Extracting Attack Sessions From Real Traffic With Intrusion Prevention Systems

False positives (FPs) and false negatives (FNs) happen to every Intrusion Prevention System (IPS); no single IPS makes the best judgment all the time. This paper proposes a system of Attack Session Extraction (ASE) that creates a pool of traffic traces which cause possible FNs and FPs in IPSs. Developers of IPSs can use these traffic traces to improve the accuracy of their products. First, the ASE captures real traffic and replays the captured traces to multiple IPSs. By comparing the logs of the IPSs, the authors find that some attack events are logged only by a certain IPS, while others are logged by every IPS except one. The former could be FPs of that IPS, while the latter could be FNs of that IPS.
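The comparison step described above can be illustrated with a small differential analysis of the alert logs. The following is an added example, not code from the paper or from its authors: it assumes a constructed, single-line log format, three hypothetical IPS names (ips_a, ips_b, ips_c), and that a "session" is identified by its protocol, source and destination endpoints rather than by the signature name, which differs from product to product. Sessions that exactly one IPS logged are reported as possible FPs of that IPS; sessions that every IPS but one logged are reported as possible FNs of the one that missed them.

```python
"""Differential comparison of IPS alert logs after replaying one captured trace.

Added example (not the paper's code). Log format, IPS names, addresses and
signature names below are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample logs: the same trace was replayed to three hypothetical
# IPSs; each line is one alert. Signature names differ per product, so the
# session key is (proto, src, dst), not the signature.
SAMPLE_LOGS = """\
ips_a proto=tcp src=10.0.0.5:40001 dst=192.168.1.10:80 sig=http-dir-traversal
ips_a proto=tcp src=10.0.0.7:40002 dst=192.168.1.10:445 sig=smb-overflow
ips_a proto=tcp src=10.0.0.9:40003 dst=192.168.1.20:22 sig=ssh-brute-force
ips_b proto=tcp src=10.0.0.5:40001 dst=192.168.1.10:80 sig=web-traversal
ips_b proto=tcp src=10.0.0.7:40002 dst=192.168.1.10:445 sig=smb-exploit
ips_b proto=udp src=10.0.0.11:5000 dst=192.168.1.30:53 sig=dns-anomaly
ips_c proto=tcp src=10.0.0.5:40001 dst=192.168.1.10:80 sig=traversal
ips_c proto=tcp src=10.0.0.9:40003 dst=192.168.1.20:22 sig=ssh-bruteforce
"""

# Hypothetical log format: "<ips> proto=<p> src=<ip:port> dst=<ip:port> sig=<name>"
LINE_RE = re.compile(
    r"^(?P<ips>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+)$"
)


def parse_logs(text):
    """Return {ips_name: {session_key: signature}} from the constructed format."""
    logged = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        session = (m["proto"], m["src"], m["dst"])
        logged[m["ips"]][session] = m["sig"]
    return dict(logged)


def extract_candidates(logged):
    """Classify every session by which IPSs logged it.

    Returns (possible_fp, possible_fn, agreed):
      possible_fp[ips] -> sessions logged by that IPS alone
      possible_fn[ips] -> sessions logged by every other IPS but not that one
      agreed           -> sessions logged by all IPSs
    At least three IPSs are required: with only two, "only one logged it"
    and "only one missed it" describe the same event and cannot be separated.
    """
    ips_names = set(logged)
    if len(ips_names) < 3:
        raise ValueError("need logs from at least three IPSs to separate FP from FN candidates")
    all_sessions = set().union(*logged.values())  # union of each IPS's session keys
    possible_fp = defaultdict(set)
    possible_fn = defaultdict(set)
    agreed = set()
    for session in all_sessions:
        flagged = {name for name in ips_names if session in logged[name]}
        if len(flagged) == len(ips_names):
            agreed.add(session)
        elif len(flagged) == 1:
            possible_fp[next(iter(flagged))].add(session)
        elif len(flagged) == len(ips_names) - 1:
            possible_fn[(ips_names - flagged).pop()].add(session)
        # With four or more IPSs, sessions with a more evenly split verdict fall
        # through here and are left for manual review.
    return dict(possible_fp), dict(possible_fn), agreed


if __name__ == "__main__":
    fp, fn, agreed = extract_candidates(parse_logs(SAMPLE_LOGS))
    for name, sessions in sorted(fp.items()):
        print(f"possible FP for {name}: {sorted(sessions)}")
    for name, sessions in sorted(fn.items()):
        print(f"possible FN for {name}: {sorted(sessions)}")
    print(f"agreed by all IPSs: {sorted(agreed)}")
```

On the constructed sample, the DNS session is a possible FP of ips_b (it alone logged it), the SSH session a possible FN of ips_b and the SMB session a possible FN of ips_c (each was logged by the other two), and the HTTP session is agreed by all three. The traces behind the FP and FN candidates are the ones worth adding to the pool for developers to inspect; agreement across products does not prove a verdict right, but disagreement is where the cheap evidence lies.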

Provided by: National Chiao Tung University | Topic: Mobility | Date Added: Feb 2010 | Format: PDF
