Filtering False Positives Based on Server-Side Behaviors
Abstract
Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce the number of false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks that are not harmful to the administrator's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators that a malicious message has been detected, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it has confirmed that a compromise attempt has been made. TrueAlarm cooperates with a server-side monitor that observes the protected server's behavior, and it alerts administrators only when the monitor has detected deviant server behavior that must have been caused by a message the NIDS detected. Our experimental results show that TrueAlarm reduces the rate of false positives: on actual network traffic collected over 14 days, TrueAlarm produced 46 false positives, while Snort, a conventional NIDS, produced 818.
- 2008-02-01
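The abstract describes the TrueAlarm idea but not its mechanics. The following added example (written for this page, not TrueAlarm's or the authors' code) shows the core filtering step in Python: a signature hit from the network side is held back and only becomes an alert when the server-side monitor reports a deviation on the same connection within a short window. The record types, field names, the rule identifiers, the event vocabulary and the sample records are all constructed assumptions for the illustration; how the real system attributes server behavior to a specific message is not stated on this page.

```python
# Added illustration of the TrueAlarm idea: a NIDS signature hit is held back
# until a server-side monitor reports a deviation attributable to the same
# connection. Data classes, field names, signature ids, event kinds and the
# sample records below are constructed for this example; they are not
# TrueAlarm's own formats or code.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SignatureHit:
    """One signature match from the network side (Snort-style rule hit)."""
    ts: float        # time the matching message was seen
    conn_id: str     # TCP 4-tuple the message belonged to
    sig_id: str      # rule identifier (assumed naming)


@dataclass(frozen=True)
class ServerEvent:
    """One deviation reported by the server-side monitor."""
    ts: float
    conn_id: Optional[str]   # connection the worker was handling, if known
    kind: str                # e.g. "exec", "unexpected_open" (assumed vocabulary)
    detail: str


@dataclass(frozen=True)
class Alert:
    hit: SignatureHit
    event: ServerEvent


def correlate(hits: List[SignatureHit], events: List[ServerEvent],
              window: float = 2.0) -> List[Alert]:
    """Raise an alert only for a hit that is followed, within `window`
    seconds and on the same connection, by a server-side deviation.

    A hit with no matching deviation is treated as a false positive and
    dropped. A deviation with no preceding hit on its connection yields no
    NIDS alert here: it is the server-side monitor's own finding."""
    by_conn: Dict[Optional[str], List[ServerEvent]] = {}
    for ev in events:
        by_conn.setdefault(ev.conn_id, []).append(ev)
    alerts: List[Alert] = []
    for hit in sorted(hits, key=lambda h: h.ts):
        for ev in sorted(by_conn.get(hit.conn_id, []), key=lambda e: e.ts):
            if hit.ts <= ev.ts <= hit.ts + window:
                alerts.append(Alert(hit, ev))
                break   # one confirmation per hit is enough
    return alerts


# Constructed sample: three signature hits, only one of which coincides
# with a server-side deviation on the same connection inside the window.
HITS = [
    SignatureHit(100.0, "198.51.100.7:40111->203.0.113.10:80", "SIG-CGI-TRAVERSAL"),
    SignatureHit(140.0, "198.51.100.9:40222->203.0.113.10:80", "SIG-SHELLCODE-NOP"),
    SignatureHit(200.0, "198.51.100.4:40333->203.0.113.10:80", "SIG-CGI-TRAVERSAL"),
]
EVENTS = [
    # deviation 0.4 s after the first hit, same connection: confirmed
    ServerEvent(100.4, "198.51.100.7:40111->203.0.113.10:80", "exec",
                "httpd worker executed /bin/sh"),
    # deviation on a connection the NIDS never flagged: no NIDS alert
    ServerEvent(170.0, "198.51.100.2:40444->203.0.113.10:80", "unexpected_open",
                "httpd worker opened /etc/shadow"),
    # deviation 30 s after the third hit: outside the default window
    ServerEvent(230.0, "198.51.100.4:40333->203.0.113.10:80", "crash",
                "httpd worker received SIGSEGV"),
]


def summarize(hits, events, window=2.0):
    """(alerts a conventional NIDS would raise, alerts kept after filtering)."""
    return len(hits), len(correlate(hits, events, window))


if __name__ == "__main__":
    raw, confirmed = summarize(HITS, EVENTS)
    print(f"conventional alerts: {raw}, confirmed alerts: {confirmed}")
    for a in correlate(HITS, EVENTS):
        print(f"ALERT {a.hit.sig_id} on {a.hit.conn_id}: {a.event.detail}")
```

Two things a practitioner should take from this toy: the alert is delayed by up to `window` seconds, which is the price of confirmation, and the window is a tuning knob. With the sample above the default 2 s window confirms one of three hits; widening it to 60 s also attributes the late crash to the third hit, so a window that is too wide starts re-admitting coincidences while one that is too narrow drops slow-acting attacks.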
Authors
-
KONO Kenji
Keio Univ.; Department of Information and Computer Science, Keio University
-
HANAOKA Miyuki
School for Open and Environmental Systems, Graduate School of Science and Technology, Keio University; Department of Information and Computer Science, Keio University
-
SHIMAMURA Makoto
School for Open and Environmental Systems, Graduate School of Science and Technology, Keio University; Department of Information and Computer Science, Keio University
Related papers
- Research on Virtual Machine Technology as a "Means" (Introduction to the FY2009 Paper Award Winner)
- Reducing Security Policy Size for Internet Servers in Secure Operating Systems
- A Lightweight Linux Binary Execution System for Using Windows PCs in a Grid Environment
- User-level Enforcement of Appropriate Background Process Execution
- TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems(Dependable Computing)
- Using a Virtual Machine Monitor to Slow Down CPU Speed for Embedded Time-Sensitive Software Testing
- A State-Aware Protocol Fuzzer Based on Application-Layer Protocols
- Clustering Performance Anomalies Based on Similarity in Processing Time Changes
- MashCache: Taming Flash Crowds by Using Their Good Features
- Lightweight Recovery from Kernel Failures Using Phase-based Reboot
- Using Fault Injection to Analyze the Scope of Error Propagation in Linux
- Honeyguide: A VM Migration-Aware Network Topology for Saving Energy Consumption in Data Center Networks
- Automatically Checking for Session Management Vulnerabilities in Web Applications
- DiscNice: User-level Regulation of Disk Bandwidth