Experimental Validation and Analysis of an Intelligent Detection and Response Strategy to False Positives and Network Attacks

  • Emmanuel Hooper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3975)


Intrusion Detection Systems (IDSs) and security tools are used to monitor for potential attacks in network infrastructures. They trigger alerts on potential attacks, but most of these alerts are false positives, and the high volume of false positives makes manual analysis of alerts difficult and inefficient. In this paper we present a novel approach for efficient, intelligent detection of and response to suspect packets and benign false positives. The strategy consists of Network Quarantine Channels (NQCs) with multiple zones for isolating and interacting with suspect packets in real time. We propose multiple feedback methods that enhance the capability of the IDS to distinguish genuine threats from benign traffic that trips a signature, and we describe new techniques for feeding the results of the NQC back to the IDS. These approaches are effective in responding to both benign and attack packets.
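The abstract describes a loop of three parts: a signature IDS that raises an alert, a quarantine channel that holds the suspect packet while a deeper check is run on it, and a feedback path that turns the verdict into an adaptive rule. The following Python model is an added illustration of that loop and is not the paper's code; the packet format, the two coarse signatures, the per-signature quarantine check (a stand-in for the zone interaction the abstract does not detail) and the two rule sets the feedback fills in are all assumptions made here.

```python
"""Toy detection -> quarantine -> feedback loop.

Added illustration, not the paper's implementation. Packets, signatures,
the quarantine checks and the sample traffic are all constructed here.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    BENIGN = "benign"
    ATTACK = "attack"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    sig: str
    packet: Packet


# Constructed, deliberately coarse signatures: (name, port, byte pattern).
# Coarse patterns like these are what produce the false positives.
SIGNATURES = [
    ("http-traversal", 80, b"../"),
    ("smtp-vrfy", 25, b"VRFY"),
]


class IDS:
    """Signature matcher with two adaptive rule sets filled in by feedback."""

    def __init__(self):
        self.suppress = set()  # (signature, src): learned benign, stop alerting
        self.blocked = set()   # src: learned malicious, drop without inspection

    def inspect(self, pkt):
        if pkt.src in self.blocked:
            return "drop"
        for name, port, pattern in SIGNATURES:
            if (pkt.dst_port == port and pattern in pkt.payload
                    and (name, pkt.src) not in self.suppress):
                return Alert(name, pkt)
        return "pass"


def _path_escapes_root(path):
    """True if the path climbs above its root via '..' segments."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_in_quarantine(alert):
    """Zone check (assumed here): the packet is held, never forwarded, while a
    deeper signature-specific test decides what the coarse match really was."""
    payload = alert.packet.payload
    if alert.sig == "http-traversal":
        parts = payload.split(b" ")
        if len(parts) < 2:
            return Verdict.UNKNOWN
        path = parts[1].decode("ascii", "replace")
        return Verdict.ATTACK if _path_escapes_root(path) else Verdict.BENIGN
    if alert.sig == "smtp-vrfy":
        # VRFY as a command (line start) is a user-enumeration probe;
        # the same word inside message text is not.
        lines = payload.split(b"\r\n")
        probe = any(line.startswith(b"VRFY") for line in lines)
        return Verdict.ATTACK if probe else Verdict.BENIGN
    return Verdict.UNKNOWN


def feed_back(ids, alert, verdict):
    """Turn the quarantine verdict into an adaptive rule for the IDS."""
    if verdict is Verdict.BENIGN:
        ids.suppress.add((alert.sig, alert.packet.src))
    elif verdict is Verdict.ATTACK:
        ids.blocked.add(alert.packet.src)


def process(ids, packets):
    """Run packets through the IDS; alerts go to quarantine, verdicts feed back."""
    outcomes = []
    for pkt in packets:
        result = ids.inspect(pkt)
        if isinstance(result, Alert):
            verdict = analyze_in_quarantine(result)
            feed_back(ids, result, verdict)
            outcomes.append("quarantine:" + verdict.value)
        else:
            outcomes.append(result)
    return outcomes


# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("10.0.0.5", 80, b"GET /docs/../index.html HTTP/1.1"),    # harmless '..'
    Packet("10.0.0.5", 80, b"GET /img/../logo.png HTTP/1.1"),       # same source again
    Packet("198.51.100.9", 80, b"GET /../../etc/passwd HTTP/1.1"),  # real traversal
    Packet("198.51.100.9", 25, b"HELO mail.example"),               # now-blocked source
    Packet("10.0.0.7", 25, b"Subject: re VRFY\r\n\r\nThe VRFY verb is off"),  # body text
    Packet("203.0.113.4", 25, b"VRFY root\r\n"),                    # enumeration probe
]


def run_demo():
    ids = IDS()
    return process(ids, SAMPLE), ids


if __name__ == "__main__":
    for pkt, out in zip(SAMPLE, run_demo()[0]):
        print(f"{pkt.src:>14} :{pkt.dst_port} -> {out}")
```

The second packet from 10.0.0.5 passes without an alert because the first quarantine verdict suppressed that signature for that source, which is the false-positive reduction the abstract aims at. The same mechanism is the caveat: a suppression keyed on (signature, source) can be trained by an adversary who sends harmless matches first, so a real deployment should age out learned rules and keep the quarantine check stricter than the signature it overrides.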







Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Emmanuel Hooper, Information Security Group, Royal Holloway, University of London, Egham, Surrey, UK
