Should I Raise The Red Flag? A comprehensive survey of anomaly scoring methods toward mitigating false alarms
Zahra Zohrevand, Uwe Glässer

TL;DR
This paper surveys various anomaly scoring methods and false alarm mitigation strategies in intrusion detection systems, emphasizing their importance in reducing false positives and improving system reliability.
Contribution
It provides a comprehensive review and comparison of existing false alarm mitigation techniques in anomaly detection systems and explores promising future research directions.
Findings
Comparison of different false alarm mitigation methods
Identification of effective anomaly scoring enhancements
Highlighting promising techniques in related security tools
Abstract
Nowadays, advanced intrusion detection systems (IDSs) rely on a combination of anomaly detection and signature-based methods. An IDS gathers observations, analyzes behavioral patterns, and reports suspicious events for further investigation. A notorious issue anomaly detection systems (ADSs) and IDSs face is the possibility of high false alarms, which even state-of-the-art systems have not overcome. This is especially a problem with large and complex systems. The number of non-critical alarms can easily overwhelm administrators and increase the likelihood of ignoring future alerts. Mitigation strategies thus aim to avoid raising "too many" false alarms without missing potentially dangerous situations. There are two major categories of false alarm-mitigation strategies: (1) methods that are customized to enhance the quality of anomaly scoring; (2) approaches acting as filtering methods…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
