Analyzing Root Causes of Intrusion Detection False-Negatives: Methodology and Case Study
This work addresses a real problem for cybersecurity practitioners, the ineffectiveness of IDSs against current attacks, but its contribution is incremental: it analyzes why existing detection misses attacks rather than proposing a new detection technique.
The paper tackles the problem of understanding why Intrusion Detection Systems (IDSs) produce false-negatives: it proposes a root-cause analysis methodology and applies it in a case study on Snort with real-world attack data, drawing insights intended to guide the design of future IDSs.
Intrusion Detection Systems (IDSs) are a necessary cyber defense mechanism. Unfortunately, their capability has fallen behind that of attackers. This motivates us to improve our understanding of the root causes of their false-negatives. In this paper we make a first step towards the ultimate goal of drawing useful insights and principles that can guide the design of next-generation IDSs. Specifically, we propose a methodology for analyzing the root causes of IDS false-negatives and conduct a case study based on Snort and a real-world dataset of cyber attacks. The case study allows us to draw useful insights.
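The page does not reproduce the paper's methodology, but any root-cause analysis of false-negatives has to start from the same bookkeeping step: joining a ground-truth list of attacks against the alerts the IDS actually raised, and isolating the attacks that produced no alert. The Python below is an added illustration of that step and is not code from the paper. The Snort alert lines (in `alert_fast` output format) and the ground-truth records are constructed samples; the match rule (same source and destination address, alert timestamp inside the attack's time window) and the category names are assumptions chosen for the example.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of Snort "alert_fast" output (not from any real dataset).
SNORT_ALERTS = """\
03/14-10:02:11.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 10.0.0.5:44123 -> 192.168.1.10:22
03/14-10:07:45.000001  [**] [1:1000001:1] LOCAL SQLi attempt in URI [**] [Priority: 1] {TCP} 10.0.0.9:51000 -> 192.168.1.20:80
"""

# Constructed ground truth: one record per attack the dataset says took place.
# Category labels are assumed for the example, not taken from the paper.
GROUND_TRUTH = [
    {"id": "A1", "category": "recon",   "src": "10.0.0.5",     "dst": "192.168.1.10", "start": "03/14-10:02:00", "end": "03/14-10:03:00"},
    {"id": "A2", "category": "web",     "src": "10.0.0.9",     "dst": "192.168.1.20", "start": "03/14-10:07:00", "end": "03/14-10:08:00"},
    {"id": "A3", "category": "web",     "src": "10.0.0.9",     "dst": "192.168.1.20", "start": "03/14-10:30:00", "end": "03/14-10:31:00"},
    {"id": "A4", "category": "lateral", "src": "192.168.1.20", "dst": "192.168.1.30", "start": "03/14-11:00:00", "end": "03/14-11:05:00"},
]

# alert_fast lines carry no year, so timestamps are compared within one year.
TS_FMT = "%m/%d-%H:%M:%S"

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)


class Alert(NamedTuple):
    ts: datetime
    sid: int
    msg: str
    src: str
    dst: str


def parse_alerts(text: str) -> List[Alert]:
    """Parse alert_fast lines; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(datetime.strptime(m["ts"], TS_FMT), int(m["sid"]),
                            m["msg"], m["src"], m["dst"]))
    return alerts


def attribute_alerts(alerts: List[Alert], truth: List[dict]) -> Dict[str, List[Alert]]:
    """Map each ground-truth attack id to the alerts that fall inside its window."""
    matched: Dict[str, List[Alert]] = {atk["id"]: [] for atk in truth}
    for atk in truth:
        start = datetime.strptime(atk["start"], TS_FMT)
        end = datetime.strptime(atk["end"], TS_FMT)
        for a in alerts:
            if a.src == atk["src"] and a.dst == atk["dst"] and start <= a.ts <= end:
                matched[atk["id"]].append(a)
    return matched


def false_negatives(alerts: List[Alert], truth: List[dict]) -> List[dict]:
    """Attacks in the ground truth for which the IDS raised no alert at all."""
    matched = attribute_alerts(alerts, truth)
    return [atk for atk in truth if not matched[atk["id"]]]


def miss_rate_by_category(alerts: List[Alert], truth: List[dict]) -> Dict[str, Tuple[int, int]]:
    """Per category: (missed attacks, total attacks). Missed ones are the input to root-cause work."""
    missed_ids = {atk["id"] for atk in false_negatives(alerts, truth)}
    summary: Dict[str, Tuple[int, int]] = {}
    for atk in truth:
        missed, total = summary.get(atk["category"], (0, 0))
        summary[atk["category"]] = (missed + (atk["id"] in missed_ids), total + 1)
    return summary


if __name__ == "__main__":
    alerts = parse_alerts(SNORT_ALERTS)
    for atk in false_negatives(alerts, GROUND_TRUTH):
        print(f"false-negative {atk['id']} ({atk['category']}): {atk['src']} -> {atk['dst']} "
              f"{atk['start']}..{atk['end']}, no alert")
    for cat, (missed, total) in miss_rate_by_category(alerts, GROUND_TRUTH).items():
        print(f"{cat}: {missed}/{total} missed")
```

With the constructed input, A3 and A4 come out as false-negatives. That list is where the root-cause questions begin: for each missed attack one would check whether a rule for the attack existed and was enabled, whether the traffic reached the sensor, and whether the payload was altered enough to escape the rule's content matches; none of those answers is in the data above, which is why the analysis the paper proposes is needed.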