A New Method for Filtering IDS False Positives with Semi-supervised Classification

  • Minghua Zhang
  • Haibin Mei
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7389)


Constructing alert classifiers is an efficient way to filter IDS false positives. Classifiers built with supervised classification technique require large amounts of labeled training alerts which are difficult and expensive to prepare. This paper proposes to use semi-supervised learning technique to build alert classification model to reduce the number of needed labeled training alerts. Experiments conducted on the DARPA 1999 dataset have demonstrated that the semi-supervised alert classification model can improve the classification performance dramatically, especially when the labeled alert training dataset is small. As a result, the feasibility of deploying alert classifier for filtering false positives is enhanced.


intrusion detection system false positive semi-supervised learning EM algorithm 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Pietraszek, T.: Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 102–124. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Shin, M.S., Kim, E.H., Ryu, K.H.: False Alarm Classification Model for Network-Based Intrusion Detection System. In: Yang, Z.R., Yin, H., Everson, R.M. (eds.) IDEAL 2004. LNCS, vol. 3177, pp. 259–265. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Bildoy, J., Clausen, S., Klausen, T.E.: Classifying Alerts in Multi-tier Intrusion Detection Systems. Master, Agder University College, Arendal (2004)Google Scholar
  4. 4.
    Chapelle, O., Scholkopf, B., Zien, A.: Semi-supervised Learning. MIT Press, Cambridge (2006)Google Scholar
  5. 5.
    Fatima, L.S., Mezrioui, A.: Improving the Quality of Alerts with Correlation in Intrusion Detection. International Journal of Computer Science and Network Security 7(12) (2007)Google Scholar
  6. 6.
    Nehinbe, J.O.: Automated Method for Reducing False Positives. In: Proc. of 2010 Int. Conf. on Intelligent Systems, Modelling and Simulation, pp. 54–59 (2010)Google Scholar
  7. 7.
    Li, H., Hu, Z., Wu, Y., Wu, F.: Behavior Modeling and Abnormality Detection Based on Demi-supervised Learning Method. Journal of Software 18(3), 527–537 (2007)zbMATHCrossRefGoogle Scholar
  8. 8.
    Liu, H., Yu, L.: Toward Integrating Feature Selection Algorithms for Classification and Cluster. IEEE Transactions on Knowledge and Data Engineering 17(3), 491–502 (2005)Google Scholar
  9. 9.
    Nigam, K.: Using Unlabeled Data to Improve Text Classification. PhD Thesis, Carnegie Mellon University, Pittsburgh, PA, USA (2001)Google Scholar
  10. 10.
    Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.: The 1999 DARPA Off-line Intrusion Detection Evaluation. Computer Networks 4(4), 579–595 (2000)CrossRefGoogle Scholar
  11. 11.
    Gong, J., Mei, H.B., Ding, Y., Wei, D.H.: A multi-feature Correlation Redundance Elimination of Intrusion Event. Journal of Southeast University 35(3), 366–371 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Minghua Zhang
    • 1
  • Haibin Mei
    • 1
  1. 1.Information CollegeShanghai Ocean UniversityShanghaiChina

Personalised recommendations