TrustBus 2008: Trust, Privacy and Security in Digital Business, pp. 139-150
The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset
Abstract
It is a common issue that an Intrusion Detection System (IDS) might generate thousands of alerts per day. The problem is made worse by the fact that IT infrastructures have become larger and more complex; the number of generated alarms that need to be reviewed can escalate rapidly, making the task very difficult to manage. Moreover, a significant problem facing current IDS technology is the high level of false alarms. The main purpose of this paper is to investigate the extent of the false alarm problem in Snort, using the 1999 DARPA IDS evaluation dataset. A thorough investigation has been carried out to assess the accuracy of the alerts generated by the Snort IDS. Significantly, this experiment has revealed an unexpected result: 69% of the total generated alerts are considered to be false alarms.
Keywords
Intrusion Detection System; False positive; True positive; DARPA dataset; Snort
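The abstract reports a proportion of false alarms but does not show how individual Snort alerts are judged against the DARPA ground truth. The following is an added example (not code from the paper or from the Snort project) of the kind of alert labelling an evaluator performs: each alert is matched against a list of labelled attack instances, counted as a true positive if it falls inside an attack's time window and involves the victim host, and otherwise as a false alarm; the remaining false alarms are then grouped by signature ID so the noisiest rules can be reviewed first. The matching rule (time window plus victim IP), the alert and attack records, and all timestamps and addresses are constructed assumptions for illustration, not the paper's method or data.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """One IDS alert, reduced to the fields needed for labelling (constructed)."""
    ts: datetime
    src: str
    dst: str
    sid: int      # signature ID of the rule that fired
    msg: str


@dataclass(frozen=True)
class Attack:
    """One labelled attack instance, DARPA-style: start time, duration, victim (constructed)."""
    start: datetime
    duration: timedelta
    victim: str
    name: str

    @property
    def end(self) -> datetime:
        return self.start + self.duration


def is_true_positive(alert: Alert, attacks: list) -> bool:
    """Assumed matching rule: the alert is a true positive if it occurs inside an
    attack's time window AND the attack's victim is one endpoint of the alert.
    An alert that merely overlaps an attack in time but involves other hosts is
    still a false alarm."""
    return any(
        a.start <= alert.ts <= a.end and a.victim in (alert.src, alert.dst)
        for a in attacks
    )


def evaluate(alerts: list, attacks: list) -> dict:
    """Label every alert, then summarise: counts, false-alarm percentage and the
    signature IDs that produced the most false alarms (for rule-tuning review)."""
    true_pos = [a for a in alerts if is_true_positive(a, attacks)]
    false_pos = [a for a in alerts if not is_true_positive(a, attacks)]
    total = len(alerts)
    return {
        "total": total,
        "tp": len(true_pos),
        "fp": len(false_pos),
        "fp_percent": round(100.0 * len(false_pos) / total, 1) if total else 0.0,
        "top_fp_sids": Counter(a.sid for a in false_pos).most_common(3),
    }


def missed_attacks(alerts: list, attacks: list) -> list:
    """Attacks for which no alert matched at all (the false-negative side)."""
    return [
        atk.name for atk in attacks
        if not any(is_true_positive(al, [atk]) for al in alerts)
    ]


# Constructed sample data: two labelled attacks and ten alerts.
BASE = datetime(1999, 3, 29, 8, 0, 0)
SAMPLE_ATTACKS = [
    Attack(BASE + timedelta(minutes=10), timedelta(minutes=5), "172.16.112.50", "portsweep"),
    Attack(BASE + timedelta(minutes=60), timedelta(minutes=2), "172.16.114.50", "phf"),
]
SAMPLE_ALERTS = [
    Alert(BASE + timedelta(minutes=11), "202.77.162.213", "172.16.112.50", 469, "ICMP PING NMAP"),
    Alert(BASE + timedelta(minutes=12), "202.77.162.213", "172.16.112.50", 469, "ICMP PING NMAP"),
    Alert(BASE + timedelta(minutes=61), "202.77.162.213", "172.16.114.50", 886, "WEB-CGI phf access"),
    Alert(BASE + timedelta(minutes=5), "172.16.112.100", "196.37.75.158", 2925, "INFO web bug 1x1 gif attempt"),
    Alert(BASE + timedelta(minutes=20), "172.16.113.84", "196.37.75.158", 2925, "INFO web bug 1x1 gif attempt"),
    Alert(BASE + timedelta(minutes=30), "172.16.112.100", "196.37.75.158", 2925, "INFO web bug 1x1 gif attempt"),
    Alert(BASE + timedelta(minutes=40), "194.27.251.21", "172.16.114.50", 1852, "WEB-MISC robots.txt access"),
    Alert(BASE + timedelta(minutes=45), "194.27.251.21", "172.16.114.50", 1852, "WEB-MISC robots.txt access"),
    # Inside the phf window but between unrelated hosts: a false alarm, not a true positive.
    Alert(BASE + timedelta(minutes=62), "172.16.112.100", "196.37.75.158", 2925, "INFO web bug 1x1 gif attempt"),
    Alert(BASE + timedelta(minutes=90), "172.16.112.100", "172.16.112.50", 469, "ICMP PING NMAP"),
]

if __name__ == "__main__":
    summary = evaluate(SAMPLE_ALERTS, SAMPLE_ATTACKS)
    print(summary)
    print("missed attacks:", missed_attacks(SAMPLE_ALERTS, SAMPLE_ATTACKS))
```

On the constructed sample, three alerts land inside an attack window against the victim host and the other seven are false alarms (70%), with the web-bug signature accounting for most of them; the ninth alert shows why the victim-host condition matters, since it overlaps an attack in time yet involves neither attacker nor victim. Grouping the false alarms by SID is the step that turns a raw percentage into an actionable tuning list.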