TY - GEN
T1 - Enhancing false alarm reduction using pool-based active learning in network intrusion detection
AU - Meng, Yuxin
AU - Kwok, Lam-For
PY - 2013
Y1 - 2013
N2 - Network intrusion detection systems (NIDSs) are an important and essential defense mechanism against network attacks. However, during detection a large number of NIDS false alarms can be generated, which is a major challenge for these systems. To mitigate this issue, machine-learning-based false alarm filters have been developed to refine false alarms, but it is very laborious and difficult for security experts to provide many labeled examples to train a classifier. In this paper, we therefore attempt to investigate the performance of active learning, which can make optimal use of the given datasets, in this particular field of NIDS false alarm reduction. After analyzing the relationship between the process of false alarm reduction and the process of intrusion detection, we design a simple but efficient pool-based active learning algorithm in a false alarm filter and evaluate its performance by comparing it with several traditional supervised machine learning algorithms. The experimental results show that the designed pool-based active learner can generally achieve a better outcome than a traditional machine learning algorithm, and that the designed scheme can approximately halve the required number of labeled alarms. © 2013 Springer-Verlag.
KW - Active Learning and Its Applications
KW - False Alarm Reduction
KW - Intrusion Detection
KW - Network Security
UR - http://www.scopus.com/inward/record.url?scp=84883375443&partnerID=8YFLogxK
UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-84883375443&origin=recordpage
U2 - 10.1007/978-3-642-38033-4_1
DO - 10.1007/978-3-642-38033-4_1
M3 - RGC 32 - Refereed conference paper (with host publication)
SN - 9783642380327
VL - 7863 LNCS
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 1
EP - 15
BT - Information Security Practice and Experience
PB - Springer Verlag
T2 - 9th International Conference on Information Security Practice and Experience, ISPEC 2013
Y2 - 12 May 2013 through 14 May 2013
ER -
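Added illustration of the idea the abstract describes, not code from the paper: a pool-based active learner for alarm triage that asks the analyst to label only the pooled alarms the current filter is least sure about, and a random-labelling baseline at the same label budget for comparison. The record does not give the authors' query strategy, classifier or features, so the uncertainty-sampling rule, the logistic-regression filter, the three alarm features, the constructed alarm records and the hidden linear rule standing in for the analyst are all assumptions made here.

```python
"""
Pool-based active learning for NIDS false-alarm filtering.

Added example for this record, not the authors' code: an uncertainty-sampling
learner that asks an "analyst" only for the alarms the current model is least
sure about. The three features, the hidden labelling rule standing in for the
analyst and the alarm records are all constructed for illustration.
"""
import math
import random

# Destination ports treated as expected services at this site (assumption).
KNOWN_PORTS = {22, 53, 80, 443}


def featurize(alarm):
    """Map an alarm record to [bias, priority, repeats, known_port] in [0, 1]."""
    prio = (4 - alarm["priority"]) / 3.0        # Snort-style priority, 1 = highest
    repeats = min(alarm["repeats"], 10) / 10.0  # alarms from the same source, capped
    known = 1.0 if alarm["dst_port"] in KNOWN_PORTS else 0.0
    return [1.0, prio, repeats, known]


def oracle(alarm):
    """Stand-in for the analyst: a hidden linear rule (constructed), 1 = true alarm."""
    _, prio, repeats, known = featurize(alarm)
    return 1 if 3.0 * prio + 2.0 * repeats - 1.5 * known - 2.0 > 0 else 0


def predict_proba(w, x):
    """Logistic model: P(true alarm | x)."""
    z = sum(wj * xj for wj, xj in zip(w, x))
    return 1.0 / (1.0 + math.exp(-z))


def train(alarms, labels, epochs=400, lr=0.5):
    """Full-batch gradient descent on the logistic loss; returns the weights."""
    X = [featurize(a) for a in alarms]
    w = [0.0] * len(X[0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, t in zip(X, labels):
            err = predict_proba(w, x) - t
            for j, xj in enumerate(x):
                grad[j] += err * xj
        w = [wj - lr * gj / len(X) for wj, gj in zip(w, grad)]
    return w


def active_learn(pool, budget, seed_size=4, seed=0):
    """Pool-based uncertainty sampling.

    Start from a few randomly labelled alarms, then repeatedly query the analyst
    (oracle) for the pooled alarm whose predicted probability is closest to 0.5,
    retrain, and stop once `budget` labels have been spent.
    """
    rng = random.Random(seed)
    unlabeled = list(pool)
    rng.shuffle(unlabeled)
    labeled = [unlabeled.pop() for _ in range(seed_size)]
    labels = [oracle(a) for a in labeled]
    w = train(labeled, labels)
    while len(labeled) < budget and unlabeled:
        i = min(range(len(unlabeled)),
                key=lambda k: abs(predict_proba(w, featurize(unlabeled[k])) - 0.5))
        chosen = unlabeled.pop(i)
        labeled.append(chosen)
        labels.append(oracle(chosen))     # the only place a label is requested
        w = train(labeled, labels)
    return w, labeled


def passive_learn(pool, budget, seed=0):
    """Baseline: label `budget` alarms chosen uniformly at random, train once."""
    labeled = random.Random(seed).sample(list(pool), budget)
    return train(labeled, [oracle(a) for a in labeled]), labeled


def accuracy(w, alarms):
    """Fraction of alarms whose predicted class matches the oracle."""
    hits = sum((predict_proba(w, featurize(a)) > 0.5) == (oracle(a) == 1) for a in alarms)
    return hits / len(alarms)


def make_pool(n, seed=1):
    """Constructed alarm records (not real NIDS output)."""
    rng = random.Random(seed)
    ports = [22, 53, 80, 443, 3389, 4444, 8080, 31337]
    return [{"priority": rng.randint(1, 3), "repeats": rng.randint(0, 12),
             "dst_port": rng.choice(ports)} for _ in range(n)]


def compare(budget=24):
    """Held-out accuracy of active vs. random labelling at the same label budget."""
    pool, holdout = make_pool(300, seed=1), make_pool(300, seed=2)
    w_active, _ = active_learn(pool, budget)
    w_passive, _ = passive_learn(pool, budget)
    return accuracy(w_active, holdout), accuracy(w_passive, holdout)


if __name__ == "__main__":
    act, pas = compare()
    print(f"24 labels: active learner {act:.3f}, random labelling {pas:.3f}")
```

The point of the loop in `active_learn` is that the analyst is consulted only inside it, once per query, so the number of `oracle` calls is exactly the label budget; sweeping `budget` and watching when held-out accuracy plateaus is how one would measure the label savings the abstract reports, on real alarm features and real analyst labels rather than the constructed ones here.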