
Intelligent Alarm Filter Using Knowledge-Based Alert Verification in Network Intrusion Detection

Conference paper: Foundations of Intelligent Systems (ISMIS 2012)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 7661)

Abstract

Network intrusions have become a major challenge for current network environments. Thus, network intrusion detection systems (NIDSs) are widely deployed in various networks to detect different kinds of network attacks (e.g., Trojans, worms). However, in real settings, a large number of alarms can be generated during detection, which greatly decreases the effectiveness of these intrusion detection systems. To mitigate this problem, we advocate constructing an alarm filter as a promising solution. In this paper, we design and develop an intelligent alarm filter that filters out NIDS alarms by means of knowledge-based alert verification. In particular, our proposed method of knowledge-based alert verification employs a rating mechanism based on expert knowledge to classify incoming NIDS alarms. We implemented and evaluated this intelligent knowledge-based alarm filter in a network environment. The experimental results show that the developed alarm filter can accurately filter out a number of NIDS alarms and achieve a better outcome.
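As an added illustration of the knowledge-based alert verification idea the abstract describes (example code written for this page, not the authors' filter): each alarm is rated against an asset knowledge base using expert-weighted checks, and alarms whose rating falls below a threshold are filtered out. The knowledge base, check weights, threshold and sample alarms are all assumed, since the paper's actual rating scheme is not given on this page.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """What the asset knowledge base records about a monitored host."""
    os: str                                       # e.g. "linux", "windows"
    services: dict = field(default_factory=dict)  # listening port -> service name

# Constructed knowledge base (assumed values; a real one is fed from inventory or scans).
ASSETS = {
    "10.0.0.5": Host("linux", {22: "ssh", 80: "apache"}),
    "10.0.0.9": Host("windows", {80: "iis", 445: "smb"}),
}
# Expert-assigned weight per verification check (assumed, not the paper's values).
WEIGHTS = {"port_open": 3, "platform": 3, "service": 2, "priority": 1}
KEEP_THRESHOLD = 2  # alarms rated below this are filtered out

def rate_alert(alert, assets=ASSETS, weights=WEIGHTS):
    """Rate one alarm against the knowledge base; returns (score, reasons).
    Evidence that the target really exposes what the signature attacks adds the
    check's weight; contradicting evidence subtracts it."""
    host = assets.get(alert["dst_ip"])
    if host is None:
        return 0, ["target not in knowledge base"]
    checks = [("port_open", alert["dst_port"] in host.services)]
    if alert.get("target_os"):
        checks.append(("platform", alert["target_os"] == host.os))
    if alert.get("target_service"):
        checks.append(("service", host.services.get(alert["dst_port"]) == alert["target_service"]))
    score, reasons = 0, []
    for name, ok in checks:
        score += weights[name] if ok else -weights[name]
        reasons.append(f"{name} {'ok' if ok else 'mismatch'}")
    # Snort-style priority: 1 is most severe, so invert it before weighting.
    score += weights["priority"] * (4 - alert.get("priority", 3))
    return score, reasons

def filter_alerts(alerts, threshold=KEEP_THRESHOLD):
    """Keep only alarms whose rating reaches the threshold."""
    return [a for a in alerts if rate_alert(a)[0] >= threshold]

# Constructed sample alarms in a simplified Snort-like shape.
SAMPLE_ALERTS = [
    {"sid": 1, "msg": "IIS exploit attempt", "dst_ip": "10.0.0.5", "dst_port": 80,
     "target_os": "windows", "target_service": "iis", "priority": 1},
    {"sid": 2, "msg": "SSH brute force", "dst_ip": "10.0.0.5", "dst_port": 22,
     "target_os": "linux", "target_service": "ssh", "priority": 2},
    {"sid": 3, "msg": "MySQL probe", "dst_ip": "10.0.0.9", "dst_port": 3306,
     "target_service": "mysql", "priority": 3},
]
```

Calling `filter_alerts(SAMPLE_ALERTS)` keeps only alarm 2: the IIS alarm targets a Linux/Apache host and the MySQL probe hits a closed port, so both are rated below the threshold despite their severity.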




© 2012 Springer-Verlag Berlin Heidelberg

Cite this paper

Meng, Y., Li, W., Kwok, L.-F. (2012). Intelligent Alarm Filter Using Knowledge-Based Alert Verification in Network Intrusion Detection. In: Chen, L., Felfernig, A., Liu, J., Raś, Z.W. (eds) Foundations of Intelligent Systems. ISMIS 2012. Lecture Notes in Computer Science, vol 7661. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34624-8_14

  • DOI: https://doi.org/10.1007/978-3-642-34624-8_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34623-1

  • Online ISBN: 978-3-642-34624-8

  • eBook Packages: Computer Science (R0)
