A New Method for Filtering IDS False Positives with Semi-supervised Classification
Constructing alert classifiers is an efficient way to filter IDS false positives. Classifiers built with supervised classification techniques require large amounts of labeled training alerts, which are difficult and expensive to prepare. This paper proposes using a semi-supervised learning technique to build the alert classification model so that fewer labeled training alerts are needed. Experiments conducted on the DARPA 1999 dataset demonstrate that the semi-supervised alert classification model improves classification performance dramatically, especially when the labeled training set is small. As a result, deploying an alert classifier to filter false positives becomes more feasible.
Keywords: intrusion detection system, false positive, semi-supervised learning, EM algorithm
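The abstract names the ingredients (an alert classifier, a small labeled set, unlabeled alerts, the EM algorithm) but not the mechanics. The block below is an added illustration, not the paper's code and not its DARPA 1999 experiment: a multinomial naive Bayes alert classifier initialised from a handful of labeled alerts and then refined with EM over unlabeled alerts in the style of Nigam's semi-supervised text classifier. All alerts, feature names (sig, port, src), class names (tp, fp) and function names are constructed for the example. The labeled set is deliberately tiny and skewed (every labeled attack came from an external host), so the supervised-only model learns "external source means attack"; the unlabeled alerts carry the signature and port structure that EM uses to correct that.

```python
import math
from collections import Counter

CLASSES = ("tp", "fp")             # genuine attack (keep) / false positive (filter)
FEATURES = ("sig", "port", "src")  # signature, destination port, source ext/int

# Constructed alerts (not real IDS output). The labeled set is tiny and skewed:
# every attack it contains came from an external host.
LABELED = [
    ({"sig": "sqli", "port": 80, "src": "ext"}, "tp"),
    ({"sig": "sqli", "port": 80, "src": "ext"}, "tp"),
    ({"sig": "ping", "port": 0, "src": "int"}, "fp"),
    ({"sig": "ping", "port": 0, "src": "int"}, "fp"),
]
UNLABELED = [  # cheap to collect; carries the signature/port structure
    {"sig": "rce", "port": 443, "src": "ext"}, {"sig": "rce", "port": 80, "src": "ext"},
    {"sig": "sqli", "port": 443, "src": "ext"}, {"sig": "rce", "port": 443, "src": "ext"},
    {"sig": "scan", "port": 22, "src": "int"}, {"sig": "scan", "port": 0, "src": "int"},
    {"sig": "ping", "port": 22, "src": "int"}, {"sig": "scan", "port": 22, "src": "int"},
]
TEST = [  # held out; "scan" is treated as authorized-scanner noise in this data
    ({"sig": "sqli", "port": 80, "src": "ext"}, "tp"),
    ({"sig": "sqli", "port": 80, "src": "int"}, "tp"),
    ({"sig": "rce", "port": 443, "src": "int"}, "tp"),  # attack from an internal host
    ({"sig": "ping", "port": 0, "src": "int"}, "fp"),
    ({"sig": "ping", "port": 0, "src": "ext"}, "fp"),
    ({"sig": "scan", "port": 22, "src": "ext"}, "fp"),  # scanner noise from outside
]

def build_vocab(alerts):
    """Feature value sets from the whole training pool (labels are not used)."""
    return {f: sorted({x[f] for x in alerts}) for f in FEATURES}

def fit(labeled, vocab, soft=()):
    """M-step: naive Bayes parameters (Laplace smoothing) from hard-labeled alerts
    plus optional (alert, {class: weight}) soft-labeled alerts."""
    n = {c: 0.0 for c in CLASSES}
    counts = {c: {f: Counter() for f in FEATURES} for c in CLASSES}
    rows = [(x, {y: 1.0}) for x, y in labeled] + list(soft)
    for x, post in rows:
        for c, w in post.items():
            n[c] += w
            for f in FEATURES:
                counts[c][f][x[f]] += w
    total = sum(n.values())
    model = {"prior": {}, "cond": {}, "unseen": {}}
    for c in CLASSES:
        model["prior"][c] = (n[c] + 1.0) / (total + len(CLASSES))
        model["cond"][c], model["unseen"][c] = {}, {}
        for f in FEATURES:
            denom = n[c] + len(vocab[f])
            model["cond"][c][f] = {v: (counts[c][f][v] + 1.0) / denom for v in vocab[f]}
            model["unseen"][c][f] = 1.0 / denom  # smoothed mass for a value never seen
    return model

def posterior(model, x):
    """E-step for one alert: P(class | features), computed in log space."""
    logp = {}
    for c in CLASSES:
        lp = math.log(model["prior"][c])
        for f in FEATURES:
            lp += math.log(model["cond"][c][f].get(x[f], model["unseen"][c][f]))
        logp[c] = lp
    m = max(logp.values())
    z = sum(math.exp(v - m) for v in logp.values())
    return {c: math.exp(v - m) / z for c, v in logp.items()}

def predict(model, x):
    """Ties resolve to "tp": when unsure, keep the alert rather than filter it."""
    post = posterior(model, x)
    return max(CLASSES, key=lambda c: post[c])

def em_train(labeled, unlabeled, vocab, iters=10, lam=1.0):
    """EM: start from the labeled alerts only, then alternate E-steps (soft labels
    for the unlabeled alerts) and M-steps; lam down-weights the unlabeled evidence."""
    model = fit(labeled, vocab)
    for _ in range(iters):
        soft = [(x, {c: lam * p for c, p in posterior(model, x).items()}) for x in unlabeled]
        model = fit(labeled, vocab, soft)
    return model

def accuracy(model, alerts):
    return sum(predict(model, x) == y for x, y in alerts) / len(alerts)

def run_experiment():
    """Returns (supervised accuracy, semi-supervised accuracy) on the held-out alerts."""
    vocab = build_vocab([x for x, _ in LABELED] + UNLABELED)
    sup = fit(LABELED, vocab)
    semi = em_train(LABELED, UNLABELED, vocab)
    return accuracy(sup, TEST), accuracy(semi, TEST)

if __name__ == "__main__":
    print("supervised=%.3f semi-supervised=%.3f" % run_experiment())
```

On this constructed data the supervised-only model filters the internal-host RCE alert as a false positive and keeps the external scanner noise, because the only discriminating evidence it has seen is the source; after EM the signature and port estimates dominate and both alerts are classified correctly. Two caveats carry over from the text-classification setting: EM only helps when the unlabeled alerts share the class structure of the labeled ones, and it can amplify a wrong initial clustering, which is why the unlabeled weight `lam` is usually set below 1 and the result is checked on a labeled hold-out set before the classifier is allowed to drop alerts.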