完整後設資料紀錄
DC 欄位語言
dc.contributor.authorHo, Cheng-Yuanen_US
dc.contributor.authorLai, Yuan-Chengen_US
dc.contributor.authorChen, I-Weien_US
dc.contributor.authorWang, Fu-Yuen_US
dc.contributor.authorTai, Wei-Hsuanen_US
dc.date.accessioned2014-12-08T15:21:53Z-
dc.date.available2014-12-08T15:21:53Z-
dc.date.issued2012-03-01en_US
dc.identifier.issn0163-6804en_US
dc.identifier.urihttp://dx.doi.org/10.1109/MCOM.2012.6163595en_US
dc.identifier.urihttp://hdl.handle.net/11536/15580-
dc.description.abstractFalse positives and false negatives happen to every intrusion detection and intrusion prevention system. This work proposes a mechanism for false positive/negative assessment with multiple IDSs/IPSs to collect FP and FN cases from real-world traffic and statistically analyze these cases. Over a period of 16 months, more than 2000 FPs and FNs have been collected and analyzed. From the statistical analysis results, we obtain three interesting findings. First, more than 92.85 percent of false cases are FPs even if the numbers of attack types for FP and FN are similar. That is mainly because the behavior of applications or the format of the application content is self-defined; that is, there is not complete conformance to the specifications of RFCs. Accordingly, when this application meets an IDS/IPS with strict detection rules, its traffic will be regarded as malicious traffic, resulting in a lot of FPs. Second, about 91 percent of FP alerts, equal to about 85 percent of false cases, are not related to security issues, but to management policy. For example, some companies and campuses limit or forbid their employees and students from using peer-to-peer applications; therefore, in order to easily detect P2P traffic, an IDS/IPS is configured to be sensitive to it. Hence, this causes alerts to be triggered easily regardless of whether the P2P application has malicious traffic or not. The last finding shows that buffer overflow, SQL server attacks, and worm slammer attacks account for 93 percent of FNs, even though they are aged attacks. This indicates that these attacks always have new variations to evade IDS/IPS detection.en_US
dc.language.isoen_USen_US
dc.titleStatistical Analysis of False Positives and False Negatives from Real Traffic with Intrusion Detection/Prevention Systemsen_US
dc.typeArticleen_US
dc.identifier.doi10.1109/MCOM.2012.6163595en_US
dc.identifier.journalIEEE COMMUNICATIONS MAGAZINEen_US
dc.citation.volume50en_US
dc.citation.issue3en_US
dc.citation.spage146en_US
dc.citation.epage154en_US
dc.contributor.department資訊工程學系zh_TW
dc.contributor.department瑞昱交大聯合研發中心zh_TW
dc.contributor.departmentDepartment of Computer Scienceen_US
dc.contributor.departmentPealtek NCTU Joint Res Ctren_US
dc.identifier.wosnumberWOS:000301198700019-
dc.citation.woscount4-
顯示於類別:期刊論文


文件中的檔案:

  1. 000301198700019.pdf

若為 zip 檔案,請下載檔案解壓縮後,用瀏覽器開啟資料夾中的 index.html 瀏覽全文。