IIIT Hyderabad Publications
Enhancing False Positive Detection in IDS/IPS Using Honeypots: A Case Study with CSE-CIC-2018 Dataset

Author: CHOWDURU RAMACHANDRA SHARMA 201302177
Date: 2024-05-09
Report no: IIIT/TH/2024/58
Advisor: Shatrunjay Rawat

Abstract

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) protect computer networks against unauthorised access and malicious traffic. False positives, where legitimate network traffic is incorrectly flagged as malicious, compromise the efficiency of these systems. False positives waste valuable analyst resources and reduce the overall reliability of IDS/IPS alerts, leading to potential security risks. Our work aims to address the issue of false positive detection in IDS/IPS by utilising the capabilities of honeypots. Honeypots are deceptive systems designed to mimic legitimate services and attract potential attackers, providing a controlled environment in which to analyse their behaviour without posing any risk to the network infrastructure. This thesis explores the evolution of honeypots, from their beginnings as passive research tools to their modern applications as refined deception mechanisms. The diverse types of honeypots are examined, indicating their potential to lure attackers and provide valuable insights into malicious activities without risking network assets. Next, the research presents an in-depth survey of existing false positive mitigation techniques in IDS/IPS, analysing their strengths and limitations. Various honeypots are then studied to identify their potential to effectively capture and differentiate legitimate and malicious traffic. The thesis proposes a hybrid approach that integrates the information gathered from honeypots with the output of the IDS/IPS, enabling more intelligent and precise decision-making for false positive detection. A comprehensive experimental setup is designed, simulating real-world network scenarios to evaluate the effectiveness of the proposed solution.

The CSE-CIC-2018 dataset, a widely used and realistic cybersecurity dataset, is employed for experimentation to assess the effectiveness of our approach. Quantitative metrics such as true positive rate, false positive rate, and accuracy are measured to gauge the improvement achieved by the hybrid system. The results show that incorporating honeypots into the IDS/IPS framework significantly reduces false positives. Furthermore, the study reveals insights into attackers' behaviour, aiding the development of more robust security policies and threat intelligence. In conclusion, this thesis presents a novel approach using honeypots to mitigate false positive detections in IDS/IPS. The integration of honeypots enables the network to make informed decisions, improving the overall efficiency and reliability of intrusion detection and prevention systems. By reducing false positives, networks can allocate resources more effectively and respond to genuine security threats.

Full thesis: pdf

Centre for Security, Theory and Algorithms