Intrusion detection systems monitor network traffic or host activity in an attempt to detect malicious activity on a system. Anomaly detection systems have had success in exposing new attacks, commonly referred to as zero-day attacks, yet they have high false positive rates. A false positive occurs when an activity is flagged for investigation but is determined to be benign upon analysis. Computational power and analyst time are wasted when irrelevant data is processed, flagged, escalated to an analyst, and finally disregarded. To make intrusion detection systems more efficient, the false positive rate must be reduced. This paper proposes a model for reducing false positives using data mining techniques, combining support vector machines (SVM), decision trees, and Naïve Bayes.
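The combination the abstract describes, as an added example that is not the paper's own code or data: three small classifiers are trained on flagged alerts and their votes are combined, and the false positive rate (FP / (FP + TN)) is reported per model so the effect of the combination is visible. Everything below is assumed for illustration: majority voting as the combination rule (the abstract does not say how the three models are combined), a one-level decision tree (stump) in place of a full tree, a perceptron standing in for the SVM so the script needs no ML library, and constructed training and held-out alerts over four binary features.

```python
"""Majority-vote ensemble over constructed IDS alert features, with per-model
false positive rate. Added example; not the paper's code or data. The SVM of
the paper is stood in for by a perceptron (assumption)."""
import math

FEATURES = ("failed_auth_burst", "rare_dst_port", "large_outbound", "off_hours")

# Constructed training alerts: (feature vector, label); 1 = malicious, 0 = benign.
TRAIN = [
    ([1, 1, 1, 0], 1), ([1, 1, 0, 1], 1), ([1, 0, 1, 1], 1),
    ([0, 1, 1, 1], 1), ([1, 1, 1, 1], 1), ([1, 1, 0, 0], 1),
    ([0, 0, 0, 0], 0), ([0, 0, 0, 1], 0), ([0, 0, 1, 0], 0), ([0, 0, 1, 1], 0),
    ([0, 1, 0, 0], 0), ([1, 0, 0, 0], 0), ([0, 0, 0, 1], 0), ([0, 0, 1, 1], 0),
]
# Constructed held-out alerts the anomaly stage flagged; most are benign,
# which is the situation the paper is addressing.
TEST = [
    ([0, 0, 0, 0], 0), ([0, 0, 0, 1], 0), ([1, 0, 0, 0], 0), ([0, 0, 1, 1], 0),
    ([0, 1, 0, 0], 0), ([1, 0, 0, 1], 0), ([0, 1, 1, 0], 0),
    ([1, 1, 1, 0], 1), ([1, 0, 1, 1], 1), ([0, 1, 1, 1], 1), ([1, 1, 0, 1], 1),
]


def train_stump(data):
    """One-level decision tree: predict malicious iff one chosen feature is set.
    The feature with the fewest training errors wins (first one on ties)."""
    best_f, best_err = 0, len(data) + 1
    for f in range(len(FEATURES)):
        err = sum(1 for x, y in data if x[f] != y)
        if err < best_err:
            best_f, best_err = f, err
    return lambda x: x[best_f]


def train_naive_bayes(data, alpha=1.0):
    """Bernoulli Naive Bayes with Laplace smoothing; compares log-posteriors."""
    n = len(FEATURES)
    counts, totals = {0: [0] * n, 1: [0] * n}, {0: 0, 1: 0}
    for x, y in data:
        totals[y] += 1
        for f in range(n):
            counts[y][f] += x[f]
    theta = {c: [(counts[c][f] + alpha) / (totals[c] + 2 * alpha) for f in range(n)]
             for c in (0, 1)}
    prior = {c: math.log(totals[c] / len(data)) for c in (0, 1)}

    def predict(x):
        score = {c: prior[c] + sum(math.log(theta[c][f] if x[f] else 1 - theta[c][f])
                                   for f in range(n)) for c in (0, 1)}
        return 1 if score[1] > score[0] else 0
    return predict


def train_perceptron(data, max_epochs=50):
    """Linear classifier trained with the perceptron rule (stand-in for the SVM)."""
    w, b = [0] * len(FEATURES), 0
    for _ in range(max_epochs):
        updated = False
        for x, y in data:
            yhat = 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0
            if yhat != y:
                w = [wi + (y - yhat) * xi for wi, xi in zip(w, x)]
                b += y - yhat
                updated = True
        if not updated:  # converged: every training alert is classified correctly
            break
    return lambda x: 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def majority_vote(models):
    """Flag an alert only when more than half of the base models flag it."""
    return lambda x: 1 if 2 * sum(m(x) for m in models) > len(models) else 0


def confusion(model, data):
    """Returns (tp, fp, tn, fn) for a model over labelled alerts."""
    tp = fp = tn = fn = 0
    for x, y in data:
        p = model(x)
        if p and y:
            tp += 1
        elif p and not y:
            fp += 1
        elif not p and not y:
            tn += 1
        else:
            fn += 1
    return tp, fp, tn, fn


def evaluate(train=TRAIN, test=TEST):
    """Trains the base learners and the vote; returns per-model FPR and counts."""
    stump, nb, perc = train_stump(train), train_naive_bayes(train), train_perceptron(train)
    vote = majority_vote([stump, nb, perc])
    out = {}
    for name, m in (("decision_stump", stump), ("naive_bayes", nb),
                    ("perceptron", perc), ("majority_vote", vote)):
        tp, fp, tn, fn = confusion(m, test)
        out[name] = {"fpr": fp / (fp + tn), "fp": fp, "tp": tp, "fn": fn}
    return out


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:15s} FPR={r['fpr']:.2f} FP={r['fp']} TP={r['tp']} FN={r['fn']}")
```

On the constructed data the stump flags two benign alerts (a lone failed-login burst) and the Naive Bayes model flags one (a large transfer to a rare port); the vote discards all three because the other two models disagree, without losing any true positive. That is the mechanism the paper relies on: base learners with different inductive biases rarely make the same false positive.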
This paper is by Kathleen Goeschel.