IDS False Alarm Filtering Using KNN Classifier
Intrusion detection is one of the important aspects of computer security. Many commercial intrusion detection systems (IDSs) are available and are widely used by organizations. However, most of them suffer from a high false alarm rate, which adds a heavy workload for the security officers responsible for handling the alarms. In this paper, we propose a new method to reduce the number of false alarms. We model the normal alarm patterns of IDSs and detect anomalies in incoming alarm streams using a k-nearest-neighbor classifier. Preliminary experiments show that our approach successfully reduces up to 93% of the false alarms generated by a well-known IDS.
Keywords: False Alarm, False Alarm Rate, Intrusion Detection, Intrusion Detection System, Audit Data
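The abstract describes the approach only at a high level: model the IDS's normal (background) alarm pattern, then use a k-nearest-neighbor classifier to decide whether a new stretch of the alarm stream looks like that background noise (filter it) or not (escalate it). The following Python is an added illustration of that idea and is not the paper's code; the page gives neither the feature encoding, the value of k, nor any distance threshold, so the per-window signature-count features, Euclidean distance, k = 3, the `max_distance` cut-off, the signature names and the alarm stream are all assumptions constructed for this example. One design choice worth noting: a window whose nearest neighbours are all far away is escalated rather than filtered, so a pattern the model has never seen is never silently dropped.

```python
"""kNN false-alarm filter over windowed IDS alarm counts (illustrative example)."""
import math
from collections import Counter, defaultdict

# Fixed feature order. Names are constructed for this example, not real IDS signature IDs.
SIGNATURES = ["ICMP_PING", "SNMP_REQUEST", "HTTP_DIR_TRAVERSAL", "SQL_INJECTION", "PORTSCAN"]
WINDOW_SECONDS = 60  # assumption: alarms are aggregated per 60-second window


def alarms_to_vectors(alarms, window=WINDOW_SECONDS):
    """Turn (timestamp, signature) alarms into {window_start: count vector over SIGNATURES}."""
    buckets = defaultdict(Counter)
    for ts, sig in alarms:
        buckets[ts // window * window][sig] += 1
    return {start: [float(c[s]) for s in SIGNATURES] for start, c in sorted(buckets.items())}


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class KnnAlarmFilter:
    """Majority-vote kNN over labelled windows, with a novelty fail-safe."""

    def __init__(self, k=3, max_distance=5.0):
        self.k = k
        self.max_distance = max_distance  # assumption: mean neighbour distance above this is "unseen"
        self.train = []  # list of (vector, label) with label in {"false", "true"}

    def fit(self, vectors, labels):
        self.train = list(zip(vectors, labels))

    def classify(self, vec):
        """Return "filter" (treat window as false alarms) or "escalate" (hand to an analyst)."""
        if not self.train:
            return "escalate"
        neighbours = sorted(self.train, key=lambda t: euclid(vec, t[0]))[: self.k]
        mean_dist = sum(euclid(vec, v) for v, _ in neighbours) / len(neighbours)
        if mean_dist > self.max_distance:
            return "escalate"  # novel pattern: never filter what the model has not seen
        votes = Counter(label for _, label in neighbours)
        return "filter" if votes["false"] > votes["true"] else "escalate"


def train_default():
    """Fit on constructed training windows: routine noise ("false") and known attacks ("true")."""
    noise = [[4, 2, 0, 0, 0], [5, 1, 0, 0, 0], [3, 2, 1, 0, 0], [6, 2, 0, 0, 0], [4, 3, 0, 0, 0]]
    attacks = [[1, 0, 8, 3, 0], [0, 0, 6, 5, 0], [2, 1, 0, 0, 20]]
    model = KnnAlarmFilter(k=3, max_distance=5.0)
    model.fit(noise + attacks, ["false"] * len(noise) + ["true"] * len(attacks))
    return model


# Constructed incoming alarm stream: (timestamp in seconds, signature name).
STREAM = (
    [(t, "ICMP_PING") for t in (0, 10, 20, 30)] + [(5, "SNMP_REQUEST"), (45, "SNMP_REQUEST")]  # background noise
    + [(61, "ICMP_PING")] + [(62 + i, "HTTP_DIR_TRAVERSAL") for i in range(7)]
    + [(70 + i, "SQL_INJECTION") for i in range(4)]                                            # web attack burst
    + [(120 + 5 * i, "ICMP_PING") for i in range(5)] + [(121, "SNMP_REQUEST"), (150, "SNMP_REQUEST")]
    + [(180 + i, "ICMP_PING") for i in range(30)]                                               # unseen ICMP flood
)


def run_filter(alarms, model):
    """Classify every window of the stream; returns {window_start: decision}."""
    return {start: model.classify(vec) for start, vec in alarms_to_vectors(alarms).items()}


if __name__ == "__main__":
    decisions = run_filter(STREAM, train_default())
    for start, decision in decisions.items():
        print(f"window {start:>4}s: {decision}")
    filtered = sum(1 for d in decisions.values() if d == "filter")
    print(f"{filtered}/{len(decisions)} windows filtered as false alarms")
```

Run as a script to see the per-window decisions: the two background-noise windows are filtered, the web-attack window is escalated by the vote, and the ICMP flood is escalated by the novelty cut-off even though its nearest neighbours are all "false" windows.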