ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems

D. Bolzoni, Bruno Crispo, Sandro Etalle

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


    Abstract

    We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%.
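    The correlation step the abstract describes, as an added illustration that is not code from the paper: a small model of normal server output (here, reply sizes) is trained on a constructed baseline, and an inbound NIDS alert is kept only when the same connection produced an anomalous reply shortly afterwards. Alert, Reply, the 3-sigma rule and the 2-second window are assumptions for the example, not details taken from the paper.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Alert:           # raised by the inbound NIDS (signature- or anomaly-based)
    conn_id: str
    ts: float
    rule: str

@dataclass
class Reply:           # what the server sent back on the same TCP connection
    conn_id: str
    ts: float
    nbytes: int

# Constructed baseline of normal HTTP reply sizes (bytes) used to train the output model.
BASELINE = [512, 530, 498, 540, 505, 520, 515, 510, 525, 500]

def output_model(baseline, k=3.0):
    """Train a tiny output anomaly model: replies beyond mean +/- k*stddev are anomalous (assumed rule)."""
    mu, sd = mean(baseline), pstdev(baseline)
    return lambda nbytes: abs(nbytes - mu) > k * sd

def verify_alerts(alerts, replies, is_anomalous, window=2.0):
    """Keep an alert only if its connection produced an anomalous reply within `window` seconds."""
    confirmed, suppressed = [], []
    for a in alerts:
        matched = [r for r in replies if r.conn_id == a.conn_id and 0 <= r.ts - a.ts <= window]
        (confirmed if any(is_anomalous(r.nbytes) for r in matched) else suppressed).append(a)
    return confirmed, suppressed

def run_demo():
    """Constructed sample: three inbound alerts, only one of which triggers an abnormal reply."""
    alerts = [Alert("c1", 10.0, "SQL injection"),
              Alert("c2", 11.0, "directory traversal"),
              Alert("c3", 12.0, "shellcode pattern")]
    replies = [Reply("c1", 10.4, 4096),   # unusually large reply: data leaked, alert confirmed
               Reply("c2", 11.2, 510),    # ordinary-sized reply: alert treated as false positive
               Reply("c3", 12.3, 515)]    # ordinary-sized reply: alert treated as false positive
    return verify_alerts(alerts, replies, output_model(BASELINE))

if __name__ == "__main__":
    confirmed, suppressed = run_demo()
    print("confirmed:", [a.conn_id for a in confirmed])
    print("suppressed:", [a.conn_id for a in suppressed])
```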
    Original language: Undefined
    Title of host publication: Proceedings of the 21st Large Installation System Administration Conference (LISA '07)
    Publisher: USENIX Association
    Pages: 141-152
    Number of pages: 12
    ISBN (Print): 978-1-931971-55-3
    Publication status: Published - Nov 2007

    Publication series

    Publisher: Usenix Association
    Number: FS-07-05

    Keywords

    • EWI-11415
    • SCS-Cybersecurity
    • IR-64467
    • METIS-245782
    • EC Grant Agreement nr.: FP6/033827

    Cite this

    Bolzoni, D., Crispo, B., & Etalle, S. (2007). ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems. In Proceedings of the 21st Large Installation System Administration Conference (LISA '07) (pp. 141-152). USENIX Association.