Reducing false positives in intrusion detection systems

Abstract

A post-processing filter is proposed to reduce false positives in network-based intrusion detection systems. The filter comprises three components, each one of which is based upon statistical properties of the input alert set. Special characteristics of alerts corresponding to true attacks are exploited. These alerts may be observed in batches, which contain similarities in the source or destination IPs, or they may produce abnormalities in the distribution of alerts of the same signature. False alerts can be recognized by the frequency with which their signature triggers false positives. The filter architecture and design are discussed. Evaluation results performed using the DARPA 1999 dataset indicate that the proposed approach can significantly reduce the number and percentage of false positives produced by Snort (c) (Roesch, 1999). Our filter limited false positives by a percentage up to 75%. (C) 2009 Elsevier Ltd. All rights reserved.