Open Access
False Positives and Negatives from Real Traffic with Intrusion Detection/Prevention Systems
Author(s) - ChengYuan Ho, YingDar Lin, YuanCheng Lai, I. Ming Chen, Fuyu Wang, Wei-Hsuan Tai
Publication year - 2012
Publication title - International Journal of Future Computer and Communication
Language(s) - English
Resource type - Journals
ISSN - 2010-3751
DOI - 10.7763/ijfcc.2012.v1.23
Subject(s) - false positive paradox, computer science, intrusion detection system, false positives and false negatives, computer security, true positive rate, real time computing, data mining, artificial intelligence
Abstract - False Positives (FPs) and False Negatives (FNs) occur with every Intrusion Detection/Prevention System (IDS/IPS). This work proposes a False Positive/Negative Assessment (FPNA) mechanism that uses multiple IDSs/IPSs to collect FP and FN cases from real-world traffic. Over a period of sixteen months, more than two thousand FPs and FNs were collected and analyzed. The statistical analysis yields three interesting findings. First, more than 92.85% of false cases are FPs, even though the numbers of attack types involved in FPs and FNs are similar. Second, about 91% of FP alerts, equal to about 85% of all false cases, are related not to security issues but to management policy. Third, buffer overflow, SQL Server attack and Slammer worm attacks account for 93% of FNs, even though they are aged attacks. This indicates that these attacks continually appear in new variations that evade IDS/IPS detection.