
Finding The Needle: Suppression of False Alarms in Large Intrusion Detection Data Sets

Publication Type  Conference Paper
Year of Publication  2009
Authors  James Treinen; Ramakrishna Thurimella
Conference Name  Dependable, Autonomic, Secure and Trusted Computing Track of The 7th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC-09)
Conference Start Date  29/08/2009
Publisher  IEEE Computer Society
Conference Location  Vancouver
Key Words  intrusion detection; anomaly detection; markov chain; hidden markov model
Abstract  

Managed security service providers (MSSPs) must manage and monitor thousands of intrusion detection sensors. The sensors often vary by manufacturer and software version, making the problem of creating generalized tools to separate true attacks from false positives particularly difficult. It is often useful from an operations perspective to know whether a particular sensor is acting out of character. We propose a solution to this problem using anomaly detection techniques over the set of alarms produced by the sensors. Similar to the manner in which an anomaly-based sensor detects deviations from normal user or system behavior, we establish the baseline behavior of a sensor and detect deviations from this baseline. We show that departures from this profile by a sensor have a high probability of being artifacts of genuine attacks. We evaluate a set of time-based Markovian heuristics against a simple compression algorithm and show that we are able to detect the existence of all attacks which were manually identified by security personnel, drastically reduce the number of false positives, and identify attacks which were overlooked during manual evaluation.
