標題: | Statistical Analysis of False Positives and False Negatives from Real Traffic with Intrusion Detection/Prevention Systems |
作者: | Ho, Cheng-Yuan Lai, Yuan-Cheng Chen, I-Wei Wang, Fu-Yu Tai, Wei-Hsuan 資訊工程學系 瑞昱交大聯合研發中心 Department of Computer Science Pealtek NCTU Joint Res Ctr |
公開日期: | 1-Mar-2012 |
摘要: | False positives and false negatives happen to every intrusion detection and intrusion prevention system. This work proposes a mechanism for false positive/negative assessment with multiple IDSs/IPSs to collect FP and FN cases from real-world traffic and statistically analyze these cases. Over a period of 16 months, more than 2000 FPs and FNs have been collected and analyzed. From the statistical analysis results, we obtain three interesting findings. First, more than 92.85 percent of false cases are FPs even if the numbers of attack types for FP and FN are similar. That is mainly because the behavior of applications or the format of the application content is self-defined; that is, there is not complete conformance to the specifications of RFCs. Accordingly, when this application meets an IDS/IPS with strict detection rules, its traffic will be regarded as malicious traffic, resulting in a lot of FPs. Second, about 91 percent of FP alerts, equal to about 85 percent of false cases, are not related to security issues, but to management policy. For example, some companies and campuses limit or forbid their employees and students from using peer-to-peer applications; therefore, in order to easily detect P2P traffic, an IDS/IPS is configured to be sensitive to it. Hence, this causes alerts to be triggered easily regardless of whether the P2P application has malicious traffic or not. The last finding shows that buffer overflow, SQL server attacks, and worm slammer attacks account for 93 percent of FNs, even though they are aged attacks. This indicates that these attacks always have new variations to evade IDS/IPS detection. |
URI: | http://dx.doi.org/10.1109/MCOM.2012.6163595 http://hdl.handle.net/11536/15580 |
ISSN: | 0163-6804 |
DOI: | 10.1109/MCOM.2012.6163595 |
期刊: | IEEE COMMUNICATIONS MAGAZINE |
Volume: | 50 |
Issue: | 3 |
起始頁: | 146 |
結束頁: | 154 |
Appears in Collections: | Articles |
Files in This Item:
If it is a zip file, please download the file and unzip it, then open index.html in a browser to view the full text content.