Title :
RAPID: Reputation based approach for improving intrusion detection effectiveness
Author_Institution :
SecureWorks, Inc., Atlanta, GA, USA
Abstract :
Reducing false positives has been one of the toughest and most practical challenges in real-life deployments of intrusion detection systems; a high false-positive rate lowers confidence in IDS alerts. The security analyst is faced with a choice between disabling valuable signatures that also generate false positives, and missing true alerts in the flood of false positives. In this paper we present an architecture that uses IP reputation together with signature levels to reduce false positives and thereby increase the effectiveness of the IDS. In the proposed approach the IDS signatures are classified and grouped into levels according to their false-positive rating, and incoming traffic is analyzed by one or more of these levels depending on the reputation of the IP addresses involved. We also discuss a prototype implementation of the approach based on the open-source IDS Snort. Evaluation showed promising results: the prototype reduced false positives and correspondingly improved the Bayesian detection rate compared with unmodified Snort.
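The following is an added illustration of the mechanism the abstract describes, not code from the paper or its Snort prototype. It gates signature levels on source-IP reputation and computes the Bayesian detection rate P(intrusion | alarm) that the evaluation refers to. The three-level split, the 0..100 reputation scale, its thresholds, the signature set (local-range SIDs), the reputation table and the sample traffic are all assumptions constructed for the example; the use of the source address as the reputation key is likewise an assumption.

```python
"""Reputation-gated signature levels: an added illustration of the RAPID idea.

Not the paper's prototype. Levels, thresholds, reputation feed, signatures
and traffic below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass(frozen=True)
class Signature:
    sid: int
    level: int                       # 1 = lowest false-positive rating ... 3 = highest
    matches: Callable[[bytes], bool]


# Constructed signature set (SIDs in Snort's local range). Level 1 rules are
# precise and rarely wrong; level 3 rules are broad and noisy.
SIGNATURES = [
    Signature(1000001, 1, lambda p: b"/etc/passwd" in p),
    Signature(1000002, 2, lambda p: b"UNION SELECT" in p.upper()),
    Signature(1000003, 3, lambda p: b"' OR " in p.upper()),  # also hits legitimate text
]

# Constructed reputation feed: higher score = worse reputation (0..100).
# Ranges are RFC 5737 documentation networks.
REPUTATION = {
    ip_network("203.0.113.0/24"): 90,   # assumed known scanner range
    ip_network("198.51.100.7/32"): 55,  # assumed occasionally abusive host
}
DEFAULT_REPUTATION = 10  # unknown sources are treated as mostly benign


def reputation_of(src: str) -> int:
    """Worst matching reputation score for a source address, or the default."""
    addr = ip_address(src)
    return max((score for net, score in REPUTATION.items() if addr in net),
               default=DEFAULT_REPUTATION)


def levels_for(score: int) -> set[int]:
    """Map a reputation score to the signature levels that inspect the traffic.

    Thresholds are assumptions: low-FP rules always run; noisy rules run only
    against sources with a bad reputation, where an alert is more believable.
    """
    if score >= 80:
        return {1, 2, 3}
    if score >= 50:
        return {1, 2}
    return {1}


def inspect(src: str, payload: bytes) -> list[int]:
    """Return the SIDs that fire for one packet after reputation gating."""
    active = levels_for(reputation_of(src))
    return [s.sid for s in SIGNATURES if s.level in active and s.matches(payload)]


def bayesian_detection_rate(base_rate: float, tpr: float, fpr: float) -> float:
    """P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(not I)P(A|not I))."""
    hit = base_rate * tpr
    return hit / (hit + (1.0 - base_rate) * fpr)


# Constructed traffic: (source address, application payload).
SAMPLE_TRAFFIC = [
    ("203.0.113.5", b"GET /?q=' OR 1=1 HTTP/1.1"),              # bad rep: noisy rule fires
    ("192.0.2.10", b"GET /?q=' OR 1=1 HTTP/1.1"),               # unknown rep: noisy rule suppressed
    ("192.0.2.10", b"GET /../../etc/passwd HTTP/1.1"),          # level 1 fires regardless of rep
    ("198.51.100.7", b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1"),  # mid rep: level 2 runs too
]


def run_sample() -> list[tuple[str, list[int]]]:
    return [(src, inspect(src, p)) for src, p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for src, sids in run_sample():
        print(f"{src:15} -> {sids}")
    # Gating the noisy level-3 rules lowers the effective false-positive rate
    # over all traffic. Illustrative numbers: base rate 1e-4, TPR 0.9.
    print(bayesian_detection_rate(1e-4, 0.9, 1e-3))  # ungated FPR 1e-3: about 0.083
    print(bayesian_detection_rate(1e-4, 0.9, 1e-5))  # gated FPR 1e-5:   about 0.90
```

The point of the last two lines is the one the abstract makes: at realistic base rates the Bayesian detection rate is dominated by the false-positive rate, so even a modest cut in how often noisy signatures are evaluated against well-reputed traffic moves P(intrusion | alarm) far more than tuning the true-positive rate would. The cost is the complementary blind spot: a level-3 rule never fires for a source the feed considers clean, so the quality and freshness of the reputation data bound the detection of attacks from previously unseen addresses.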
Keywords :
security of data; Bayesian detection rate; IP addresses; IP reputation; RAPID; Snort; false positive rating; open source intrusion detection systems; reputation based approach; security analyst; signature levels; Bayesian methods; Detectors; IP networks; Intrusion detection; Prototypes; Servers; False positive reduction; Intrusion Detection Systems; Reputation;
Conference_Titel :
Information Assurance and Security (IAS), 2010 Sixth International Conference on
Conference_Location :
Atlanta, GA
Print_ISBN :
978-1-4244-7407-3
DOI :
10.1109/ISIAS.2010.5604064