Extracting ambiguous sessions from real traffic with intrusion prevention systems

False Positives (FP) and False Negatives (FN) are com-mon in every Intrusion Prevention System (IPS). None of the systems could judge better than others all the time. This work proposes a system of Ambiguous Session Extraction (ASE) to create a pool of ambiguous traffic traces. Traffic traces or sessions are called "ambiguous", meaning they cause potential FNs (abbreviated as P-FNs) and potential FPs (abbreviated as P-FPs) to IPSes. IPS developers can use these ambiguous traffic traces to im-prove the accuracy of their products. The key objective here is to design the ASE system to extract the traces as complete and pure as possible, which gives IPS develop-ers resources for further analysis. First, the ASE captures real traffic and replays captured traffic traces to multiple IPSes. By comparing the logs of IPSes, we might find that some sessions are logged or not logged only at a cer-tain IPS. The former is P-FPs, while the latter is P-FNs to that IPS. The ASE then starts to extract ambiguous traffic from replayed traffic traces. IPS developers can fur-ther analyse the extracted traffic traces and confirm that some are FNs or FPs. To completely and purely extract an ambiguous session, the ASE uses an association mech-anism based on anchor packets, five tuples and time, and similarity for the first packet, first connection, and whole session, respectively. It calculates the degree of similarity among packets to extract an ambiguous session contain-ing multiple connections. We define variation and com-pleteness/purity as the indexes to evaluate the ASE. The experiments demonstrate that 95% of extracted sessions have low variation, and the average completeness/purity is around 80%. We also present two case studies, one is a P-FN and the other is a P-FP, found by the ASE and confirmed by the IPS developers to be an FN and an FP, respectively.