Of daemons and men: reducing false positive rate in intrusion detection systems with file system footprint analysis

Bibliographic Details
Published in: Neural computing & applications 2019-11, Vol. 31 (11), p. 7755-7767
Main Authors: Mamalakis, George, Diou, Christos, Symeonidis, Andreas L., Georgiadis, Leonidas
Format: Article
Language: English
Description
Summary: In this work, we propose a methodology for reducing false alarms in file system intrusion detection systems, by taking into account the daemon's file system footprint. More specifically, we experimentally show that sequences of outliers can serve as a distinguishing characteristic between true and false positives, and we show how analysing sequences of outliers can lead to lower false positive rates, while maintaining high detection rates. Based on this analysis, we developed an anomaly detection filter that learns outlier sequences using k-nearest neighbours with normalised longest common subsequence. Outlier sequences are then used as a filter to reduce false positives on the FI2DS file system intrusion detection system. This filter is evaluated on both overlapping and non-overlapping sequences of outliers. In both cases, experiments performed on three real-world web servers and a honeynet show that our approach achieves significant false positive reduction rates (up to 50 times), without any degradation of the corresponding true positive detection rates.
ISSN: 0941-0643, 1433-3058
DOI: 10.1007/s00521-018-3550-x