False alarm reduction in signature‐based IDS: game theory approach

Subba, Basant; Biswas, Santosh; Karmakar, Sushanta

doi:10.1002/sec.1661

Cited by 10 publications

(5 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Basant Subba et al [46] proposed a game theory (GT)based false alarm (GTBFA) for reducing the FPA in signaturebased IDS. A high FPA rate led to considerable utilization of network assets for monitoring against useless network fear.…”

Section: ) Network Based Ids (Nids)mentioning

confidence: 99%

Deep Analysis of Risks and Recent Trends Towards Network Intrusion Detection System

Shankar¹,

George²,

S³

et al. 2023

IJACSA

View full text Add to dashboard Cite

In the modern world, information security and communications concerns are growing due to increasing attacks and abnormalities. The presence of attacks and intrusion in the network may affect various fields such as social welfare, economic issues and data storage. Thus intrusion detection (ID) is a broad research area, and various methods have emerged over the years. Hence, detecting and classifying new attacks from several attacks are complicated tasks in the network. This review categorizes the security threats and challenges in the network by accessing present ID techniques. The major objective of this study is to review conventional tools and datasets for implementing network intrusion detection systems (NIDS) with open source malware scanning software. Furthermore, it examines and compares state-of-art NIDS approaches in regard to construction, deployment, detection, attack and validation parameters. This review deals with machine learning (ML) based and deep learning (DL) based NIDS techniques and then deliberates future research on unknown and known attacks.

show abstract

Section: ) Network Based Ids (Nids)mentioning

confidence: 99%

Deep Analysis of Risks and Recent Trends Towards Network Intrusion Detection System

Shankar¹,

George²,

S³

et al. 2023

IJACSA

View full text Add to dashboard Cite

show abstract

“…In the security domain, detecting anomalies early is crucial to protecting resources and services and to preparing for potential attacks. Various studies, such as [8][9][10][11], have focused on early detection and reducing false alarms to alleviate the operational burden that arises from these events. In our framework, we create metrics, such as References and P-Values, to effectively detect false alarms during AI operations, thus supporting false alarm reduction and improving the efficiency of analysts' Anomaly Detection tasks.…”

Section: ) Supporting Effective False Alarm Reductionmentioning

confidence: 99%

Reference-Based AI Decision Support for Cybersecurity

Lee,

Han,

Lee

2023

IEEE Access

View full text Add to dashboard Cite

In the cyber environment, massive amounts of data are generated daily. Artificial Intelligence (AI) technologies can effectively manage this vast data to support efficient operations in the cyber environment. Thanks to active research, AI has advanced significantly in this regard. However, as AI achieves higher performance, it becomes increasingly complex, which results in the low interpretability of AI outputs. This black-box nature of AI technology makes AI chal-lenging to apply in fields like cybersecurity, where the risk of false positives is significant. To address this issue, researchers have been working on eXplainable Artificial Intelligence (XAI) technology, with the intention to enhance the utility of AI by providing interpretations of AI predictions. Most previous research has focused on understanding how models function in terms of feature importance to interpret AI results. However, this approach fails to provide clear interpretations in fields where interpretability is crucial, such as security. Therefore, this paper proposes a framework that offers interpretations of AI results, even in unsupervised environ-ments that are suitable for security scenarios. Additionally, we have improved the logic of cal-culation Reference and have enhanced the function and performance compared with previous research. We provide additional information that supports interpretation, such as P-Values and References, to offer more effective decision support to security analysts and to ultimately reduce false alarms and enhance model performance. Overall, we aim to improve the model's perfor-mance by providing clear interpretations that are suitable for security tasks, thereby contrib-uting to more effective decision-making by security analysts.

show abstract

“…This is understandable given that scrutinizing FPs requires a time-consuming process of either creating a sanitized labeled dataset [18], or the manual examination of the alerts generated. One of the few studies focused on FP is [26] where the authors propose a game theory-based false alarm minimization scheme that correlates IDS alarms with network vulnerabilities. They validated their work using the benchmark DARPA intrusion detection evaluation dataset and an in-house IIT Guwahati Lab dataset.…”

Section: Related Workmentioning

confidence: 99%

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

et al. 2022

View full text Add to dashboard Cite

Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.

show abstract

False alarm reduction in signature‐based IDS: game theory approach

Cited by 10 publications

References 36 publications

Deep Analysis of Risks and Recent Trends Towards Network Intrusion Detection System

Deep Analysis of Risks and Recent Trends Towards Network Intrusion Detection System

Reference-Based AI Decision Support for Cybersecurity

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

Contact Info

Product

Resources

About