Filtering False Positives Based on Server-Side Behaviors

Published: 01 February 2008

Abstract

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce the number of false positives, a network administrator must thoroughly investigate a lengthy list of signatures and carefully disable the ones that detect attacks that are not harmful to the administrator's environment. This is a daunting task; if some signatures are disabled by mistake, the NIDS fails to detect critical remote attacks. We designed a NIDS, TrueAlarm, to reduce the rate of false positives. Conventional NIDSs alert administrators that a malicious message has been detected, regardless of whether the message actually attempts to compromise the protected server. In contrast, TrueAlarm delays the alert until it has confirmed that an attempt has been made. The TrueAlarm NIDS cooperates with a server-side monitor that observes the protected server's behavior. TrueAlarm only alerts administrators when a server-side monitor has detected deviant server behavior that must have been caused by a message detected by a NIDS. Our experimental results revealed that TrueAlarm reduces the rate of false positives. Using actual network traffic collected over 14 days, TrueAlarm produced 46 false positives, while Snort, a conventional NIDS, produced 818.
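As an added illustration of the correlation rule the abstract describes (this is not the paper's code): a signature alert is held back and only released once the server-side monitor reports deviant behaviour on the same connection within a short window. The event formats, the connection key, the signature labels and the 5-second window are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class NidsAlert:
    ts: float      # seconds when the signature matched on the wire
    conn: str      # connection key, e.g. "client:port->server:port"
    sig: str       # name of the matching signature

@dataclass(frozen=True)
class ServerEvent:
    ts: float      # time the server-side monitor saw deviant behaviour
    conn: str      # connection the server process was handling
    behaviour: str # e.g. "unexpected_exec", "write_outside_docroot"

def confirm_alerts(alerts: List[NidsAlert], events: List[ServerEvent],
                   window: float = 5.0) -> List[dict]:
    """Return only the NIDS alerts corroborated by a later server event.

    An alert is confirmed when the monitor reports deviant behaviour on the
    same connection within `window` seconds after the signature matched.
    Unconfirmed alerts are dropped (the false positives to be filtered);
    each server event can confirm at most one alert.
    """
    events_sorted = sorted(events, key=lambda e: e.ts)
    used, confirmed = set(), []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for i, ev in enumerate(events_sorted):
            if i in used or ev.conn != alert.conn:
                continue
            if alert.ts <= ev.ts <= alert.ts + window:
                used.add(i)
                confirmed.append({"sig": alert.sig, "conn": alert.conn,
                                  "behaviour": ev.behaviour,
                                  "delay": round(ev.ts - alert.ts, 3)})
                break
    return confirmed

# Constructed sample data (not taken from the paper's 14-day capture).
SAMPLE_ALERTS = [
    NidsAlert(100.0, "10.0.0.5:41234->10.0.0.1:80", "WEB-CGI long-arg overflow"),
    NidsAlert(101.5, "10.0.0.7:50001->10.0.0.1:80", "WEB-CGI long-arg overflow"),
    NidsAlert(130.0, "10.0.0.9:6000->10.0.0.1:21", "FTP format-string attempt"),
]
SAMPLE_EVENTS = [
    ServerEvent(101.2, "10.0.0.5:41234->10.0.0.1:80", "unexpected_exec"),
    ServerEvent(150.0, "10.0.0.9:6000->10.0.0.1:21", "unexpected_exec"),  # outside window
]

if __name__ == "__main__":
    for c in confirm_alerts(SAMPLE_ALERTS, SAMPLE_EVENTS):
        print(c)
```

With the default window only the first alert is confirmed; the second never produces a server event and the third is corroborated too late, which is exactly the class of alerts a conventional NIDS would have raised immediately.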


Published In

IEICE Transactions on Information and Systems, Volume E91-D, Issue 2
February 2008
222 pages
ISSN: 0916-8532
EISSN: 1745-1361

Publisher

Oxford University Press, Inc., United States
Author Tags

1. Internet security
2. network attack detection
3. network intrusion detection
4. reducing false positives