ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems

We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%.
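As an added illustration (this is not the paper's code, nor anything published by USENIX or the authors), the following Python sketch simulates the three pieces the abstract describes for a TCP client/server service such as HTTP: an inbound NIDS that raises alerts on requests, an anomaly model trained on the server's normal output, and a correlation step that keeps an alert only when the matching response is also anomalous. The signatures, the per-status-code length and byte-class baseline, the thresholds and all traffic are constructed assumptions chosen to keep the example small; the paper's own output model is not reproduced here.

```python
"""Alert verification by correlating inbound NIDS alerts with output anomalies.

Added example, not the paper's code: a toy simulation of the idea in the
ATLANTIDES abstract. Every request, response, signature and threshold below
is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Exchange:
    conn_id: int   # one TCP connection: request in, response out
    request: str
    response: str


# --- 1. inbound detector: a minimal signature-based NIDS on requests --------
SIGNATURES = {"sqli": "' OR ", "traversal": "../"}   # assumed toy signatures


def inbound_alerts(exchanges):
    """Return (conn_id, signature) for every request matching a signature."""
    return [(ex.conn_id, name) for ex in exchanges
            for name, pat in SIGNATURES.items() if pat in ex.request]


# --- 2. output anomaly model learned from the server's normal responses -----
def status_of(resp):
    return resp.split(" ", 2)[1]          # "HTTP/1.1 200 OK..." -> "200"


def char_profile(text):
    """Fraction of alphabetic, digit, whitespace and other characters."""
    c = Counter("alpha" if ch.isalpha() else "digit" if ch.isdigit()
                else "space" if ch.isspace() else "other" for ch in text)
    n = max(1, len(text))
    return {k: c[k] / n for k in ("alpha", "digit", "space", "other")}


class OutputModel:
    """Per-status-code baseline of response length and character profile."""
    def __init__(self):
        self.baseline = {}                 # status -> (mean_len, std_len, avg_profile)

    def train(self, responses):
        by_status = {}
        for r in responses:
            by_status.setdefault(status_of(r), []).append(r)
        for st, rs in by_status.items():
            lens = [len(r) for r in rs]
            profs = [char_profile(r) for r in rs]
            avg = {k: mean(p[k] for p in profs) for k in profs[0]}
            self.baseline[st] = (mean(lens), pstdev(lens), avg)

    def is_anomalous(self, resp, z_max=3.0, dist_max=0.3):
        st = status_of(resp)
        if st not in self.baseline:        # status code never seen in training
            return True
        mu, sigma, avg = self.baseline[st]
        if sigma == 0:
            z = 0.0 if len(resp) == mu else float("inf")
        else:
            z = abs(len(resp) - mu) / sigma
        prof = char_profile(resp)
        dist = sum(abs(prof[k] - avg[k]) for k in avg)   # L1 distance
        return z > z_max or dist > dist_max


# --- 3. correlation: keep an alert only if its response is also anomalous ---
def verify_alerts(alerts, exchanges, model):
    responses = {ex.conn_id: ex.response for ex in exchanges}
    verified, suppressed = [], []
    for conn_id, name in alerts:
        target = verified if model.is_anomalous(responses[conn_id]) else suppressed
        target.append((conn_id, name))
    return verified, suppressed


# --- constructed sample traffic ---------------------------------------------
def results_page(term, n_items):
    body = (f"<html><body><h1>Results for {term}</h1><ul>"
            + "".join(f"<li>Item {i}</li>" for i in range(n_items))
            + "</ul></body></html>")
    return (f"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


TRAINING = [results_page(t, n) for t, n in
            [("cats", 3), ("dogs", 5), ("books", 8),
             ("shoes", 10), ("lamps", 12), ("pens", 15)]]

TEST = [
    # benign search text that happens to trip the signature: a false positive
    Exchange(1, "GET /search?q=cats' OR 'dogs HTTP/1.1",
             results_page("cats' OR 'dogs", 7)),
    # request that trips the signature and makes the server emit an error page
    # it never produced during training: output anomaly confirms the alert
    Exchange(2, "GET /search?q=x' OR 'a'='a HTTP/1.1",
             "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/plain"
             "\r\n\r\nDatabase error: syntax error near 'OR'"),
    # ordinary request, no alert at all
    Exchange(3, "GET /search?q=lamps HTTP/1.1", results_page("lamps", 4)),
]


def run():
    model = OutputModel()
    model.train(TRAINING)
    return verify_alerts(inbound_alerts(TEST), TEST, model)


if __name__ == "__main__":
    verified, suppressed = run()
    print("raw alerts:", inbound_alerts(TEST))
    print("verified:  ", verified)
    print("suppressed:", suppressed)
```

The inbound detector alone raises two alerts; the correlation step keeps the one whose response departs from the server's learned behaviour and drops the one answered by an ordinary results page, which is the kind of false-positive reduction the abstract reports. A real deployment would need a richer output model, a training set that covers every legitimate response class (otherwise rare but benign responses are flagged), and care that the NIDS and the output monitor see the same connection.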

Damiano Bolzoni, University of Twente, The Netherlands

Bruno Crispo, Vrije Universiteit, The Netherlands & University of Trento, Italy

Sandro Etalle, University of Twente, The Netherlands


BibTeX
@inproceedings {268430,
author = {Damiano Bolzoni and Bruno Crispo and Sandro Etalle},
title = {{ATLANTIDES}: An Architecture for Alert Verification in Network Intrusion Detection Systems},
booktitle = {21st Large Installation System Administration Conference (LISA 07)},
year = {2007},
address = {Dallas, TX},
url = {https://www.usenix.org/conference/lisa-07/atlantides-architecture-alert-verification-network-intrusion-detection-systems},
publisher = {USENIX Association},
month = nov
}
Links

Paper: http://usenix.org/event/lisa07/tech/full_papers/bolzoni/bolzoni.pdf
Paper (HTML): http://usenix.org/event/lisa07/tech/full_papers/bolzoni/bolzoni_html/index.html