APHRODITE: an Anomaly-based Architecture for False Positive Reduction

We present APHRODITE, an architecture designed to reduce false positives in network intrusion detection systems. APHRODITE works by detecting anomalies in the output traffic, and by correlating them with the alerts raised by the NIDS working on the input traffic. Benchmarks show a substantial reduction of false positives and that APHRODITE is effective also after a "quick setup", i.e. in the realistic case in which it has not been "trained" and set up optimall

ATLANTIDES: Automatic Configuration for Alert Verification in Network Intrusion Detection Systems

We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%

A Synergetic Pattern Matching Method Based-on DHT Structure for Intrusion Detection in Large-scale Network

AbstractResearch in network security, with the attacks becoming more frequent, increasing complexity means, for the large-scale network intrusion detection, this paper presents a warning by analyzing the behavior of the log, the contents of the relevant association, through the DHT(Distributed Hash Table) distributed architecture, the Collabarative matching, fusion, and ultimately determine the method of attack paths. First, by improving the classical Apriori algorithm, greatly improving the efficiency of the association. At the same time, through the behavior pattern matching algorithms to extract information about the behavior of the alert and the behavior sequence elements to match the template, and through the right path to finally determine the value of the threat of the network path. After the design of a DHT network, the distributed collaborative match the path used to find complex network attacks. Finally, the overall algorithm flow, proposed a complete threat detection system architecture

A log mining approach for process monitoring in SCADA

SCADA (Supervisory Control and Data Acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions, which look legitimate, but which are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach of log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow

ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems

We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%

A Controlled Experiment on the Impact of Intrusion Detection False Alarm Rate on Analyst Performance

Organizations use intrusion detection systems (IDSes) to identify harmful activity among millions of computer network events. Cybersecurity analysts review IDS alarms to verify whether malicious activity occurred and to take remedial action. However, IDS systems exhibit high false alarm rates. This study examines the impact of IDS false alarm rate on human analyst sensitivity (probability of detection), precision (positive predictive value), and time on task when evaluating IDS alarms. A controlled experiment was conducted with participants divided into two treatment groups, 50% IDS false alarm rate and 86% false alarm rate, who classified whether simulated IDS alarms were true or false alarms. Results show statistically significant differences in precision and time on task. The median values for the 86% false alarm rate group were 47% lower precision and 40% slower time on task than the 50% false alarm rate group. No significant difference in analyst sensitivity was observed.Comment: 8 pages, 4 figure

Data Mining: How Popular Is It?

Data Mining is a process used in the industry, to facilitate decision making. As the name implies, large volumes of data is mined or sifted, to find useful information for decision making. With the advent of E-business, Data Mining has become more important to practitioners. The purpose of this paper is to find out the importance of Data Mining by looking at the different application areas that have used data mining for decision making