Lecture Notes in Computer Science 5185

More documents

Recommendations

Info

140 G.C. Tjhai et al. site connected to the Internet. The generated data set, which included a number of injected attacks at well defined points, were presented as tcpdump data, Basic Security Model (BSM), Windows NT audit data, process and file system information. The data were then used to evaluate the detection performance of signature-based as well as anomaly-based IDSs [14]. Although this data set appears to be one of the most preferred evaluation data sets used in IDS research and had addressed some of the concerns raised in the IDS research community, it received in-depth criticisms on how this data had been collected. The degree to which the stimulated background traffic is representative of real traffic is questionable, especially when it deals with the reservation about the value of the assessment made to explore the problem of the false alarm rate in real network traffic [16]. Significantly, Mahoney and Chan [15] also critically discuss how this data can be further used to evaluate the performance of network anomaly detector. Although the DARPA IDS evaluation dataset can help to evaluate the detection (true positive) performance on a network, it is doubtful whether it can be used to evaluate false positive performance. In fact, the time span between the dataset creation and its application to the current research has resulted in another reservation about the degree to which the data is representative of modern traffic. However, despite all of these criticisms, the dataset still remains of interest and appears to be the largest publicly available benchmark for IDS researchers [16]. Moreover, it is also significant that an assessment of the DARPA dataset is carried out to further investigate the potential false alarms generated from this synthetic network traffic. It is expected that the result of this analysis could describe or provide a general picture of the false alert issue faced by the existing IDSs. The main objective of the experiment described in this paper is to explore the issue of false alarm generation on the synthesized 1999 DARPA evaluation dataset. An investigation is also conducted to critically scrutinize the impact of false alarms on the IDS detection rate. Section 2 presents a number of related studies carried out to evaluate the performance of IDS. Section 3 discusses the methodology of the experiment. The findings are presented in section 4 and lastly, followed by conclusions in section 5. 2 Related Works As for IDS performance, a study has also been conducted to further assess the effectiveness of Snort’s detection against 1998 DARPA dataset evaluation [8]. Snort is an open source and signature-based IDS [9]. It is a lightweight IDS which can be easily deployed and configured by system administrators who need to implement a specific security solution in a short amount of time [17]. In other words, Snort is a flexible programming tool which enables the users to write their own detection rules rather than a static IDS tool. The evaluation was performed to appraise the usefulness of DARPA as IDS evaluation dataset and the effectiveness of the Snort ruleset against the dataset. Surprisingly, the result showed that Snort’s detection performance was very low and the system
The Problem of False Alarms 141 produced an unacceptably high rate of false positives, which rose above the 50% ROC’s guess line rate. Unfortunately, no further explanation was given to describe the nature of false alarms. Interestingly, a paper by Kayacik and Zincir-Heywood [11] discussed the benefit of implementing intrusion detection systems working together with a firewall. The paper had demonstrated a benchmark evaluation of three security management tools (Snort, Pakemon and Cisco IOS firewall). Significantly, the result showed that none of the tools could detect all the attacks. In fact, Snort IDS was found to have produced 99% of false alarm rate, the highest rate compared to the other IDS (Pakemon). The result had also revealed that Cisco IOS had performed well and raised only 68% of false alarm rate. This has suggested the implementation of a firewall-based detection,whichinturndecreasestheattack traffic being passed to the IDSs. Apart from the two studies above, which focused upon Snort performance, there are a large number of studies that have used the 1998 and 1999 DARPA dataset to evaluate the performance of IDSs. One of those studies is that of Lippmann et al [13], which managed to demonstrate the need for developing techniques to find new attacks instead of extending existing rule-based approach. The result of the evaluation demonstrated that current research systems can reliably detect many existing attacks with low false alarm rate as long as examples of these attacks are available for training. In actual fact, the research systems missed many dangerous new attacks when the attack mechanisms differ from the old attacks. Interestingly, a similar paper had also been written by Lippmann et al [14], focusing upon the performance of different IDS types, such as host-based, anomaly-based and forensic-based in detecting novel and stealthy attacks. The result of this analysis had proposed a number of practical approaches applied to improve the performance of the existing systems. Alharby and Imai [2] had also utilised 1999 DARPA dataset to evaluate the performance of their proposed alarm reduction system. In order to obtain the normal alarm model, alarm sequence is collected by processing the alerts generated by Snort from the first and third weeks (free-attacks traffic) of DARPA 1999 dataset. From these alarm sequences, the sequential patterns are then extracted to filter and reduce the false alarms. The same dataset (using the first and third weeks of the 1999 DARPA dataset) had also been applied by Bolzoni and Etalle [7] to train and evaluate the performance of the proposed false positive reduction system. Similarly, Alshammari et al [3] had also used such data to experiment their neural network based alarm reduction system with the different background knowledge set. The final result has proved that the proposed technique has significantly reduced the number of false alarms without requiring much background knowledge sets. Unlike other papers discussed above, our experiment focuses specifically upon the issue of false alarms, rather than the performance of IDS (true alarms) in general. In this study, we propose to investigate in a more detailed manner some of the shortcomings that caused the generation of false alarms.
Page 1 and 2:
Lecture Notes in Computer Science 5
Page 3 and 4:
Volume Editors Steven Furnell Unive
Page 5 and 6:
Program Committee General Chairpers
Page 7 and 8:
Invited Lecture Table of Contents B
Page 9 and 10:
Biometrics - How to Put to Use and
Page 11 and 12:
Biometrics-HowtoPuttoUseandHowNotat
Page 13 and 14:
Biometrics-HowtoPuttoUseandHowNotat
Page 15 and 16:
7 Outlook Biometrics-HowtoPuttoUsea
Page 17 and 18:
A Map of Trust between Trading Part
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Implementation of a TCG-Based Trust
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
A Model for Trust Metrics Analysis
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Patterns and Pattern Diagrams for A
Page 49 and 50:
Page 51 and 52:
Policy Model AC model Patterns and
Page 53 and 54:
Broker Investor Doctor Patient 1
Page 55 and 56:
Page 57 and 58:
A Spatio-temporal Access Control Mo
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
A Mechanism for Ensuring the Validi
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Multilateral Secure Cross-Community
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Fairness Emergence through Simple R
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98: Fairness Emergence through Simple R
Page 99 and 100: Combining Trust and Reputation Mana
Page 109 and 110: Controlling Usage in Business Proce
Page 123 and 124: A Semantics Rules for POLPA-Control
Page 127 and 128: Spatiotemporal Connectives for Secu
Page 133 and 134: 5.2 Expressiveness Spatiotemporal C
Page 135 and 136: Acknowledgement Spatiotemporal Conn
Page 137 and 138: BusiROLE: A Model for Integrating B
Page 147: The Problem of False Alarms: Evalua
Page 151 and 152: The Problem of False Alarms 143 To
Page 153 and 154: The Problem of False Alarms 145 mad
Page 155 and 156: The Problem of False Alarms 147 Des
Page 157 and 158: The Problem of False Alarms 149 3.
Page 159 and 160: A Generic Intrusion Detection Game
Page 171 and 172: On the Design Dilemma in Dining Cry
Page 181 and 182: Obligations: Building a Bridge betw
Page 193 and 194: A User-Centric Protocol for Conditi
Page 199 and 200:
Identity Escrow: A User-Centric Pro
Page 201 and 202:
A User-Centric Protocol for Conditi
Page 203 and 204:
Preservation of Privacy in Thwartin
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
Page 213:
Agudo, Isaac 28 Aich, Subhendu 118
show all

Lecture Notes in Computer Science 5185

Create successful ePaper yourself

Delete template?

Save as template?