Reducing false negative/false positive of IDS/IPS based on formal definition of attacks

根据正式的攻击定义减少 IDS/IPS 的误报/误报

• 批准号: 17500032
• 负责人: IMAIZUMI Takashi
• 金额: $ 2.37万
• 依托单位: Chiba University
• 依托单位国家: 日本
• 项目类别: Grant-in-Aid for Scientific Research (C)
• 财政年份: 2005
• 资助国家: 日本
• 起止时间: 2005 至 2007
• 项目状态: 已结题
• 来源: https://kaken.nii.ac.jp/grant/KAKENHI-PROJECT-17500032/
• 关键词: Internet Security; Intrusion Detection; Prevention System; IDS; IPS; 誤検知; False Positive q; 侵入検知システム; 侵入遮断システム; False Positive

It is important far Intrusion Detection/Prevention Systems to reduce false alerts. If the system makes alerts for ordinary activities, administrators must check the existence of actual intrusions. We found that the differences of recognition among producer of IDS and user of IDS make these false alerts. We researched on how to represent threats that the users consider to be reported.The users of the system consider alerts as false alerts when the detection result is different from the one expected. They judge it according to their own vague senses. It is very difficult to express such a vague demand strictly using description languages similar to programming languages. We found that the technique of the requirements analysis in software engineering is useful to express a vague demand. We define the notation of threats using the technique found in software engineering area. We use post conditions to describe threats, so we can' t use this for IDS/IPS configurations. However, we can evaluate IDS systems by comparing ratios of false alerts.

入侵检测/防御系统对减少误报警具有重要意义。如果系统对普通活动发出警报，管理员必须检查是否存在实际入侵。我们发现，入侵检测系统生产者和入侵检测系统使用者之间的识别差异导致了这些错误警报。研究了如何表示用户认为需要上报的威胁，当检测结果与预期不符时，系统用户将告警视为虚假告警。他们根据自己模糊的感觉来判断。严格地使用类似于编程语言的描述语言来表达如此模糊的需求是非常困难的。我们发现，软件工程中的需求分析技术对于表达模糊的需求是有用的。我们使用软件工程领域中的技术来定义威胁的表示法。我们使用POST条件来描述威胁，因此不能将其用于IDS/IPS配置。然而，我们可以通过比较误报警率来评估入侵检测系统。

项目成果

IDSの誤検知除去に対するソフトウェア工学的アプローチ

IDS 误报消除的软件工程方法

• 发表时间: 2007
• 作者: 淡路 淳・今泉 貴史