Experimental Studies Using SOARA: An Approach to Reduce Alarm Rates on Streams of Intrusion
Jorge Levera (1), Robert Grossman (1), Benjamín Barán (2)
e-mails: jlevera@cs.uic.edu, grossman@uic.edu, bbaran@cnc.una.py
(1) University of Illinois at Chicago - Department of Computer Science, Chicago, United States
(2) Universidad Nacional de Asunción - Centro Nacional de Computación, San Lorenzo, Paraguay
The overwhelming number of alarms generated by rule-based network intrusion detection systems makes the task of network security operators ineffective. Preliminary results on an approach called SOARA show that false positive alarms can be reduced by detecting changes in streams of alarms using a sketch-based time-decaying moving median. SOARA keeps a memory-efficient sketch summary of the normal stream of alarms using relevant features. Sketches are updated according to established policies, and a time-decaying moving median procedure is applied to historical data to detect abnormal alarm rates on the stream. SOARA shows promising results on labeled and unlabeled test sets by focusing on exceptions in the normal stream of alarms, diverting attention away from false positives.
Keywords: Data Stream, Intrusion Detection, Sketch Summaries, Time Decaying Moving Median
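The detection step the abstract describes, as an added illustration that is not the paper's code: a count-min sketch summarises each time window's alarm counts by feature key, and a time-decaying weighted median over past windows is the baseline against which a window's rate is judged. The sketch parameters, the exponential decay weighting, the threshold factor and the policy of not folding abnormal windows into the baseline are assumptions here, not details taken from the paper.

```python
import hashlib
from collections import defaultdict
class CountMinSketch:
    """Memory-bounded approximate counter over alarm feature keys (depth x width cells)."""
    def __init__(self, width=256, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]
    def _cell(self, key, row):
        digest = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.width
    def add(self, key, n=1):
        for row in range(self.depth):
            self.table[row][self._cell(key, row)] += n
    def estimate(self, key):  # min over rows never underestimates, rarely overestimates
        return min(self.table[row][self._cell(key, row)] for row in range(self.depth))

def decaying_median(history, decay=0.8):
    """Weighted median of past per-window counts: a window of age a (newest = 0)
    has weight decay**a, so old behaviour fades out of the baseline (assumed weighting)."""
    pairs = sorted((count, decay ** age) for age, count in enumerate(reversed(history)))
    half = sum(weight for _, weight in pairs) / 2
    acc = 0.0
    for count, weight in pairs:
        acc += weight
        if acc >= half:
            return count

def detect_abnormal_rates(windows, factor=3.0, min_history=3, decay=0.8):
    """windows: per-time-window lists of alarm feature keys (e.g. signature ids).
    Returns (window_index, key, observed, baseline) when a key's count exceeds
    factor * its time-decaying median. Assumed update policy: an abnormal window is
    NOT folded into the baseline, so a burst cannot make itself look 'normal'."""
    history, findings = defaultdict(list), []
    for idx, alarms in enumerate(windows):
        sketch = CountMinSketch()
        for key in alarms:
            sketch.add(key)
        for key in sorted(set(alarms)):
            observed, past = sketch.estimate(key), history[key]
            if len(past) >= min_history:
                baseline = decaying_median(past, decay)
                if observed > factor * max(baseline, 1):
                    findings.append((idx, key, observed, baseline))
                    continue
            past.append(observed)
    return findings

# Constructed stream (not the paper's data): noisy rule SIG-1 fires ~100 times per window
# (a steady false-positive background); SIG-2 idles at ~5 and bursts in the last window.
WINDOWS = [["SIG-1"] * a + ["SIG-2"] * b for a, b in [(100, 5), (98, 4), (103, 6), (99, 5), (101, 60)]]
```

The steady SIG-1 background never trips the detector however many alarms it produces; only the SIG-2 burst in window 4 is reported, with its baseline of 5 alongside it.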
BibTeX
@INPROCEEDINGS{levera04:156,
AUTHOR = {Jorge Levera and Robert Grossman and Benjamín Barán},
TITLE = {Experimental Studies Using SOARA: An Approach to Reduce Alarm Rates on Streams of Intrusion},
BOOKTITLE = {30ma Conferencia Latinoamericana de Informática (CLEI2004)},
YEAR = {2004},
editor = {Mauricio Solar and David Fernández-Baca and Ernesto Cuadros-Vargas},
pages = {512--522},
address = {},
month = Sep,
organization = {Sociedad Peruana de Computación},
note = {ISBN 9972-9876-2-0},
file = {http://clei2004.spc.org.pe/es/html/pdfs/156.pdf}
}