Data mining and machine learning—Towards reducing false positives in intrusion detection