ATLANTIDES: Automatic Configuration for Alert Verification in Network Intrusion Detection Systems

D. Bolzoni, B. Crispo, Sandro Etalle

    Research output: Book/Report > Report > Professional


    Abstract

    We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%.
    Original language: Undefined
    Place of publication: Enschede
    Publisher: Centre for Telematics and Information Technology (CTIT)
    Number of pages: 14
    Publication status: Published - 11 Mar 2008

    Publication series

    Name: CTIT Technical Report Series
    Publisher: Centre for Telematics and Information Technology, University of Twente
    No.: TR-CTIT-08-17
    ISSN (Print): 1381-3625

    Keywords

    • SCS-Cybersecurity
    • IR-64674
    • EWI-12090
    • METIS-250900
