
MVPSys : toward practical multi-view based false alarm reduction system in network intrusion detection


Abstract

Network intrusion detection systems (NIDSs) have been developed for over twenty years and have been widely deployed in computer networks to detect a variety of network attacks. But one of the major limitations is that these systems would generate a large number of alarms, especially false alarms (positives) during the detection. To address this issue, many machine learning approaches have been applied to reduce NIDS false positives. However, we notice that multi-view based approach is often ignored by the literature, which uses one function to model a particular view and jointly optimizes all the functions to optimize and improve the learning performance. In addition, most existing studies have not implemented their algorithms into practical alarm systems. In this paper, we thus develop MVPSys, a practical multi-view based false alarm reduction system to reduce false alarms more efficiently, where each view represents a set of features. More specifically, we implement a semi-supervised learning algorithm to construct two-view items and automatically exploit both labeled and unlabeled data. That is, this system can automatically extract and organize features from an incoming alarm into two feature sets: destination feature set and source feature set, where the former contains the features related to the target environment and the latter contains the features about the source environment. In the evaluation, we deploy our system into two real network environments besides using two datasets. Experimental results indicate that our system can achieve a stable filtration accuracy of over 95%, offering a significant improvement as compared with the state-of-the-art algorithms.

Bibliographic record

  • Authors: Li W; Meng W; Luo X; Kwok LF
  • Year: 2016
  • Original format: PDF
  • Language of text: eng
