Abstract
It is a common problem that an Intrusion Detection System (IDS) can generate thousands of alerts per day. The problem is made worse by the growth in size and complexity of IT infrastructures: the number of alarms that need to be reviewed can escalate rapidly, making the task very difficult to manage. Moreover, a significant problem facing current IDS technology is the high level of false alarms. The main purpose of this paper is to investigate the extent of the false alarm problem in Snort, using the 1999 DARPA IDS evaluation dataset. A thorough investigation has been carried out to assess the accuracy of the alerts generated by the Snort IDS. Significantly, the experiment has revealed an unexpected result: 69% of all generated alerts are considered to be false alarms.
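The assessment the abstract describes, deciding for each Snort alert whether it corresponds to a labelled attack in the dataset, can be scripted. The following is an added example and not code from the paper: it parses Snort's fast-format alert lines (the `snort -A fast` output), matches each alert against an attack table by time window and endpoint, and reports the false-alarm fraction and the signatures that contribute most of the false alarms. The matching rule, the 1999 year assumption (fast-format timestamps carry no year), and the sample alert lines and attack records are all constructed for this example; the DARPA ground-truth lists have their own format, which this code does not parse.

```python
"""Score Snort fast-format alerts against a labelled attack list (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Snort fast output has no year field; the DARPA 1999 traffic is from 1999 (assumption).
YEAR = 1999

# One line of `snort -A fast`:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    when: datetime
    sid: int
    msg: str
    src: str
    dst: str


@dataclass(frozen=True)
class Attack:
    name: str
    start: datetime
    duration: timedelta
    attacker: str
    victim: str


def _strip_port(endpoint: str) -> str:
    # IPv4 only (assumption): "1.2.3.4:80" -> "1.2.3.4"; ICMP lines carry no port.
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def parse_fast_alert(line: str) -> Alert:
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast alert: {line!r}")
    when = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return Alert(when, int(m["sid"]), m["msg"], _strip_port(m["src"]), _strip_port(m["dst"]))


def is_true_positive(alert: Alert, attacks) -> bool:
    # Assumed rule: the alert falls inside an attack's time window and names
    # the attacker or the victim as one of its endpoints.
    for a in attacks:
        in_window = a.start <= alert.when <= a.start + a.duration
        shares_host = bool({alert.src, alert.dst} & {a.attacker, a.victim})
        if in_window and shares_host:
            return True
    return False


def score(lines, attacks) -> dict:
    alerts = [parse_fast_alert(l) for l in lines if l.strip()]
    tp = sum(is_true_positive(a, attacks) for a in alerts)
    total, fa = len(alerts), len(alerts) - tp
    return {"total": total, "true_positives": tp, "false_alarms": fa,
            "false_alarm_fraction": fa / total if total else 0.0}


def false_alarms_by_sid(lines, attacks) -> Counter:
    # Which signatures produce the noise: the first thing to look at before tuning.
    alerts = [parse_fast_alert(l) for l in lines if l.strip()]
    return Counter(a.sid for a in alerts if not is_true_positive(a, attacks))


# Constructed sample input (not from the paper or the DARPA dataset).
SAMPLE_ALERTS = """\
03/29-08:15:22.118421  [**] [1:2925:3] INFO web bug 1x1 gif attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.112.50:1054 -> 194.7.248.153:80
03/29-09:02:11.004512  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 202.77.162.213:33012 -> 172.16.112.50:705
03/29-09:02:15.771003  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 202.77.162.213 -> 172.16.112.50
03/29-14:40:00.000000  [**] [1:2925:3] INFO web bug 1x1 gif attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.113.84:2201 -> 205.181.112.65:80
""".splitlines()

SAMPLE_ATTACKS = [
    Attack("nmap probe", datetime(1999, 3, 29, 9, 2, 0), timedelta(seconds=60),
           attacker="202.77.162.213", victim="172.16.112.50"),
]

if __name__ == "__main__":
    print(score(SAMPLE_ALERTS, SAMPLE_ATTACKS))
    print(false_alarms_by_sid(SAMPLE_ALERTS, SAMPLE_ATTACKS).most_common())
```

On the constructed sample the two probe alerts fall inside the labelled attack window and involve its endpoints, so they count as true positives; the two "web bug" alerts match nothing and are scored as false alarms, giving a false-alarm fraction of 0.5. Any real run needs the window and endpoint rule checked against how the ground truth labels multi-session attacks, since a rule that is too tight inflates the false-alarm count and one that is too loose hides it.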
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Tjhai, G.C., Papadaki, M., Furnell, S.M., Clarke, N.L. (2008). The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset. In: Furnell, S., Katsikas, S.K., Lioy, A. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2008. Lecture Notes in Computer Science, vol 5185. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85735-8_14
DOI: https://doi.org/10.1007/978-3-540-85735-8_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85734-1
Online ISBN: 978-3-540-85735-8