Using Neuro-Fuzzy Techniques to Reduce False Alerts in IDS

Pravesh Gaonjur, N.Z. Tarapore, and S.G. Pukale

Pravesh Gaonjur is a Research Scholar from Mauritius; he is currently researching IDS at the Department of Computer Engineering, Vishwakarma Institute of Technology, Pune, email: p.gaonjur@gmail.com. N.Z. Tarapore and S.G. Pukale are Assistant Professors at the Department of Computer Engineering, Vishwakarma Institute of Technology, Pune, email: noshir.tarapore@vit.edu, shraddhanand.pukale@vit.edu.

Abstract—The security problems of network systems stem from the design of network architectures, which is typically based on open standards. Monitoring tools based on pattern recognition or behavioral analysis are typically used to ensure network security. SNORT is one such tool, based on pattern recognition. SNORT alerts system administrators whenever it receives packets that match predetermined signatures contained in the SNORT ruleset, thereby protecting network systems. Unfortunately, due to the nature of this design, SNORT operates at the packet level and therefore has no concept of the specific properties of the network it is trying to protect. This paper provides an analysis of NEFCLASS and JRip which, taking SNORT alerts as input and learning from training data, attempt to reduce the false positive and false negative alerts sent to the system administrator. The major drawback of SNORT is the number of false alerts generated by the SNORT engine, which must then be analyzed and classified by system administrators. This paper demonstrates that Neuro-Fuzzy classifiers can be used to lessen this burden and considerably reduce the workload of classifying alerts by hand.

Keywords—IDS, Security, Networks, False Alerts, Neuro-Fuzzy, JRip.

I. INTRODUCTION

The IDS looked at most closely in this paper, SNORT, is a rules-based network intrusion detection system (NIDS). Martin Roesch, in his paper entitled “SNORT - Lightweight Intrusion Detection for Networks,” says “SNORT fills an important ecological niche in the realm of network security: a cross-platform, lightweight network intrusion detection tool that can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks”.

The SANS Institute also reported that SNORT is becoming the standard among intrusion detection experts because it is open-source, frequently updated, and free of charge [17].

A. False Alerts Problem in SNORT

One of the main problems in existing security sensors is their tendency to produce high rates of false positive logs and alerts. Often, a false alert is generated when in fact the event that triggered the alarm can be considered harmless. This condition is aggravated when the attacker has some prior knowledge of the techniques employed by the security sensor and purposely crafts network data to trigger these false alerts. This not only allows an attacker to control the security sensors, but also overwhelms the ability of the security sensor to function properly, because of the large amount of traffic that matches its rules or other alert-triggering mechanisms, and hence wastes processing resources.

Although an excellent tool, SNORT has three major drawbacks:
• Packet Dropping
• False Positive Alerts
• False Negative Alerts

SNORT may not pick up all packets due to speed issues with a network. Other factors which can affect SNORT in this way are the speed of the promiscuous interface and the stack implementation of the operating system. It is important to note that SNORT can be overrun by packet flooding, which then makes the detection of intrusions more difficult.

False positives occur when SNORT sends alerts when it shouldn't, in other words a false alarm. This can happen for various reasons. Some of these include:
• Placement of SNORT outside of the security perimeter: In this case SNORT receives DNS scans, web proxy scans and other benign informational network traffic that would overload the system administrator.
• Site policy allowing activity that causes IDS alarms: For instance, using the default settings for SNORT, which would increase the data inflow to an unmanageable level.
• Lack of site awareness in the IDS: Not being aware of the services running on hosts; for example, alerts for IIS (Internet Information Services) attacks against Apache web servers could lead to false alarms.

False negatives occur when an attack does not match any signature in the ‘known attack’ database. This can happen because of poor rule design, encrypted or otherwise cleverly disguised traffic [2], or simply because the attack is new and has never been signature matched.

B. Proposed Solution

The proposed framework is based on Artificial Intelligence techniques, which are expected to improve the percentage reduction of false positive alerts. The framework should also be able to address the main problem in the Neuro-Fuzzy technique, which could not reduce the number of
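As an added illustration of the "lack of site awareness" cause listed in section I.A (example code written here, not the paper's NEFCLASS/JRip system), the following Python triage step parses Snort fast-format alert lines and marks an alert as a likely false positive when the signature targets a service that the destination host does not run. The host inventory, the signature-keyword table and the alert lines are constructed for this example.

```python
import re

# Snort "fast" alert format: timestamp [**] [gid:sid:rev] msg [**] [...] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):?(?P<sport>\d*)\s+->\s+(?P<dst>[\d.]+):?(?P<dport>\d*)$"
)

# Constructed site inventory: the services each protected host actually runs.
SITE_SERVICES = {
    "10.0.0.5": {"apache"},   # Linux web server
    "10.0.0.6": {"iis"},      # Windows web server
    "10.0.0.9": {"bind"},     # DNS server
}

# Constructed mapping from a keyword in the signature message to the service it targets.
SIG_TARGET = {"IIS": "iis", "Apache": "apache", "BIND": "bind", "DNS": "bind"}

def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(line):
    """Site-awareness check for one alert: returns (label, reason) or None if unparsable."""
    a = parse_fast_alert(line)
    if a is None:
        return None
    services = SITE_SERVICES.get(a["dst"])
    if services is None:
        return ("investigate", "destination host not in inventory")
    for keyword, service in SIG_TARGET.items():
        # Signature aimed at a service this host does not run: the classic IIS-on-Apache case.
        if keyword in a["msg"] and service not in services:
            return ("likely-false-positive",
                    f"signature targets {service}; host runs {sorted(services)}")
    return ("investigate", "signature matches a service the host runs")

# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = [
    "03/12-10:01:22.123456 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:44321 -> 10.0.0.5:80",
    "03/12-10:01:25.654321 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:44322 -> 10.0.0.6:80",
    "03/12-10:02:01.000001 [**] [1:1000002:1] DNS zone transfer attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.8:53123 -> 10.0.0.9:53",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        label, reason = triage(line)
        print(parse_fast_alert(line)["dst"], label, reason)
```

The same IIS signature fires twice here; only the hit against the Apache host is marked as a likely false positive, which is the kind of site knowledge a packet-level sensor lacks on its own.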