A Normal Profile Updating Method for False Positives Reduction in Anomaly Detection Systems

Walid Mohamed Alsharafi and Mohd Nizam Omar
InterNetworks Research Laboratory, School of Computing, College of Arts and Sciences, 06010 UUM Sintok, Universiti Utara Malaysia, Malaysia
sharafi12@yahoo.com, niezam@uum.edu.my

ABSTRACT

The contribution of this paper is to investigate whether the normal and abnormal data identified by any anomaly detector can be processed further with the intent of reducing false positive alerts. To this end, we use an existing anomaly detector model called the Protocol based Packet Header Anomaly Detector (PbPHAD). This model has been demonstrated to be a very promising model for anomaly based Intrusion Detection Systems (IDSs). However, the percentage of false positives among the packets detected as anomalous by the PbPHAD model alone is quite high. Thus, the purpose of this paper is to investigate a proposed method of normal profile updating in anomaly detection systems with the intent of reducing false positive alerts. The proposed method was applied and tested using the PbPHAD model. The evaluation data set was downloaded from MIT Lincoln Laboratory. The experimental results on one selected host show that the proposed method has a good ability to overcome the shortcoming of the PbPHAD model, namely its high false positive rate for the detected anomalous packets.

KEYWORDS

Normal Profile, False Positive, Anomaly, Intrusion Detection System, Dataset

1 INTRODUCTION

A high rate of false positive alerts has been considered one of the main disadvantages of anomaly detection since the advent of IDS technologies. At present, various intrusion detection systems are available, using different methodologies, but the main problem with them is false positives [1]. Much work has therefore been done to reduce these false positives and increase the accuracy of an IDS.

Thus, in this paper, we exploit an existing IDS model, the PbPHAD model proposed in [2], to investigate the extent to which our proposed method of normal profile updating can reduce false positives in anomaly detection systems. In this work, we first redevelop the PbPHAD model and apply it to one selected host from the MIT Lincoln Lab 1999 off-line intrusion detection evaluation dataset [3], to obtain the false positive packets among the detected anomalous packets. We then reapply the PbPHAD model to the same selected host, this time using the proposed method of normal profile updating. Finally, we compare the results of applying the PbPHAD model before and after using the proposed method to evaluate the efficiency of our method in reducing false positives.

The paper is organized as follows. Section 2 overviews the related works. Section 3 provides an overview of the PbPHAD model and the dataset used in the simulation, and describes the implementation of the PbPHAD model on the selected host. The proposed normal profile updating method for reducing false positives is introduced in Section 4. We describe the simulation framework in Section 5. Section 6 compares and discusses the results of the experiments. Section 7 offers conclusions.

2 RELATED WORKS

The PbPHAD model, proposed in [2], has been demonstrated to be a very promising model for an anomaly based IDS; however, the percentage of false positives among the packets detected as anomalous by the PbPHAD model alone is quite high [2]. The idea of PbPHAD IDS model

ISBN: 978-0-9891305-2-3 ©2013 SDIWC 182