False Positives and Negatives from Real Traffic with Intrusion Detection/Prevention Systems
Author(s) - Cheng-Yuan Ho, Ying-Dar Lin, Yuan-Cheng Lai, I. Ming Chen, Fu-Yu Wang, Wei-Hsuan Tai
Publication year - 2012
Publication title - International Journal of Future Computer and Communication
Language(s) - English
Resource type - Journals
ISSN - 2010-3751
DOI - 10.7763/ijfcc.2012.v1.23
Subject(s) - false positive paradox, computer science, intrusion detection system, false positives and false negatives, computer security, true positive rate, real-time computing, data mining, artificial intelligence
False Positives (FPs) and False Negatives (FNs) occur with every Intrusion Detection/Prevention System (IDS/IPS). This work proposes a False Positive/Negative Assessment (FPNA) mechanism that uses multiple IDSs/IPSs to collect FP and FN cases from real-world traffic. Over a period of sixteen months, more than two thousand FPs and FNs were collected and analyzed. The statistical analysis yields three notable findings. First, more than 92.85% of false cases are FPs, even though the numbers of attack types involved in FPs and FNs are similar. Second, about 91% of FP alerts, corresponding to about 85% of all false cases, are related not to security issues but to management policy. Third, buffer overflow, SQL Server attacks and Slammer worm attacks account for 93% of FNs, even though they are old attacks; this indicates that such attacks keep appearing in new variations that evade IDS/IPS detection.