APHRODITE: an Anomaly-based Architecture for False Positive Reduction
We present APHRODITE, an architecture designed to reduce false positives in network intrusion detection systems. APHRODITE works by detecting anomalies in the output traffic and by correlating them with the alerts raised by the NIDS working on the input traffic. Benchmarks show a substantial reduction of false positives, and that APHRODITE is effective also after a "quick setup", i.e. in the realistic case in which it has not been "trained" and set up optimally
ATLANTIDES: Automatic Configuration for Alert Verification in Network Intrusion Detection Systems
We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%
A Synergetic Pattern Matching Method Based on DHT Structure for Intrusion Detection in Large-scale Network
Abstract: As network attacks become more frequent and more complex, intrusion detection in large-scale networks requires new methods. This paper presents a method that analyses the behaviour recorded in alert logs, associates the related alert contents, and uses a DHT (Distributed Hash Table) distributed architecture to perform collaborative matching and fusion, ultimately determining the attack paths. First, the classical Apriori algorithm is improved, greatly increasing the efficiency of association mining. Next, a behaviour pattern matching algorithm extracts the behavioural information of the alerts and matches the behaviour-sequence elements against a template, and path weights are used to determine the threat value of each network path. A DHT network is then designed so that distributed collaborative path matching can be used to find complex network attacks. Finally, the overall algorithm flow is given and a complete threat detection system architecture is proposed
A log mining approach for process monitoring in SCADA
SCADA (Supervisory Control and Data Acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions which look legitimate but which are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach of log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow
ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems
We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%
A Controlled Experiment on the Impact of Intrusion Detection False Alarm Rate on Analyst Performance
Organizations use intrusion detection systems (IDSes) to identify harmful activity among millions of computer network events. Cybersecurity analysts review IDS alarms to verify whether malicious activity occurred and to take remedial action. However, IDSes exhibit high false alarm rates. This study examines the impact of IDS false alarm rate on human analyst sensitivity (probability of detection), precision (positive predictive value), and time on task when evaluating IDS alarms. A controlled experiment was conducted with participants divided into two treatment groups, a 50% IDS false alarm rate and an 86% false alarm rate, who classified whether simulated IDS alarms were true or false alarms. Results show statistically significant differences in precision and time on task. The median values for the 86% false alarm rate group were 47% lower precision and 40% slower time on task than for the 50% false alarm rate group. No significant difference in analyst sensitivity was observed.
Comment: 8 pages, 4 figures
Data Mining: How Popular Is It?
Data Mining is a process used in industry to facilitate decision making. As the name implies, large volumes of data are mined, or sifted, to find useful information for decision making. With the advent of E-business, Data Mining has become more important to practitioners. The purpose of this paper is to find out the importance of Data Mining by looking at the different application areas that have used data mining for decision making