Intelligent Alarm Filter Using Knowledge-Based Alert Verification in Network Intrusion Detection

  • Yuxin Meng
  • Wenjuan Li
  • Lam-for Kwok
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7661)


Network intrusions have become a big challenge to current network environment. Thus, network intrusion detection systems (NIDSs) are being widely deployed in various networks aiming to detect different kinds of network attacks (e.g., Trojan, worms). However, in real settings, a large number of alarms can be generated during the detection procedure, which greatly decrease the effectiveness of these intrusion detection systems. To mitigate this problem, we advocate that constructing an alarm filter is a promising solution. In this paper, we design and develop an intelligent alarm filter to help filter out NIDS alarms by means of knowledge-based alert verification. In particular, our proposed method of knowledge-based alert verification employs a rating mechanism in terms of expert knowledge to classify incoming NIDS alarms. We implemented and evaluated this intelligent knowledge-based alarm filter in a network environment. The experimental results show that the developed alarm filter can accurately filter out a number of NIDS alarms and achieve a better outcome.


Intelligent System Alarm Filtration Alert Verification Knowledge Representation and Integration Network Intrusion Detection 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Axelsson, S.: The Base-Rate Fallacy and the Difficulty of Intrusion Detection. ACM Transactions on Information and System Security, 186–205 (August 2000)Google Scholar
  2. 2.
    Symantec Corp., Internet Security Threat Report, vol. 16, (accessed on May 26, 2012)
  3. 3.
    Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31(23-24), 2435–2463 (1999)CrossRefGoogle Scholar
  4. 4.
    Scarfone, K., Mell, P.: Guide to Intrusion Detection and Prevention Systems (IDPS), pp. 800–894. NIST Special Publication (2007)Google Scholar
  5. 5.
    Vigna, G., Kemmerer, R.A.: NetSTAT: a Network-based Intrusion Detection Approach. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 25–34. IEEE Press, New York (1998)Google Scholar
  6. 6.
    Roesch, M.: Snort: Lightweight Intrusion Detection for Networks. In: Proceedings of 13th Large Installation System Administration Conference (LISA), pp. 229–238. USENIX Association Berkeley, CA (1999)Google Scholar
  7. 7.
    Valdes, A., Anderson, D.: Statistical Methods for Computer Usage Anomaly Detection Using NIDES. Technical report, SRI International (January 1995)Google Scholar
  8. 8.
    Ghosh, A.K., Wanken, J., Charron, F.: Detecting Anomalous and Unknown Intrusions Against Programs. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 259–267 (1998)Google Scholar
  9. 9.
    Ptacek, T.H., Newsham, T.N.: Insertion, Evation, and Denial of Service: Eluding Network Intrusion Detection. Technical Report, Secure Networks (January 1998)Google Scholar
  10. 10.
    McHugh, J.: Testing Intrusion Detection Systems: a Critique of the 1998 and 1999 Darpa Intrusion Detection System Evaluations as Performed by Lincoln Laboratory. ACM Transactions on Information System Security, 262–294 (2000)Google Scholar
  11. 11.
    Lippmann, R.P., Fried, D.J., Graf, I., Haines, J.W., Kendall, K.R., McClung, D., Weber, D., Webster, S.E., Wyschogrod, D., Cunningham, R.K., Zissman, M.A.: Evaluating Intrusion Detection Systems: the 1998 DARPA off-line Intrusion Detection Evaluation. In: Proceedings of DARPA Information Survivability Conference and Exposition, pp. 12–26 (2000)Google Scholar
  12. 12.
    Meng, Y., Kwok, L.-F.: Adaptive False Alarm Filter Using Machine Learning in Intrusion Detection. In: Wang, Y., Li, T. (eds.) Practical Applications of Intelligent Systems. AISC, vol. 124, pp. 573–584. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  13. 13.
    Snort-The Open Source Network Intrusion Detection System, (accessed on April 25, 2012)
  14. 14.
    Sommer, R., Paxson, V.: Outside the Closed World: On using Machine Learning for Network Intrusion Detection. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 305–316 (2010)Google Scholar
  15. 15.
    Kruegel, C., Robertson, W.: Alert Verification: Determining the Success of Intrusion Attempts. In: Proceedings of Workshop on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), pp. 25–38 (July 2004)Google Scholar
  16. 16.
    Zhou, J., Carlson, A.J., Bishop, M.: Verify Results of Network Intrusion Alerts Using Light-weight Protocol Analysis. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 117–126 (December 2005)Google Scholar
  17. 17.
    Mu, C., Huang, H., Tian, S.: Intrusion Detection Alert Verification Based on Multi-level Fuzzy Comprehensive Evaluation. In: Hao, Y., Liu, J., Wang, Y.-P., Cheung, Y.-M., Yin, H., Jiao, L., Ma, J., Jiao, Y.-C. (eds.) CIS 2005. LNCS (LNAI), vol. 3801, pp. 9–16. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Wireshark, Homepage, (accessed on April 10, 2012)
  19. 19.
    Pietraszek, T.: Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 102–124. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  20. 20.
    Kruegel, C., Robertson, W., Vigna, G.: Using Alert Verification to Identify Successful Intrusion Attempts. Journal of Practice in Information Processing and Communication 27(4), 220–228 (2004)Google Scholar
  21. 21.
    Law, K.H., Kwok, L.-F.: IDS False Alarm Filtering Using KNN Classifier. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 114–121. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Meng, Y., Li, W.: Constructing Context-based Non-Critical Alarm Filter in Intrusion Detection. In: Proceedings of International Conference on Internet Monitoring and Protection (ICIMP), pp. 75–81 (2012)Google Scholar
  23. 23.
    Alharby, A., Imai, H.: IDS False Alarm Reduction Using Continuous and Discontinuous Patterns. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 192–205. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Yuxin Meng
    • 1
  • Wenjuan Li
    • 2
  • Lam-for Kwok
    • 1
  1. 1.Department of Computer Science, College of Science and EngineeringCity University of Hong KongHong KongChina
  2. 2.Computer Science DivisionZhaoqing Foreign Language CollegeGuangdongChina

Personalised recommendations