Network specific false alarm reduction in intrusion detection system

Hubballi, Neminath; Biswas, Santosh; Nandi, Sukumar

doi:10.1002/sec.261

Cited by 24 publications

(29 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the other hand, (FPR) is defined by the number of nodes falsely detected as attacker nodes [35][36][37] and given by We obtain the delay values (in seconds) for both normal flow and attack scenarios after performing all steps, which are discussed in the high-level description of the detection scheme in Fig. 8.…”

Section: Simulation Resultsmentioning

confidence: 99%

See 1 more Smart Citation

An Efficient Hybrid Anomaly Detection Scheme Using K-Means Clustering for Wireless Sensor Networks

Wazid

Das

2016

Wireless Pers Commun

View full text Add to dashboard Cite

Sensor nodes in a wireless sensor network (WSN) may be lost due to enervation or malicious attacks by an adversary. WSNs deployed for several applications including military applications are prone to various attacks, which degrade the network performance very rapidly. Hybrid anomaly is a type of anomaly that contains the different types of attacker nodes such as blackhole, misdirection, wormhole etc. These multiple attacks can be launched in the network using the hybrid anomaly. In this situation, it is very difficult to find out which kind of attacker nodes are activated in the network. This motivates us to design a robust and efficient secure intrusion detection approach in order to extend the lifetime of a WSN. In this paper, we aim to propose a new intrusion detection technique for hybrid anomaly, which uses the existing data mining algorithm, called K-means clustering. For the detection purpose, patterns of intrusions are built automatically by the K-means clustering algorithm over training data. After that intrusions are detected by matching network activities against these detection patterns. We evaluate our approach over a WSN dataset that is created using Opnet modeler, which contains various attributes, such as endto-end delay, traffic sent and traffic received. The training dataset contains the normal values of the network parameters. The testing dataset is created in actual working mode consists of normal and abnormal values of the network parameters. The proposed technique has the ability to detect two types of malicious nodes: blackhole and misdirection nodes. Our scheme achieves 98.6 % detection rate and 1.2 % false positive rate, which are significantly better than the existing related schemes.

show abstract

Section: Simulation Resultsmentioning

confidence: 99%

“…Let TP be the number of true positives, FN the number of false negatives, FP the number of false positives and TN the number of true negatives. Then, DR is defined by the number of attackers detected by the scheme divided by the total number of attackers present in the test set [35][36][37] and given by…”

Section: Simulation Resultsmentioning

confidence: 99%

An Efficient Hybrid Anomaly Detection Scheme Using K-Means Clustering for Wireless Sensor Networks

Wazid

Das

2016

Wireless Pers Commun

View full text Add to dashboard Cite

show abstract

“…One suggested way to filter or prioritize alerts is to compare installed software with the software products mentioned in the alert [5][6][7][8][9][10]. For instance, if an alert concerns Linux-exploits but is raised for a Windowsmachine, it could be discarded.…”

Section: Information Used By Filtersmentioning

confidence: 99%

A test of intrusion alert filtering based on network information

Sommestad

Franke

2015

Security Comm. Networks

View full text Add to dashboard Cite

Intrusion detection systems continue to be a promising security technology. The arguably biggest problem with today's intrusion detection systems is the sheer number of alerts they produce for events that are regarded as benign or non‐critical by system administrators. A plethora of more and less complex solutions has been proposed to filter the relevant (i.e., correct) alerts that signature‐based intrusion detection sensors produce. This paper reports on a test performed to test a number of filtering alternatives that take advantage of information about static properties of the monitored computer network, such as vulnerabilities and exposure of ports and hosts. The results show that none of the filters are able to maintain a high recall (portion of detected attacks) while increasing the precision (portion of relevant alerts). At most, precision increased from 1.4% to 2.9%, and this also resulted in a decrease in recall from 44% to 26%. Even when combined in an exploratory fashion, the filters fail to provide improved precision. It is concluded that filters based on static properties of the computer network do not result in clear improvements to alert lists produced by signature‐based intrusion detection systems. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

“…Generally, IDSs gather and analyze information in a network in order to identify possible security breaches and generate an alert or alarm if an intrusion is detected. There are two classes of IDS : Signature‐based IDS: this recognizes patterns of attack and works in a similar way to antivirus software. The IDS essentially contains attack descriptions or signatures and matches them against the audit data stream, looking for evidence of known attacks.…”

Section: Introductionmentioning

confidence: 99%

An efficient approach to reduce alerts generated by multiple IDS products

2014

View full text Add to dashboard Cite

Intrusion detection systems (IDSs) often trigger a huge number of unnecessary alerts. Managing the overwhelming number of alerts, especially from multiple IDS products, is a concern to every security analyst. Analyzing and evaluating these alerts is a difficult task that frustrates the effort of analysts. In fact, true alerts are usually buried under heaps of false alerts. We have identified several research gaps in the existing alert management approaches that need to be addressed, especially when handling alerts from different IDS products. In this work, we present an efficient alert management approach that reduces the unnecessary alerts produced by different IDS products using two main modules: an enhanced alert verification module that validates alerts with vulnerability assessment data; and an enhanced alert aggregator module that reduces redundant alerts and presents them in the form of meta alerts. Finally, we have carried out experiments in our test bed and recorded impressive results in terms of high accuracy and low false positive rate for multiple IDS products.

show abstract

Network specific false alarm reduction in intrusion detection system

Cited by 24 publications

References 9 publications

An Efficient Hybrid Anomaly Detection Scheme Using K-Means Clustering for Wireless Sensor Networks

An Efficient Hybrid Anomaly Detection Scheme Using K-Means Clustering for Wireless Sensor Networks

A test of intrusion alert filtering based on network information

An efficient approach to reduce alerts generated by multiple IDS products

Contact Info

Product

Resources

About