Experimental Validation and Analysis of an Intelligent Detection and Response Strategy to False Positives and Network Attacks
Intrusion Detection Systems (IDSs) and security tools are used to monitor for potential attacks in network infrastructures. The IDSs and tools trigger alerts on potential attacks in networks. However, most of these alerts are false positives. The high volume of false positives makes manual analysis of alerts difficult and inefficient. In this paper we present a novel approach for efficient, intelligent detection of and response to suspect packets and benign false positives. The intelligent strategy consists of Network Quarantine Channels (NQCs) with multiple zones for isolating and interacting with the suspect packets in real time. We propose multiple feedback methods to enhance the capability of the IDS to detect threats and benign attacks. We describe new techniques for feeding the results of the NQC back to the IDS. These approaches are effective in responding to both benign and attack packets.
Keywords: Intrusion Detection, Intrusion Detection System, Potential Attack, Network Attack, Adaptive Rule
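The abstract describes the loop at a high level only: an alert is held in a quarantine channel, the channel's zones observe and interact with the suspect traffic, and the verdict is fed back to the IDS so that rules producing mostly false positives can be adapted. The following is an added illustration of that loop, not the authors' implementation; the two zone heuristics, the hostile-token list, the per-rule false-positive tally, the tuning threshold and all sample alerts are constructed assumptions for demonstration.

```python
"""Closing the loop between an IDS and a quarantine channel (illustration).

Constructed example: the zone checks, the scoring and the adaptive-rule
policy are assumptions, not the paper's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Alert:
    """An IDS alert plus the traffic the source sent after the channel
    answered it. payloads[0] is the packet that triggered the alert;
    the rest are follow-ups observed inside the channel (constructed)."""
    rule_id: str
    src: str
    payloads: List[bytes]


@dataclass
class RuleStats:
    """Per-rule tally of channel verdicts, the data fed back to the IDS."""
    attack: int = 0
    benign: int = 0

    @property
    def total(self) -> int:
        return self.attack + self.benign

    @property
    def false_positive_rate(self) -> float:
        return self.benign / self.total if self.total else 0.0


# Constructed heuristic: tokens typical of injection or traversal attempts.
# A real deployment would use its own signatures here.
SUSPICIOUS_TOKENS = (b"../", b";", b"|", b"`", b"$(")


def looks_hostile(payload: bytes) -> bool:
    return any(tok in payload for tok in SUSPICIOUS_TOKENS)


def zone_isolation(alert: Alert) -> bool:
    """Passive zone: inspect only the packet that raised the alert."""
    return looks_hostile(alert.payloads[0])


def zone_interaction(alert: Alert, max_followups: int = 3) -> bool:
    """Interaction zone: judge what the source does after being answered.
    A benign client sends a few well-formed follow-ups; a scanner or exploit
    keeps probing or sends hostile content."""
    followups = alert.payloads[1:]
    return len(followups) > max_followups or any(looks_hostile(p) for p in followups)


class QuarantineChannel:
    def __init__(self) -> None:
        self.stats: Dict[str, RuleStats] = {}

    def evaluate(self, alert: Alert) -> str:
        """Run both zones, record the verdict against the firing rule."""
        verdict = "attack" if zone_isolation(alert) or zone_interaction(alert) else "benign"
        stats = self.stats.setdefault(alert.rule_id, RuleStats())
        if verdict == "attack":
            stats.attack += 1
        else:
            stats.benign += 1
        return verdict

    def rules_to_tune(self, min_samples: int = 3, fp_threshold: float = 0.75) -> List[str]:
        """Feedback to the IDS: rules whose alerts were mostly benign in the
        channel are candidates for adaptive tuning (constructed policy)."""
        return sorted(r for r, s in self.stats.items()
                      if s.total >= min_samples and s.false_positive_rate >= fp_threshold)


def run_demo():
    """Feed constructed alerts through the channel and return the feedback."""
    nqc = QuarantineChannel()
    alerts = [
        # Rule "web-traversal" fires on a genuine traversal attempt.
        Alert("web-traversal", "10.0.0.5",
              [b"GET /../../etc/passwd HTTP/1.1", b"GET /..%2f..%2fetc/passwd HTTP/1.1"]),
        # Rule "long-uri" fires three times on harmless long URIs ...
        Alert("long-uri", "10.0.0.7",
              [b"GET /catalog?page=12&sort=name HTTP/1.1", b"GET /catalog?page=13&sort=name HTTP/1.1"]),
        Alert("long-uri", "10.0.0.8", [b"GET /search?q=printer+paper HTTP/1.1"]),
        Alert("long-uri", "10.0.0.9", [b"GET /report/2024/annual.pdf HTTP/1.1"]),
        # ... and once on a source that probes after being answered.
        Alert("long-uri", "10.0.0.11",
              [b"GET /index.html HTTP/1.1", b"GET /cgi-bin/test.cgi?x=;id HTTP/1.1"]),
    ]
    verdicts = [nqc.evaluate(a) for a in alerts]
    return verdicts, nqc.stats, nqc.rules_to_tune()


if __name__ == "__main__":
    verdicts, stats, tune = run_demo()
    for rule, s in stats.items():
        print(f"{rule}: attack={s.attack} benign={s.benign} fp_rate={s.false_positive_rate:.2f}")
    print("rules recommended for tuning:", tune)
```

The point of the feedback is that the rule itself is never silenced on the basis of one verdict; only a rule whose alerts are repeatedly resolved as benign inside the channel is flagged for tuning, while a single confirmed attack on the same rule is still counted and surfaced.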