
Student: 廖國光 (Kuo-Kuang Liao)
Title: 利用支撐向量機及滑動視窗來過濾假警報 (False Alarm Filtering Using SVM and Sliding Window)
Advisor: 吳怡樂 (Yi-Leh Wu)
Committee members: 何瑁鎧 (Maw-Kae Hor), 唐政元 (Cheng-Yuan Tang), 鄧惟中 (Wei-Chung Teng)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year published: 2008
Graduation academic year: 96 (ROC calendar)
Language: English
Pages: 26
Keywords (Chinese): intrusion detection system, false alarm, alarm filtering, alarm reduction, support vector machine
Keywords (English): IDS, false alarm, alarm filtering, alarm reduction, SVM
Abstract (translated from the Chinese):

Intrusion detection systems are used to monitor the network environment; when any suspicious intrusion attempt is detected, an alarm is triggered and sent to the network administrator. They do play an important role in network defence, but they also bring other problems. Administrators are flooded with a huge volume of alarms and have no practical way of picking out the genuine intrusion attempts; worse, most of the alarms are false alarms, which makes that judgement even harder. The goal of this thesis is to reduce this large volume of false alarms. We propose a false alarm filtering system that builds a model from past alarms and then uses that model to filter new alarms seen in the future. It has two parts: the first uses a sliding window to build an alarm feature vector set, and the second is a support vector machine (SVM) classifier that generates the model used to filter new alarms. We validated the proposed method on two data sets, the synthetic DARPA data set and the SOC data set collected from a real network, and achieved reduction rates of 88% and 95% respectively. These experimental results show that the proposed system can effectively and successfully reduce the large volume of false alarms triggered by intrusion detection systems, and can therefore greatly reduce the network administrators' workload, letting them concentrate on handling real intrusions.


Abstract:

Intrusion Detection Systems (IDSs) play an important role in monitoring networks and triggering an alarm to analysts when a malicious attempt is detected. A major difficulty is the unmanageable number of alarms flooding the analysts, most of which are false alarms. We focus on reducing the number of false alarms by building a filtering system. The proposed system employs historical alarms to construct a model, which is then applied to filter future incoming alarms. The approach uses a sliding window to construct the 'alarm feature vector set' and then uses an SVM to generate filtering models that filter out new incoming alarms. The approach is evaluated on two data sets, the synthetic DARPA data set and a real-traffic data set (the SOC data set), and achieves false alarm reduction rates of 88% and 95%, respectively. The results show that the proposed system can successfully and significantly reduce the number of IDS false alarms. Therefore, the system can alleviate analysts' effort and help them pay more attention to dealing with true alarms.
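The pipeline the abstract describes (sliding window over the alarm stream, one feature vector per alarm, a linear SVM trained on labelled historical alarms, then applied to incoming alarms and scored by reduction rate) is shown below as an added example. This is not the thesis's code: the feature set, the window definition, the sample alarm streams and the training routine are all my own assumptions. The window here spans two alarms on either side of the alarm being scored, so each filtering decision lags the stream by two alarms; the thesis does not state its window definition. The SVM is a plain primal sub-gradient solver rather than a library; a production filter would use a proper SVM implementation such as LIBSVM. The alarm streams are constructed, not DARPA or SOC data, and their labels are assumed ground truth.

```python
"""Sliding-window alarm features plus a linear SVM filter (added example, not the thesis's code)."""
from collections import namedtuple

Alarm = namedtuple("Alarm", "src sig is_attack")  # is_attack: assumed ground-truth label


def burst(src, sig, n):
    """n consecutive alarms of one signature from one source, all labelled false (noise)."""
    return [Alarm(src, sig, False)] * n


# Constructed sample streams (assumption: not DARPA or SOC data). 'WEB-IIS cmd.exe access'
# is deliberately mixed: a scanner burst is noise, a lone hit from a fresh source is real,
# so signature identity alone cannot filter it; the window context has to.
HISTORICAL = (burst("10.0.0.5", "ICMP PING NMAP", 6)
              + [Alarm("203.0.113.9", "SHELLCODE x86 NOOP", True)]
              + burst("10.0.0.7", "WEB-IIS cmd.exe access", 5)
              + [Alarm("198.51.100.4", "WEB-IIS cmd.exe access", True)]
              + burst("10.0.0.12", "SNMP public access udp", 6)
              + [Alarm("198.51.100.4", "EXPLOIT ssh CRC32 overflow", True)]
              + burst("10.0.0.5", "ICMP PING NMAP", 5))
INCOMING = (burst("10.0.0.7", "WEB-IIS cmd.exe access", 5)
            + [Alarm("203.0.113.9", "SHELLCODE x86 NOOP", True)]
            + burst("10.0.0.12", "SNMP public access udp", 6)
            + [Alarm("192.0.2.77", "WEB-IIS cmd.exe access", True)]
            + burst("10.0.0.5", "ICMP PING NMAP", 4))

HALF_WINDOW = 2  # assumption: 2 alarms before and 2 after; decisions lag the stream by 2 alarms


def feature_vectors(alarms, vocab):
    """One feature vector per alarm: window context, one-hot signature, bias term."""
    vectors = []
    for i, a in enumerate(alarms):
        win = alarms[max(0, i - HALF_WINDOW): i + HALF_WINDOW + 1]
        same_pair = sum(1 for b in win if (b.src, b.sig) == (a.src, a.sig)) / len(win)
        same_src = sum(1 for b in win if b.src == a.src) / len(win)
        onehot = [1.0 if a.sig == s else 0.0 for s in vocab]  # unseen signature -> all zeros
        vectors.append([same_pair, same_src] + onehot + [1.0])
    return vectors


def train_svm(xs, ys, lam=1e-4, lr=0.05, max_epochs=300):
    """Primal linear SVM: sub-gradient descent on lam/2*|w|^2 + mean hinge loss."""
    w = [0.0] * len(xs[0])
    for _ in range(max_epochs):
        violations = 0
        for x, y in zip(xs, ys):
            margin = y * sum(wi * xi for wi, xi in zip(w, x))
            if margin < 1.0:  # inside the margin or misclassified: hinge sub-gradient step
                violations += 1
                w = [wi - lr * (lam * wi - y * xi) for wi, xi in zip(w, x)]
            else:             # outside the margin: regularisation shrink only
                w = [wi - lr * lam * wi for wi in w]
        if violations == 0:   # every training alarm sits outside the margin
            break
    return w


def keep(w, x):
    """True = pass the alarm to the analyst; a score of exactly 0 is kept, not dropped."""
    return sum(wi * xi for wi, xi in zip(w, x)) >= 0.0


def evaluate(alarms, decisions):
    """Reduction rate = share of false alarms filtered; loss = share of true alarms filtered."""
    false_total = sum(1 for a in alarms if not a.is_attack)
    true_total = sum(1 for a in alarms if a.is_attack)
    false_dropped = sum(1 for a, k in zip(alarms, decisions) if not a.is_attack and not k)
    true_dropped = sum(1 for a, k in zip(alarms, decisions) if a.is_attack and not k)
    return {"reduction_rate": false_dropped / false_total if false_total else 0.0,
            "true_alarm_loss": true_dropped / true_total if true_total else 0.0}


def run(historical=HISTORICAL, incoming=INCOMING):
    """Build the filter from labelled historical alarms, apply it to the incoming stream."""
    vocab = sorted({a.sig for a in historical})
    w = train_svm(feature_vectors(historical, vocab),
                  [1.0 if a.is_attack else -1.0 for a in historical])
    decisions = [keep(w, x) for x in feature_vectors(incoming, vocab)]
    return evaluate(incoming, decisions)


if __name__ == "__main__":
    print(run())
```

Two points a practitioner should take from the example. A reduction rate on its own says nothing about safety, so `evaluate` also reports the share of true alarms the filter discarded; a filter that reaches 95% reduction by dropping real intrusions is worse than no filter. And with a window that only looks backwards, the first alarm of a burst is indistinguishable from a lone alarm, which is why the example lets the window see the alarms that follow and pays for it with a small decision delay.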

Table of contents:

Advisor's recommendation (p. i)
Thesis committee approval (p. ii)
Abstract in Chinese (p. iii)
Abstract (p. iv)
Contents (p. v)
List of Tables (p. vii)
List of Figures (p. viii)
1 Introduction (p. 1)
2 Related Work (p. 4)
2.1 Intrusion Detection Technologies (p. 4)
2.2 Alert Correlation (p. 5)
3 System Architecture (p. 7)
3.1 System Overview (p. 7)
3.2 Feature Extraction (p. 8)
3.3 Filter Generation (p. 9)
4 Experiments (p. 12)
4.1 Environmental Setting (p. 12)
4.2 Data Sets (p. 12)
4.3 Performance Measurement (p. 15)
4.4 Results (p. 16)
4.5 Parameter Setting (p. 18)
5 Conclusions and Future Work (p. 21)
References (p. 22)
Appendix 1: True Alarm Distribution in the SOC Data Set (p. 25)

