
The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset

  • Conference paper
Trust, Privacy and Security in Digital Business (TrustBus 2008)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5185)

Abstract

It is common for an Intrusion Detection System (IDS) to generate thousands of alerts per day. The problem has been made worse by the growth in size and complexity of IT infrastructure: the number of alarms that need to be reviewed can escalate rapidly, making the task very difficult to manage. Moreover, a significant problem facing current IDS technology is the high level of false alarms. The main purpose of this paper is to investigate the extent of the false alarm problem in Snort, using the 1999 DARPA IDS evaluation dataset. A thorough investigation has been carried out to assess the accuracy of the alerts generated by the Snort IDS. Significantly, this experiment has revealed an unexpected result: 69% of the alerts generated are considered to be false alarms.




Editor information

Steven Furnell, Sokratis K. Katsikas, Antonio Lioy


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Tjhai, G.C., Papadaki, M., Furnell, S.M., Clarke, N.L. (2008). The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset. In: Furnell, S., Katsikas, S.K., Lioy, A. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2008. Lecture Notes in Computer Science, vol 5185. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85735-8_14


  • DOI: https://doi.org/10.1007/978-3-540-85735-8_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85734-1

  • Online ISBN: 978-3-540-85735-8
