ATLANTIDES : An architecture for alert verification in network intrusion detection systems

D. Bolzoni, B. Crispo, S. Etalle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer review

22 Citations (Scopus)
4 Downloads (Pure)

Abstract

We present an architecture [1] designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%.

[1] This research is supported by the research program Sentinels (http://www.sentinels.nl). The work of the second author was partially funded by the IST FP6 GridTrust project, contract No. 033827. Part of this work was carried out during the third author's stay at the University of Trento, supported by the GU-IST project Serenity.

Original language: English
Title: Proceedings of the 21st Large Installation System Administration Conference (LISA 2007), Dallas TX, USA, November 11-16, 2007
Publisher: Usenix Association
Pages: 141-152
ISBN (print): 978-1-931971-55-3
Status: Published - 2007
