
A Normal Profile Updating Method for False Positives Reduction in Anomaly Detection Systems

Proceeding: The Second International Conference on Informatics Engineering & Information Science (ICIEIS)

Page : 182-187

Keywords : Normal Profile; False Positive; Anomaly; Intrusion Detection System; Dataset;

Abstract

The contribution of this paper is to investigate whether the normal and abnormal data identified by an anomaly detector can be processed further with the intent of reducing false positive alerts. To this end, we use an existing anomaly detector model called the Protocol based Packet Header Anomaly Detector (PbPHAD). This model has been demonstrated to be very promising for anomaly-based Intrusion Detection Systems (IDSs). However, when the PbPHAD model is used alone, the percentage of false positives among the detected anomalous packets is quite high. Thus, the purpose of this paper is to investigate a proposed method of normal profile updating in anomaly detection systems with the intent of reducing false positive alerts. The proposed method was applied and tested using the PbPHAD model. The evaluation data set was downloaded from MIT Lincoln Laboratory. The experimental results on one selected host show that the proposed method is well able to address the shortcoming of the PbPHAD model, namely its high false positive rate for the detected anomalous packets.

Last modified: 2013-11-14 22:52:17