with normalised longest common subsequence. Outlier sequences are then used as a filter to reduce false positives on the \(FI^2DS\) file system intrusion detection system. This filter is evaluated on both overlapping and non-overlapping sequences of outliers. In both cases, experiments performed on three real-world web servers and a honeynet show that our approach achieves significant false positive reduction rates (up to 50 times), without any degradation of the corresponding true positive detection rates.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Notes

  1. 1.

    http://www.freebsd.org/doc/en/books/handbook/audit.html.

  2. 2.

    http://ee.auth.gr/fi2ds/dataset2.tar.xz.

  3. 3.

    http://ee.auth.gr/fi2ds/README.

  4. 4.

    http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/.

  5. 5.

    https://code.google.com/p/kippo/.

References

  1. 1.

    Budalakoti S, Srivastava AN, Otey ME (2009) Anomaly detection and diagnosis algorithms for discrete symbol sequences with applications to airline safety. IEEE Trans Syst Man Cybern Part C Appl Rev 39(1):101–113

    Article  Google Scholar 

  2. 2.

    Chandola V (2009) Anomaly detection for symbolic sequences and time series data. PhD thesis, University of Minnesota

  3. 3.

    Chandola V, Banerjee A, Kumar V (2012) Anomaly detection for discrete sequences: a survey. IEEE Trans Knowl Data Eng 24(5):823–839

    Article  Google Scholar 

  4. 4.

    Chen W, Hsu S, Shen H (2005) Application of SVM and ANN for intrusion detection. Comput Oper Res 32(10):2617–2634

    Article  MATH  Google Scholar 

  5. 5.

    Corchado E, Herrero Á (2011) Neural visualization of network traffic data for intrusion detection. Appl Soft Comput 11(2):2042–2056

    Article  Google Scholar 

  6. 6.

    Denning D (1987) An intrusion–detection model. IEEE Trans Softw Eng 2:222–232

    Article  Google Scholar 

  7. 7.

    Forrest S, Hofmeyr S, Somayaji A, Longstaff T (1996) A sense of self for unix processes. In: 1996 IEEE symposium on security and privacy, 1996. Proceedings. IEEE, pp 120–128

  8. 8.

    Forrest S, Perelson A, Allen L, Cherukuri R (1994) Self-nonself discrimination in a computer. In: 1994 IEEE computer society symposium on research in security and privacy, 1994. Proceedings. IEEE, pp 202–212

  9. 9.

    Gogoi P, Borah B, Bhattacharyya DK (2010) Anomaly detection analysis of intrusion data using supervised and unsupervised approach. J Converg Inf Technol 5(1):95–110

    Google Scholar 

  10. 10.

    Hoang XD, Hu J, Bertok P (2009) A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference. J Netw Comput Appl 32(6):1219–1228

    Article  Google Scholar 

  11. 11.

    Hochberg J, Jackson K, Stallings C, McClary J, DuBois D, Ford J (1993) Nadir: an automated system for detecting network intrusion and misuse. Comput Secur 12(3):235–248

    Article  Google Scholar 

  12. 12.

    Hofmeyr S, Forrest S, Somayaji A (1998) Intrusion detection using sequences of system calls. J Comput Secur 6(3):151–180

    Article  Google Scholar 

  13. 13.

    Horng SJ, Su MY, Chen YH, Kao TW, Chen RJ, Lai JL, Perkasa CD (2011) A novel intrusion detection system based on hierarchical clustering and support vector machines. Expert Syst Appl 38(1):306–313

    Article  Google Scholar 

  14. 14.

    Jamali S, Jafarzadeh P (2015) An intelligent intrusion detection system by using hierarchically structured learning automata. Neural Comput Appl. https://doi.org/10.1007/s00521-015-2116-4

    Article  Google Scholar 

  15. 15.

    Kang I, Jeong M, Kong D (2012) A differentiated one-class classification method with applications to intrusion detection. Expert Syst Appl 39(4):3899–3905

    Article  Google Scholar 

  16. 16.

    Kou G, Peng Y, Chen Z, Shi Y (2009) Multiple criteria mathematical programming for multi-class classification and application in network intrusion detection. Inf Sci 179(4):371–381

    Article  Google Scholar 

  17. 17.

    Krawczyk B, Minku LL, Gama J, Stefanowski J, Woniak M (2017) Ensemble learning for data stream analysis: a survey. Inf Fusion 37:132–156. https://doi.org/10.1016/j.inffus.2017.02.004

    Article  Google Scholar 

  18. 18.

    Kudłacik P, Porwik P, Wesołowski T (2016) Fuzzy approach for intrusion detection based on users commands. Soft Comput 20(7):2705–2719

    Article  Google Scholar 

  19. 19.

    Kumar N, Lolla VN, Keogh EJ, Lonardi S, Ratanamahatana CA (2005) Time-series bitmaps: a practical visualization tool for working with large time series databases. In: SDM. SIAM, pp 531–535

  20. 20.

    Kumar S, Spafford E (1994) A pattern matching model for misuse intrusion detection

  21. 21.

    Lee W, Stolfo S, Chan P, Eskin E, Fan W, Miller M, Hershkop S, Zhang J (2001) Real time data mining-based intrusion detection. In: DARPA information survivability conference and exposition II, 2001. DISCEX’01. Proceedings, vol 1. IEEE, pp 89–100

  22. 22.

    Leslie CS, Eskin E, Noble WS (2002) The spectrum kernel: a string kernel for SVM protein classification. In: Pacific symposium on biocomputing, vol 7, pp 566–575

  23. 23.

    Liao Y, Vemuri V (2002) Use of k-nearest neighbor classifier for intrusion detection. Comput Secur 21(5):439–448

    Article  Google Scholar 

  24. 24.

    Lindqvist U, Porras P (2001) Expert-BSM: a host-based intrusion detection solution for Sun Solaris. In: Computer security applications conference, 2001. ACSAC 2001. Proceedings 17th annual. IEEE, pp 240–251

  25. 25.

    Lippmann R, Fried D, Graf I, Haines J, Kendall K, McClung D, Weber D, Webster S, Wyschogrod D, Cunningham R et al (2000) Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. In: DARPA information survivability conference and exposition, 2000. DISCEX’00. Proceedings, vol 2. IEEE, pp 12–26

  26. 26.

    Lippmann R, Haines J, Fried D, Korba J, Das K (2000) The 1999 DARPA off-line intrusion detection evaluation. Comput Netw 34(4):579–595

    Article  Google Scholar 

  27. 27.

    Mamalakis G, Diou C, Symeonidis A, Georgiadis L (2014) Of daemons and men: a file system approach towards intrusion detection. Appl Soft Comput 25:1–14

    Article  Google Scholar 

  28. 28.

    Mamalakis G, Diou C, Symeonidis AL (2015) Analysing behaviours for intrusion detection. In: 2015 IEEE international conference on communication workshop (ICCW). IEEE, pp 2645–2651

  29. 29.

    McLachlan G, Basford K (1988) Mixture models: inference and applications to clustering. Marcel Dekker, New York

  30. 30.

    Medina-Pérez MA, Monroy R, Camiña JB, García-Borroto M (2017) Bagging-TPMiner: a classifier ensemble for masquerader detection based on typical objects. Soft Comput 21(3):557–569

    Article  Google Scholar 

  31. 31.

    Mutz D, Valeur F, Vigna G, Kruegel C (2006) Anomalous system call detection. ACM Trans Inf Syst Secur (TISSEC) 9(1):61–93

    Article  Google Scholar 

  32. 32.

    Pang-Ning T, Steinbach M, Kumar V et al (2006) Introduction to data mining. Addison Wesley, Boston

    Google Scholar 

  33. 33.

    Peisert S, Bishop M, Karin S, Marzullo K (2007) Analysis of computer intrusions using sequences of function calls. IEEE Trans Dependable Secure Comput 4(2):137–150

    Article  Google Scholar 

  34. 34.

    Pietraszek T (2004) Using adaptive alert classification to reduce false positives in intrusion detection. In: Recent advances in intrusion detection. Springer, pp 102–124

  35. 35.

    Porras P, Neumann P (1997) Emerald: event monitoring enabling response to anomalous live disturbances. In: Proceedings of the 20th national information systems security conference, pp 353–365

  36. 36.

    Ramaswamy S, Rastogi R, Shim K (2000) Efficient algorithms for mining outliers from large data sets. In: ACM SIGMOD record, vol 29. ACM, pp 427–438

  37. 37.

    Roesch M et al (1999) Snort: lightweight intrusion detection for networks. LISA 99:229–238

    Google Scholar 

  38. 38.

    Spathoulas G, Katsikas S (2010) Reducing false positives in intrusion detection systems. Comput Secur 29(1):35–44

    Article  Google Scholar 

  39. 39.

    Stolfo S, Hershkop S, Bui L, Ferster R, Wang K (2005) Anomaly detection in computer security and an application to file system accesses. In: Foundations of intelligent systems, pp 14–28

  40. 40.

    Stolfo SJ, Apap F, Eskin E, Heller K, Hershkop S, Honig A, Svore K (2005) A comparative evaluation of two algorithms for windows registry anomaly detection. J Comput Secur 13(4):659–693

    Article  Google Scholar 

  41. 41.

    Tsai CF, Lin CY (2010) A triangle area based nearest neighbors approach to intrusion detection. Pattern Recognit 43(1):222–229

    Article  MATH  Google Scholar 

  42. 42.

    Wagner D, Soto P (2002) Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM conference on computer and communications security. ACM, pp 255–264

  43. 43.

    Wang W, Guan X, Zhang X, Yang L (2006) Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data. Comput Secur 25(7):539–550

    Article  Google Scholar 

  44. 44.

    Warrender C, Forrest S, Pearlmutter B (1999) Detecting intrusions using system calls: alternative data models. In: Proceedings of the 1999 IEEE symposium on security and privacy, 1999. IEEE, pp 133–145

  45. 45.

    Xu J, Shelton C (2010) Intrusion detection using continuous time Bayesian networks. J Artif Intell Res 39(1):745–774

    Article  MathSciNet  MATH  Google Scholar 

  46. 46.

    Yeung D, Ding Y (2003) Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognit 36(1):229–243

    Article  MATH  Google Scholar 

  47. 47.

    Zhang Z, Shen H (2005) Application of online-training SVMs for real-time intrusion detection with different considerations. Comput Commun 28(12):1428–1442

    Article  Google Scholar 

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to George Mamalakis.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Mamalakis, G., Diou, C., Symeonidis, A.L. et al. Of daemons and men: reducing false positive rate in intrusion detection systems with file system footprint analysis. Neural Comput & Applic 31, 7755–7767 (2019). https://doi.org/10.1007/s00521-018-3550-x

Download citation

Keywords

  • Intrusion detection systems
  • Anomaly detection
  • Sequences of outliers