Lecture Notes in Computer Science 5185
The Problem of False Alarms 141
produced an unacceptably high rate of false positives, rising above the 50% ROC guess-line rate. Unfortunately, no further explanation was given of the nature of these false alarms.
Interestingly, a paper by Kayacik and Zincir-Heywood [11] discussed the benefit of running intrusion detection systems together with a firewall. The paper presented a benchmark evaluation of three security management tools (Snort, Pakemon and the Cisco IOS firewall). Significantly, the results showed that none of the tools could detect all the attacks. In fact, Snort was found to have produced a 99% false alarm rate, the highest rate compared to the other IDS (Pakemon). The results also revealed that Cisco IOS performed well, raising only a 68% false alarm rate. This suggested the use of firewall-based detection, which in turn decreases the attack traffic being passed to the IDSs.
Apart from the two studies above, which focused upon Snort performance, a large number of studies have used the 1998 and 1999 DARPA datasets to evaluate the performance of IDSs. One of those studies is that of Lippmann et al. [13], which demonstrated the need to develop techniques for finding new attacks instead of extending the existing rule-based approach. The evaluation showed that current research systems can reliably detect many existing attacks with a low false alarm rate, as long as examples of these attacks are available for training. In fact, the research systems missed many dangerous new attacks whose mechanisms differed from those of the old attacks. Interestingly, a similar paper was also written by Lippmann et al. [14], focusing upon the performance of different IDS types, such as host-based, anomaly-based and forensic-based systems, in detecting novel and stealthy attacks. This analysis proposed a number of practical approaches for improving the performance of the existing systems.
Alharby and Imai [2] also utilised the 1999 DARPA dataset to evaluate the performance of their proposed alarm reduction system. To obtain the normal alarm model, an alarm sequence is collected by processing the alerts generated by Snort on the first and third weeks (attack-free traffic) of the DARPA 1999 dataset. From these alarm sequences, sequential patterns are then extracted and used to filter and reduce the false alarms. The same data (the first and third weeks of the 1999 DARPA dataset) was also used by Bolzoni and Etalle [7] to train and evaluate the performance of their proposed false positive reduction system. Similarly, Alshammari et al. [3] used the same data to test their neural-network-based alarm reduction system with different background knowledge sets. The final result proved that the proposed technique significantly reduced the number of false alarms without requiring large background knowledge sets.
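The attack-free-training approach sketched above, reconstructed here as an added illustration (it is not the code of Alharby and Imai or of any other paper cited on this page): frequent k-grams of Snort signature ids observed on attack-free traffic form the normal model, and alerts from new traffic that fall inside a known-normal k-gram are filtered as probable false alarms. The alert streams and signature ids are constructed sample values, not real Snort output.

```python
from collections import Counter

# Constructed sample alert streams (not real Snort output): each entry is
# (arrival order, signature id). On attack-free traffic a three-alert
# background pattern (1000, 1001, 1002) repeats, so it is "normal" noise.
ATTACK_FREE_ALERTS = [
    (1, 1000), (2, 1001), (3, 1002), (4, 1000), (5, 1001), (6, 1002),
    (7, 1000), (8, 1001), (9, 1002), (10, 1000), (11, 1001), (12, 1002),
]
# New traffic: the same background pattern plus one signature (9001) never
# seen during training, which should survive the filter.
TEST_ALERTS = [(20, 1000), (21, 1001), (22, 1002), (23, 9001),
               (24, 1000), (25, 1001), (26, 1002)]


def extract_normal_patterns(alerts, k=3, min_support=2):
    """Normal model: every k-gram of signature ids seen >= min_support times."""
    sids = [sid for _, sid in alerts]
    grams = Counter(tuple(sids[i:i + k]) for i in range(len(sids) - k + 1))
    return {gram for gram, count in grams.items() if count >= min_support}


def filter_alarms(alerts, normal_patterns, k=3):
    """Split alerts into (kept, filtered): an alert is filtered when it sits
    inside any window of k consecutive alerts that matches a normal pattern."""
    sids = [sid for _, sid in alerts]
    covered = [False] * len(alerts)
    for i in range(len(sids) - k + 1):
        if tuple(sids[i:i + k]) in normal_patterns:
            for j in range(i, i + k):
                covered[j] = True
    kept = [alert for alert, hit in zip(alerts, covered) if not hit]
    filtered = [alert for alert, hit in zip(alerts, covered) if hit]
    return kept, filtered


if __name__ == "__main__":
    model = extract_normal_patterns(ATTACK_FREE_ALERTS)
    kept, dropped = filter_alarms(TEST_ALERTS, model)
    print("normal patterns:", sorted(model))
    print("kept:", kept)                                      # [(23, 9001)]
    print("filtered as likely false alarms:", len(dropped))  # 6
```

The same mechanism exposes the approach's weak point: an attack whose alerts happen to arrive in a sequence that also occurs on attack-free traffic is filtered along with the noise, so the filtered set should be retained for audit rather than discarded.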
Unlike the papers discussed above, our experiment focuses specifically upon the issue of false alarms, rather than the performance of IDSs (true alarms) in general. In this study, we propose to investigate in more detail some of the shortcomings that caused the generation of false alarms.