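@comment{Entry 163: conference paper. The conference-track name was stored in
  journal (a field @inproceedings does not use) and is now in booktitle; the
  day/month/year string in month is split into the aug macro plus a biblatex
  eventdate; the conference city moves from address (publisher's city) to
  venue; the organization field duplicated publisher and was dropped; author
  names are in unambiguous "Last, First" form. The citation key is unchanged so
  existing cite references still resolve.}
@inproceedings{163,
  author    = {Treinen, James and Thurimella, Ramakrishna},
  title     = {Finding The Needle: Suppression of False Alarms in Large Intrusion Detection Data Sets},
  booktitle = {Dependable, Autonomic, Secure and Trusted Computing Track of The 7th {IEEE/IFIP} International Conference on Embedded and Ubiquitous Computing ({EUC-09})},
  year      = {2009},
  month     = aug,
  eventdate = {2009-08-29},
  venue     = {Vancouver},
  publisher = {IEEE Computer Society},
  abstract  = {Managed security service providers (MSSPs) must manage and monitor thousands of intrusion detection sensors. The sensors often vary by manufacturer and software version, making the problem of creating generalized tools to separate true attacks from false positives particularly difficult. Often times it is useful from an operations perspective to know if a particular sensor is acting out of character. We propose a solution to this problem using anomaly detection techniques over the set of alarms produced by the sensors. Similar to the manner in which an anomaly based sensor detects deviations from normal user or system behavior, we establish the baseline behavior of a sensor and detect deviations from this baseline. We show that departures from this profile by a sensor have a high probability of being artifacts of genuine attacks. We evaluate a set of time-based Markovian heuristics against a simple compression algorithm and show that we are able to detect the existence of all attacks which were manually identified by security personnel, drastically reduce the number of false positives, and identify attacks which were overlooked during manual evaluation.},
  keywords  = {intrusion detection, anomaly detection, Markov chain, hidden Markov model}
}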