Reducing false positives in intrusion detection systems

Σπαθούλας, Γεώργιος; Katsikas, Sokratis K.

doi:10.1016/j.cose.2009.07.008

Cited by 81 publications

(34 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…It is very robust to inadequate sampling and class imbalance and is potentially helpful in malware detection problem. Besides, another consideration is the control of the false positive rate (the rate that benign programs are misclassified as malware, abbreviated as FPR hereafter) [29,40]. Misclassification of a benign program is more serious than that of a malware.…”

Section: Motivations Of One-class Classification In Malware Detectionmentioning

confidence: 99%

Malware detection using bilayer behavior abstraction and improved one-class support vector machines

Miao

Liu

Cao

et al. 2015

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Malware detection is one of the most challenging problems in computer security. Recently, methods based on machine learning are very popular in unknown and variant malware detection. In order to achieve a successful learning, extracting discriminant and stable features is the most important prerequisite. In this paper, we propose a bilayer behavior abstraction method based on semantic analysis of dynamic API sequences. Operations on sensitive system resources and complex behaviors are abstracted in an interpretable way at different semantic layers. At the lower layer, raw API calls are combined to abstract low-layer behaviors via data dependency analysis. At the higher layer, low-layer behaviors are further combined to construct more complex high-layer behaviors with good interpretability. The extracted low-layer and high-layer behaviors are finally embedded into a highdimensional vector space. Hence, the abstracted behaviors can be directly used by many popular machine learning algorithms. Besides, to tackle the problem that benign programs are not adequately sampled or malware and benign programs are severely imbalanced, an improved one-class support vector machine (OC-SVM) named OC-SVM-Neg is proposed which makes use of the available negative samples. Experimental results show that the proposed feature extraction B Jiachen Liu method with OC-SVM-Neg outperforms binary classifiers on the false alarm rate and the generalization ability.

show abstract

Section: Motivations Of One-class Classification In Malware Detectionmentioning

confidence: 99%

Malware detection using bilayer behavior abstraction and improved one-class support vector machines

Miao

Liu

Cao

et al. 2015

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…The work [27] proposes a statistical approach to combine different features of the alerts, such as the number of occurrences, the frequency of the signatures, and prior knowledge. The metrics are computed and compared to thresholds with the aim of determining whether an alert is a false positive.…”

Section: Filteringmentioning

confidence: 99%

Automated root cause identification of security alerts: Evaluation in a SaaS Cloud

Cotroneo

Paudice²,

Pecchia

2016

Future Generation Computer Systems

View full text Add to dashboard Cite

“…On the one hand, a false positive is an alert generated by one or more sensors that does not actually correspond to an existing threat attempt. This situation can be due to an inherent limitation in the sensor's capabilities, or perhaps a failure in the detection algorithms (e.g., because of too much data to be analysed or detection rules at an inappropriate level of specificity required to detect more or less threats [10]). This type of alert is classified as an Honest False Positive (HFP), since it is a detection error but the sensor exhibits an honest behaviour.…”

Section: Sensor Behaviourmentioning

confidence: 99%

Trustworthy placements: Improving quality and resilience in collaborative attack detection

et al. 2014

View full text Add to dashboard Cite

In distributed and collaborative attack detection systems decisions are made on the basis of the events reported by many sensors, e.g., Intrusion Detection Systems placed across various network locations. In some cases such events originate at locations over which we have little control, for example because they belong to an organisation that shares information with us. Blindly accepting such reports as real encompasses several risks, as sensors might be dishonest, unreliable or simply compromised. In these situations trust plays an important role in deciding whether alerts should be believed or not. In this work we present an approach to maximise the quality of the information gathered in such systems and the resilience against dishonest behaviours. We introduce the notion of trust diversity amongst sensors and argue that detection configurations with such a property perform much better in many respects. Using reputation as a proxy for trust, we introduce an adaptive scheme to dynamically reconfigure the network of detection sensors. Experiments confirm an overall increase both in detection quality and resilience against compromise and misbehaviour.

show abstract

Reducing false positives in intrusion detection systems

Cited by 81 publications

References 4 publications

Malware detection using bilayer behavior abstraction and improved one-class support vector machines

Malware detection using bilayer behavior abstraction and improved one-class support vector machines

Automated root cause identification of security alerts: Evaluation in a SaaS Cloud

Trustworthy placements: Improving quality and resilience in collaborative attack detection

Contact Info

Product

Resources

About