Extracting Ambiguous Sessions from Real Traffic with Intrusion Prevention Systems

False Positives (FPs) and False Negatives (FNs) are common in every Intrusion Prevention System (IPS). No single system judges more accurately than the others all the time. This paper proposes a system of Ambiguous Session Extraction (ASE) to create a pool of ambiguous traffic traces. Traffic traces or sessions are called “ambiguous” when they cause potential FNs (abbreviated as P-FNs) and potential FPs (abbreviated as P-FPs) in IPSes. IPS developers can use these ambiguous traffic traces to improve the accuracy of their products.

International Journal of Network Security