An efficient approach to reduce alerts generated by multiple IDS products

Nguyen, Toan Van; Luo, Juan; Njogu, Humphrey Waita

doi:10.1002/nem.1857

Cited by 11 publications

(5 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the context of intrusion detection, the false/missed alarm (FPR or FNR) is an important metric: a high rate of false alarms disturbs the security staff attention and increases the chance of a missed attack. The minimization of such events is an essential field of IDS research [95]. This metric demonstrates (Table 6) that AWSCTD family models have an advantage against the FCN family: the AWSCTD-CNN-GRU model has the best FPR of 0.018 for 1000 system calls sequence, while LSTM-FCN has the best value of 0.027 for the same sequence, i.e., 50% worse.…”

Section: Fpr and Fnrmentioning

confidence: 98%

Investigation of Dual-Flow Deep Learning Models LSTM-FCN and GRU-FCN Efficiency against Single-Flow CNN Models for the Host-Based Intrusion and Malware Detection Task on Univariate Times Series Data

Čeponis

Goranin

2020

Applied Sciences

View full text Add to dashboard Cite

Intrusion and malware detection tasks on a host level are a critical part of the overall information security infrastructure of a modern enterprise. While classical host-based intrusion detection systems (HIDS) and antivirus (AV) approaches are based on change monitoring of critical files and malware signatures, respectively, some recent research, utilizing relatively vanilla deep learning (DL) methods, has demonstrated promising anomaly-based detection results that already have practical applicability due low false positive rate (FPR). More complex DL methods typically provide better results in natural language processing and image recognition tasks. In this paper, we analyze applicability of more complex dual-flow DL methods, such as long short-term memory fully convolutional network (LSTM-FCN), gated recurrent unit (GRU)-FCN, and several others, for the task specified on the attack-caused Windows OS system calls traces dataset (AWSCTD) and compare it with vanilla single-flow convolutional neural network (CNN) models. The results obtained do not demonstrate any advantages of dual-flow models while processing univariate times series data and introducing unnecessary level of complexity, increasing training, and anomaly detection time, which is crucial in the intrusion containment process. On the other hand, the newly tested AWSCTD-CNN-static (S) single-flow model demonstrated three times better training and testing times, preserving the high detection accuracy.

show abstract

Section: Fpr and Fnrmentioning

confidence: 98%

Investigation of Dual-Flow Deep Learning Models LSTM-FCN and GRU-FCN Efficiency against Single-Flow CNN Models for the Host-Based Intrusion and Malware Detection Task on Univariate Times Series Data

Čeponis

Goranin

2020

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…Regrettably, the method is not tested with any datasets. An alert management approach with enhanced alert verification and alert aggregator modules were proposed to reduce the alerts quantity wherein the method produces inefficient clustering [12]. A correlation based alert processing model was introduced with an ample set of components.…”

Section: Related Workmentioning

confidence: 99%

A Quality Framework to Improve IDS Performance Through Alert Post-Processing

Riyad¹,

Ahmed²,

Almistarihi³

2019

IJIES

View full text Add to dashboard Cite

An intrusion detection system is one of the network security tools installed to monitor suspicious activity in the network and act as a last line of defense. It normally notifies about the skeptical activity occurred in the network using sensors by sending alarms to the administrator. However, the IDS present in the large network generates not only a large number of alerts but also abundant false alerts. These generated alerts are very difficult to handle as it increases the burden for the network administrator and also pulls down the performance of the defense system. In order to overcome the issue, various countermeasures have been proposed. Commonly, to increase the quality of alerts, the alerts are post-processed in such a way that the false alerts are filtered out thereby refining the performance of the IDS defense. In this paper, we propose an IDS quality framework using alert post-processing techniques to separate out the false alerts generated by various sensors in the network. At low level alert post-processing, the priority scores are assigned based on the quality measures to filter the irrelevant alerts having less significance. At high level alert postprocessing, higher level operations such as alert aggregation, clustering, and hyper alert correlation have been carried out to minimize the number of alerts and the high level report consisting of significant alerts is presented to the administrator. Experiments have been conducted using DARPA 2000 dataset to assess the performance of the proposed system. The system has produced pleasing results than many of the existing methods with 95% of alert reduction rate, 99% of completeness and 100% of soundness towards enlightening the quality of the alerts generated by the IDS.

show abstract

“…To mitigate this variation, we employ an ensemble anomaly detection method [8] that exploits the multiple baseline models trained using multiple sets of labeled-and-sampled/sampled-andlabeled data. A similar idea proposed in [25][26][27] exploits multiple existing anomaly detection systems in parallel. Since the multiple sets of labeled-andsampled/sampled-and-labeled data would have information about different features of the normal behavior of network traffic, the ensemble of the multiple baseline models trained using these heterogeneous data improves performance in anomaly detection more effectively than using a single baseline model.…”

Section: Ensemble Anomaly Detection Using Multiple Baseline Modelsmentioning

confidence: 99%

Human error tolerant anomaly detection based on time-periodic packet sampling

Uchida

2016

Knowledge-Based Systems

View full text Add to dashboard Cite

An efficient approach to reduce alerts generated by multiple IDS products

Cited by 11 publications

References 22 publications

Investigation of Dual-Flow Deep Learning Models LSTM-FCN and GRU-FCN Efficiency against Single-Flow CNN Models for the Host-Based Intrusion and Malware Detection Task on Univariate Times Series Data

Investigation of Dual-Flow Deep Learning Models LSTM-FCN and GRU-FCN Efficiency against Single-Flow CNN Models for the Host-Based Intrusion and Malware Detection Task on Univariate Times Series Data

A Quality Framework to Improve IDS Performance Through Alert Post-Processing

Human error tolerant anomaly detection based on time-periodic packet sampling

Contact Info

Product

Resources

About