Extracting Attack Sessions From Real Traffic With Intrusion Prevention Systems
False Positive (FP) and False Negative (FN) happen to every Intrusion Prevention System (IPS). No one could do better judgment than others all the time. This paper proposes a system of Attack Session Extraction (ASE) to create a pool of traffic traces which cause possible FNs and FPs to IPSs. Developers of IPSs can use these traffic traces to improve the accuracy of their products. First, the ASE captures real traffic and replays captured traffic traces to multiple IPSs. From the logs of IPSs, the authors can find that some attack events are only "Logged" or "not logged" at certain IPS. The former could be FPs, while the latter could be FNs to that IPS.