Abstract
Intrusion detection is one of the important aspects of computer security. Many commercial intrusion detection systems (IDSs) are available and are widely used by organizations. However, most of them suffer from a high false alarm rate, which adds a heavy workload for the security officers responsible for handling the alarms. In this paper, we propose a new method to reduce the number of false alarms. We model the normal alarm patterns of IDSs and detect anomalies in incoming alarm streams using a k-nearest-neighbor classifier. Preliminary experiments show that our approach successfully reduces up to 93% of the false alarms generated by a well-known IDS.
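The abstract describes the approach only in outline. The following is an added illustration, not the paper's code and not its actual feature design: it assumes alarms are bucketed into fixed time windows, that each window is summarised as a per-signature count vector, that distance is Euclidean, and that the anomaly threshold is taken from leave-one-out k-NN distances over windows already believed to be benign. Windows close to the normal profile are treated as routine (their alarms are suppressed); windows far from it are forwarded for analyst review. The signature names and alarm counts are constructed sample data.

```python
"""KNN-based IDS false-alarm filter (illustrative; assumed design, not the paper's)."""
from collections import Counter
from heapq import nsmallest
from math import sqrt

# Signature vocabulary used to build fixed-length feature vectors (constructed names).
SIGNATURES = ("ICMP_PING", "SNMP_REQUEST", "HTTP_DIR_TRAVERSAL", "SMB_SCAN", "DNS_ZONE_XFER")


def window_vector(alarms, signatures=SIGNATURES):
    """One feature per signature: how many alarms of that type fired in the window."""
    counts = Counter(alarms)
    return [counts.get(sig, 0) for sig in signatures]


def euclidean(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class KnnAlarmFilter:
    """Profiles 'normal' alarm windows; a window whose mean distance to its k nearest
    profile windows exceeds the threshold is treated as anomalous."""

    def __init__(self, normal_windows, k=3, margin=1.5):
        if len(normal_windows) <= k:
            raise ValueError("need more than k normal windows to fit a profile")
        self.k = k
        self.profile = [window_vector(w) for w in normal_windows]
        # Threshold from leave-one-out scores of the training windows: the largest
        # k-NN distance observed among known-normal windows, widened by a margin factor
        # (the margin is an assumed tuning knob, not something the paper specifies).
        loo = [self._knn_distance(v, exclude=i) for i, v in enumerate(self.profile)]
        self.threshold = margin * max(loo)

    def _knn_distance(self, vec, exclude=None):
        dists = [euclidean(vec, p) for i, p in enumerate(self.profile) if i != exclude]
        return sum(nsmallest(self.k, dists)) / self.k

    def score(self, alarms):
        return self._knn_distance(window_vector(alarms))

    def is_anomalous(self, alarms):
        return self.score(alarms) > self.threshold


def filter_stream(flt, windows):
    """Return (forwarded, suppressed): forwarded holds (window index, score) for
    anomalous windows; suppressed counts windows judged to be routine noise."""
    forwarded, suppressed = [], 0
    for idx, alarms in enumerate(windows):
        if flt.is_anomalous(alarms):
            forwarded.append((idx, round(flt.score(alarms), 3)))
        else:
            suppressed += 1
    return forwarded, suppressed


# Constructed training data: windows of routine background alarms.
NORMAL_WINDOWS = [
    ["ICMP_PING"] * 5 + ["SNMP_REQUEST"] * 2,
    ["ICMP_PING"] * 4 + ["SNMP_REQUEST"] * 3,
    ["ICMP_PING"] * 6 + ["SNMP_REQUEST"] * 2,
    ["ICMP_PING"] * 5 + ["SNMP_REQUEST"] * 3,
    ["ICMP_PING"] * 4 + ["SNMP_REQUEST"] * 2,
    ["ICMP_PING"] * 6 + ["SNMP_REQUEST"] * 3,
]

# Constructed incoming stream: four routine windows and one unusual burst.
INCOMING = [
    ["ICMP_PING"] * 5 + ["SNMP_REQUEST"] * 2,
    ["ICMP_PING"] * 4 + ["SNMP_REQUEST"] * 3,
    ["ICMP_PING"] * 5 + ["SNMP_REQUEST"] * 2
    + ["HTTP_DIR_TRAVERSAL"] * 8 + ["SMB_SCAN"] * 12,
    ["ICMP_PING"] * 6 + ["SNMP_REQUEST"] * 2,
    ["ICMP_PING"] * 5 + ["SNMP_REQUEST"] * 3,
]


def demo():
    flt = KnnAlarmFilter(NORMAL_WINDOWS, k=3)
    return filter_stream(flt, INCOMING)


if __name__ == "__main__":
    forwarded, suppressed = demo()
    print("forwarded for review:", forwarded)
    print("suppressed as routine:", suppressed)
```

The threshold is derived from the normal data itself rather than hand-picked, which is what makes the filter adapt to a site's own alarm background; the trade-off is that any attack traffic present in the "normal" training windows would be learned as normal, so the training period should be vetted before the profile is trusted.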
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Law, K.H., Kwok, L.F. (2005). IDS False Alarm Filtering Using KNN Classifier. In: Lim, C.H., Yung, M. (eds) Information Security Applications. WISA 2004. Lecture Notes in Computer Science, vol 3325. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31815-6_10
DOI: https://doi.org/10.1007/978-3-540-31815-6_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24015-0
Online ISBN: 978-3-540-31815-6