nach oben

Journal of Network and Systems Management

Erschienen in:

02.05.2018

Enhancing the Accuracy of Intrusion Detection Systems by Reducing the Rates of False Positives and False Negatives Through Multi-objective Optimization

verfasst von: Fatma Hachmi, Khadouja Boujenfa, Mohamed Limam

Erschienen in: Journal of Network and Systems Management | Ausgabe 1/2019

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Intrusion detection systems (IDSs) are the fundamental parts of any network security infrastructure given their role as layers of defense against hackers. However, IDSs generate frequent instances of false alerts and miss a lot of real attacks that block the normal traffic and threaten the network security. It is not possible to identify a missed intrusion using one IDS, so multiple IDSs are used since they respond differently to the same packet trace and produce different alert sets. Actually, an attack missed by an IDS can be detected by another while inspecting the same network traffic. In this paper, we propose a multi-objective optimization process that aims to identify false negatives and false positives from the sets of alerts generated by multiple IDSs. In the first step, low-level alerts are clustered into meta-alerts to give a better understanding of the output of each IDS. Then, a filtering step is performed having as input the distinct meta-alert sets generated by different IDSs and as output the set of potential false negatives collecting the meta-alerts detected by some IDSs and missed by others. Meta-alerts generated by all IDSs are discarded since they cannot be missed attacks. Later, a clustering inter-IDS step is performed to group together similar meta-alerts generated by different IDSs. This clustering step aims to avoid the redundancy between the alerts generated by more than one IDS. Finally, a binary multi-objective optimization problem is used to detect false negatives and false positives. The proposed method is evaluated using a real network traffic, DARPA 1999 and NSL-KDD data sets. Experimental results show that the proposed process outperforms concurrent methods for false negatives and false positives detection.

Vorheriger Artikel TMM: Trust Management Middleware for Cloud Service Selection by Prioritization

Nächster Artikel SECA on MIA-DTN: Tackling the Energy Issue in Monitor Incorporated Adaptive Delay Tolerant Network Using a Simplistic Energy Conscious Approach

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Trans. Inf. Syst. Secu.—TISSEC 6(4), 443–471 (2003)CrossRef

Julisch, K.: Mining alarm clusters to improve alarm handling efficiency. In: Computer Security Applications Conference, pp. 12–21 (2001)

Pietraszek, T.: Using adaptive alert classification to reduce false positives in intrusion detection. In: Proceedings of 7th International Symposium, RAID 2004, Sophia Antipolis, France, pp. 102–124 (2004)

Pietraszek, T., Tanner, A.: Data mining and machine learning towards reducing false positives in intrusion detection. Inf. Secur. Tech. Rep. 10(3), 169–183 (2005)CrossRef

Pietraszek, T.: Alert Classification to Reduce False Positives in Intrusion Detection, Germany (2006)

Valeur, F., Vigna, G., Kruegel, C., Kemmerer, A.: A comprehensive approach to intrusion detection alert correlation. IEEE Trans. Dependable Secure Comput. 1(3), 146–169 (2004)CrossRef

Khan, L., Awad, M., Thuraisingham, B.: A new intrusion detection system using support vector machines and hierarchical clustering. VLDB J. 16(4), 507–521 (2007)CrossRef

Spathoulas, G.P., Katsikas, S.K.: Reducing false positives in intrusion detection systems. Comput. Secur. 29(1), 35–44 (2010)CrossRef

Mansour, N., Chehab, M.I., Faour, A.: Filtering intrusion detection alarms. Clust. Comput. 13(1), 19–29 (2010)CrossRef

10.

Zhang, Y.Y., Huang, S., Wang, Y.: IDS alert classification model construction using decision support techniques. In: International Conference on Computer Science and Electronics Engineering, pp. 301–305 (2012)

11.

Gupta, D., Joshi, P.S., Bhattacharjee, A.K., Mundada, R.S.: IDS alerts classification using knowledge-based evaluation. In: International Conference on Communication Systems and Networks January, 1–8 (2012)

12.

Tjhai, G.C., Furnell, S.M., Papadaki, M., Clarke, N.L.: A preliminary two-stage alarm correlation and filtering system using SOM neural network and k-means algorithm. Comput. Secur. 29(6), 712–723 (2010)CrossRef

13.

Elshoush, H,T., Osman, I.M.: An improved framework for intrusion alert correlation. In: WCE12: Proceedings of the 2012 World Congress on Engineering, pp. 1–6 (2012)

14.

Benferhat, S., Boudjelida, A., Tabia, K., Drias, H.: An intrusion detection and alert correlation approach based on revising probabilistic classifiers using expert knowledge. Int. J. Appl. Intell. 38(4), 520–540 (2013)CrossRef

15.

Hubballi, N., Suryanarayanan, V.: False alarm minimization techniques in signature-based intrusion detection systems: a survey. Comput. Commun. 49, 17 (2014)CrossRef

16.

Guo, C., Zhou, Y., Ping, Y., Zhang, Z., Liu, G., Yang, Y.: A distance sum-based hybrid method for intrusion detection. Appl. Intell. 40(1), 178–188 (2014)CrossRef

17.

Elhag, S., Fernndez, A., Bawakid, A., Alshomrani, S., Herrera, F.: On the combination of genetic fuzzy systems and pairwise learning for improving detection rates on intrusion detection systems. Expert Syst. Appl. 42(1), 193–202 (2015)CrossRef

18.

Lin, W.-C., Ke, S.-W., Tsai, C.-F.: CANN: an intrusion detection system based on combining cluster centers and nearest neighbors. Knowl. Based Syst. 78, 13–21 (2015)CrossRef

19.

Chen, I.-W., Lin, P.-C., Luo, C.-C., Cheng, T.-H., Lin Y.-D., Lai, Y.-C.: Extracting attack sessions from real traffic with intrusion prevention systems, In: Proceeding of IEEE International Conference on Communications (ICC) (2009)

20.

Latif-shabgahi, G., Bass, J.M., Bennett, S.: A taxonomy for software voting algorithm used in safety-critical systems. IEEE Trans. Reliab. 53(3), 319–28 (2004)CrossRef

21.

Parham, B.: Voting algorithms. IEEE Trans. Reliab. 43(4), 617–629 (2002)CrossRef

22.

Lin, Y.-D., Lai, Y.-C., Ho, C.-Y., Tai, W.-H.: Creditability-based weighted voting for reducing false positives and negatives in intrusion detection. Comput. Secur. 39, 460–474 (2013)CrossRef

23.

Ho, C.-Y., Lai, Y.-C., Chen, I.-W., Wang, F.-Y., Tai, W.-H.: Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems. IEEE Commun. Mag. 50(3), 146–54 (2012)CrossRef

24.

Yusof, R., Selamat, S., Sahib, S.: Intrusion alert correlation technique analysis for heterogenous log. Int. J. Comput. Sci. Netw. Secur. 8(9), 132–138 (2008)

25.

Dunn, J.C.: A fuzzy relative of the isodata process and its compact well-separated clusters. J. Cybern. 3(3), 3257 (1973)CrossRefMATH

26.

Bishop, C.: Pattern Recognition and Machine Learning. Springer, New York (2006)MATH

27.

Grodzevich, O., Romanko, O.: Performance evaluation of an intelligent CAC and routing framework for multimedia applications in broadband networks normalization. In: Proceedings of the Fields-MITACS Industrial Problems Workshop, Toronto, Ontario (2006)

Titel: Enhancing the Accuracy of Intrusion Detection Systems by Reducing the Rates of False Positives and False Negatives Through Multi-objective Optimization
verfasst von: Fatma Hachmi
Khadouja Boujenfa
Mohamed Limam
Publikationsdatum: 02.05.2018
Verlag: Springer US
Erschienen in: Journal of Network and Systems Management / Ausgabe 1/2019
Print ISSN: 1064-7570
Elektronische ISSN: 1573-7705
DOI: https://doi.org/10.1007/s10922-018-9459-y

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2019

Virtual Machine Placement Algorithm for Energy Saving and Reliability of Servers in Cloud Data Centers

Acknowledgment to Reviewers

Anomaly Detection and Modeling in 802.11 Wireless Networks

TMM: Trust Management Middleware for Cloud Service Selection by Prioritization

Optimizing Trade-Off Between Cost and Performance of Data Transfers Using Bandwidth Reservation in Dedicated Networks

Dynamic Bandwidth Allocation for Video Traffic Using FARIMA-Based Forecasting Models

Premium Partner