The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset

  • Gina C. Tjhai
  • Maria Papadaki
  • Steven M. Furnell
  • Nathan L. Clarke
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5185)


It is a common issue that an Intrusion Detection System (IDS) might generate thousand of alerts per day. The problem has got worse by the fact that IT infrastructure have become larger and more complicated, the number of generated alarms that need to be reviewed can escalate rapidly, making the task very difficult to manage. Moreover, a significant problem facing current IDS technology now is the high level of false alarms. The main purpose of this paper is to investigate the extent of false alarms problem in Snort, using the 1999 DARPA IDS evaluation dataset. A thorough investigation has been carried out to assess the accuracy of alerts generated by Snort IDS. Significantly, this experiment has revealed an unexpected result; with 69% of total generated alerts are considered to be false alarms.


Intrusion Detection System False positive True positive DARPA dataset Snort 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adoko, What Are Web Bugs? (2008) (date visited: September 7, 2007),
  2. 2.
    Alharby, A., Imai, H.: IDS False alarm reduction using continuous and discontinuous patterns. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 192–205. Springer, Heidelberg (2005)Google Scholar
  3. 3.
    Alshammari, R., Sonamthiang, S., Teimouri, M., Riordan, D.: Using Neuro-Fuzzy Approach to Reduce False Positive Alerts. In: Communication Networks and Services Research, 2007. Fifth Annual Conference. CNSR 2007, pp. 345–349 (2007)Google Scholar
  4. 4.
    Anaesthetist, The magnificent ROC (2007) (date visited: August 17, 2007),
  5. 5.
    Axelsson, S.: The Base-Rate Fallacy and the Difficulty of Intrusion Detection. ACM Transactions on Information and System Security 3(3), 186–205 (2000) (date visited: May 10, 2007), CrossRefMathSciNetGoogle Scholar
  6. 6.
    BASE, Basic Analysis and Security Engine (BASE) Project (2007) (date visited: April 25, 2007),
  7. 7.
    Bolzoni, D. and Etalle, S.: APHRODITE: an Anomaly-based Architecture for False Positive Reduction (2006) (date visited: November 7, 2006),
  8. 8.
    Brugger, S. T. and Chow, J.: An Assessment of the DARPA IDS Evaluation Dataset Using Snort (2005) (date visited: May 2, 2007),
  9. 9.
    Caswell, B., Roesch, M.: Snort: The open source network intrusion detection system (2004) (date visited: October 3, 2006),
  10. 10.
    Julisch, K.: Mining Alarm Clusters to Improve Alarm Handling Efficiency. In: Proceedings of the 17th Annual Conference on Computer Security Applications, pp. 12–21 (2001)Google Scholar
  11. 11.
    Kayacik, G.H., Zincir-Heywood, A.N.: Using Intrusion Detection Systems with a Firewall: Evaluation on DARPA 99 Dataset. NIMS Technical Report #062003 (June 2003) (date visited: September 9, 2007),
  12. 12.
    Lincoln Lab, DARPA Intrusion Detection Evaluation (2001) (date visited: May 15, 2007),
  13. 13.
    Lippmann, R.P., Fried, D.J., Graf, I., Haines, J.W., Kendall, K.R., McClung, D., Weber, D., Webster, S.E., Wyschogrod, D., Cunningham, R.K., Zissman, M.A.: Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation. In: Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX) (1999) (date visited: July 8, 2007),
  14. 14.
    Lippmann, R.P., Haines, J.W., Fried, D.J., Korba, J., Das, K.J.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks 34, 579–595 (2000) (date visited: June 20, 2007), CrossRefGoogle Scholar
  15. 15.
    Mahoney, M.V., Chan, P.K.: An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 220–237. Springer, Heidelberg (2003) (date visited: June 22, 2007), Google Scholar
  16. 16.
    McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. Information System Security 3(4), 262–294 (2000) (date visited: June 19, 2007), CrossRefGoogle Scholar
  17. 17.
    Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: Proceedings of LISA 1999: 13th Systems Administration Conference, Seattle, Washington, USA, November 7-12 (1999)Google Scholar
  18. 18.
    Ruskey, F., Weston, M.: A Survey of Venn Diagrams (2005) (date visited: October 10, 2007),
  19. 19.
    Smith, R.: The Web Bug FAQ (1999) (date visited: August 15, 2007),
  20. 20.
    Snort, INFO web bug 1x1 gif attempt (2007) (date visited: August 9, 2007),
  21. 21.
    Tjhai, G., Papadaki, M., Furnell, S., Clarke, N.: Investigating the problem of IDS false alarms: An experimental study using Snort. In: IFIP SEC 2008, Milan, Italy, September 8-10 (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Gina C. Tjhai
    • 1
  • Maria Papadaki
    • 1
  • Steven M. Furnell
    • 1
    • 2
  • Nathan L. Clarke
    • 1
    • 2
  1. 1.Centre for Information Security & Network ResearchUniversity of Plymouth Email: info@cisnr.orgPlymouthUnited Kingdom
  2. 2.School of Computer and Information ScienceEdith Cowan UniversityPerthWestern Australia

Personalised recommendations