ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems

D. Bolzoni, Bruno Crispo, Sandro Etalle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


Abstract

We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%.
Original language: Undefined
Title of host publication: Proceedings of the 21st Large Installation System Administration Conference (LISA '07)
Publisher: USENIX Association
Pages: 141-152
Number of pages: 12
ISBN (Print): 978-1-931971-55-3
Publication status: Published - Nov 2007

Publication series

Publisher: USENIX Association
Number: FS-07-05

Keywords

  • EWI-11415
  • SCS-Cybersecurity
  • IR-64467
  • METIS-245782
  • EC Grant Agreement nr.: FP6/033827

Cite this

Bolzoni, D., Crispo, B., & Etalle, S. (2007). ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems. In Proceedings of the 21st Large Installation System Administration Conference (LISA '07) (pp. 141-152). USENIX Association.
@inproceedings{403f09c8de4f4a178559d987718df6af,
title = "ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems",
abstract = "We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50{\%} and 100{\%}.",
keywords = "EWI-11415, SCS-Cybersecurity, IR-64467, METIS-245782, EC Grant Agreement nr.: FP6/033827",
author = "D. Bolzoni and Bruno Crispo and Sandro Etalle",
note = "Upgrade and substitute technical report TR-CTIT-06-13",
year = "2007",
month = "11",
language = "Undefined",
isbn = "978-1-931971-55-3",
publisher = "USENIX Association",
number = "FS-07-05",
pages = "141--152",
booktitle = "Proceedings of the 21st Large Installation System Administration Conference (LISA '07)",
}