Analyzing Root Causes of Intrusion Detection False-Negatives: Methodology and Case Study
Eric Ficke, Kristin M. Schweitzer, Raymond M. Bateman, Shouhuai Xu

TL;DR
This paper introduces a methodology to analyze why intrusion detection systems fail to detect certain attacks, using a case study on Snort with real-world data to gain insights for improving future IDS design.
Contribution
It presents a novel methodology for root cause analysis of IDS false-negatives and applies it to a real-world case study, providing foundational insights for next-generation IDS development.
Findings
Identified common root causes of false-negatives in IDS
Provided insights to guide the design of more effective IDS
Demonstrated the methodology on real-world attack data
Abstract
Intrusion Detection Systems (IDSs) are a necessary cyber defense mechanism. Unfortunately, their capability has fallen behind that of attackers. This motivates us to improve our understanding of the root causes of their false-negatives. In this paper, we take a first step towards the ultimate goal of drawing useful insights and principles that can guide the design of next-generation IDSs. Specifically, we propose a methodology for analyzing the root causes of IDS false-negatives and conduct a case study based on Snort and a real-world dataset of cyber attacks. The case study allows us to draw useful insights.
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Spam and Phishing Detection
