False Alarm Classification Model for Network-Based Intrusion Detection System

  • Moon Sun Shin
  • Eun Hee Kim
  • Keun Ho Ryu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3177)


Network-based IDS(Intrusion Detection System) gathers network packet data and analyzes them into attack or normal. But they often output a large amount of low-level or incomplete alert information. Such alerts can be unmanageable and also be mixed with false alerts. In this paper we proposed a false alarm classification model to reduce the false alarm rate using classification analysis of data mining techniques. The model was implemented based on associative classification in the domain of DDOS attack. We evaluated the false alarm classifier deployed in front of Snort with Darpa 1998 dataset and verified the reduction of false alarm rate. Our approach is useful to reduce false alerts and to improve the detection rate of network-based intrusion detection systems.


False Alarm Association Rule False Alarm Rate Intrusion Detection Intrusion Detection System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Schnackenberg, D., Djahandari, K., Sterne, D.: Infrastructure for Intrusion Detection and Response. In: Proceedings of the DARPA ISCE, Hilton Head, SC (January 2000)Google Scholar
  2. 2.
    Lee, M.J., Shin, M.S., Moon, H.S., Ryu, K.H.: Design and Implementation of Alert Analyzer with Data Mining Engine. In: Liu, J., Cheung, Y.-m., Yin, H. (eds.) IDEAL 2003. LNCS, vol. 2690, Springer, Heidelberg (2003)Google Scholar
  3. 3.
    Lee, W., Stolfo, S.J., Mok, K.W.: A Data Mining Framework for Building Intrusion Detection Models. In: Proc. The 2nd International Symposium on Recent Advances in Intrusion Detection, RAID (1999)Google Scholar
  4. 4.
    Ross Quinlan, J.: C4.5: Programs for and Neural Networks, Machine Learning. Morgan Kaufman publishers, San Francisco (1993)Google Scholar
  5. 5.
    Snort. Open-source Network Intrusion Detection System,
  6. 6.
    Spafford, E.H., Zamboni, D.: Intrusion detection using autonomous agents. Computer Networks 34, 547–570 (2000)CrossRefGoogle Scholar
  7. 7.
    Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Recent Advances in Intrusion Detection. LNCS, pp. 85–103 (2001)Google Scholar
  8. 8.
    Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Tcpdump/Libpcap, Network Packet Capture Program (2003),
  10. 10.
    Ning, P., Cui, Y.: An intrusion alert correlator based on prerequisites of intrusions, Technical Report TR-2002-01, Department of Computer Science, North Carolina State University (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Moon Sun Shin
    • 1
  • Eun Hee Kim
    • 1
  • Keun Ho Ryu
    • 1
  1. 1.Database LaboratoryChungbuk National UniversityKorea

Personalised recommendations