Internet Archive Scholar

False Positives and Negatives from Real Traffic with Intrusion Detection/Prevention Systems

Cheng-Yuan Ho, Ying-Dar Lin, Yuan-Cheng Lai, I-Wei Chen, Fu-Yu Wang, Wei-Hsuan Tai
2012 International Journal of Future Computer and Communication  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (307.3 kB)
https://web.archive.org/web/20170705091449/http://speed.cis.nctu.edu.tw/%7Eydlin/pdf/False_Positives_and_Negatives_from_Real_Traffic_with_Intrusion_Detection_Prevention_Systems.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2017; you can also visit the original URL. The file type is application/pdf.

False Positives (FPs) and False Negatives (FNs) happen to every Intrusion Detection/Prevention System (IDS/IPS). This work proposes a mechanism of False Positive/Negative Assessment (FPNA) with multiple IDSs/IPSs to collect FP and FN cases from real-world traffic. Over a period of sixteen months, more than two thousand FPs and FNs have been collected and analyzed. From the statistical analysis results, we obtain three interesting findings. First, more than 92.85% of false cases are FPs even if
more » ... he numbers of attack types for FP and FN are similar. Second, about 91% of FP alerts, equal to about 85% of false cases, are not related to security issues, but to management policy. The last finding shows that buffer overflow, SQL server attack and worm slammer attacks account for 93% of FNs, even though they are aged attacks. This indicates that these attacks always have new variations to evade IDS/IPS detection.
doi:10.7763/ijfcc.2012.v1.23 fatcat:dql4pyrs4fczxebqtiuziwcvjy
Citation

Cheng-Yuan Ho, Ying-Dar Lin, Yuan-Cheng Lai, I-Wei Chen, Fu-Yu Wang, Wei-Hsuan Tai. "False Positives and Negatives from Real Traffic with Intrusion Detection/Prevention Systems." International Journal of Future Computer and Communication (2012) 87-90