
Keyword Search Result

[Keyword] false negative(2hit)

  • A Sequential Classifiers Combination Method to Reduce False Negative for Intrusion Detection System

    Sornxayya PHETLASY  Satoshi OHZAHATA  Celimuge WU  Toshihito KATO  

     
    PAPER

    Publicized: 2019/02/27
    Vol: E102-D No:5
    Page(s): 888-897

    An intrusion detection system (IDS) is a device or software that monitors a network system for malicious activity. In terms of detection results, there can be two types of false result, namely, the false positive (FP), which incorrectly detects normal traffic as abnormal, and the false negative (FN), which incorrectly judges malicious traffic as normal. To protect the network system, we expect that FN should be kept as low as possible. However, since there is a trade-off between FP and FN when an IDS detects malicious traffic, it is difficult to reduce both metrics simultaneously. In this paper, we propose a sequential classifiers combination method to reduce the effect of the trade-off. A single classifier suffers a high FN rate in general; therefore, additional classifiers are sequentially combined in order to detect more positives (reduce more FN). Since each classifier can reduce FN and does not generate much FP in our approach, we can achieve a reduction of FN at the final output. In evaluations, we use the NSL-KDD dataset, which is an updated version of the KDD Cup'99 dataset. WEKA is utilized as a classification tool in the experiments, and the results show that the proposed approach can reduce FN while improving the sensitivity and accuracy.

  • An RTSD System against Various Attacks for Low False Positive Rate Based on Patterns of Attacker's Behaviors

    Joong-seok SONG  Yong-jin KWON  

     
    PAPER-Application Information Security

    Vol: E89-D No:10
    Page(s): 2637-2643

    There is a certain level of system performance that intrusion detection systems on the Internet need to meet. One requirement is to lower the rate of "False Positive" and "False Negative." Another is to have a convenient user interface so that users can manage system security easily with the detection systems. However, scan detection systems in the public domain show a high rate of false detection and have difficulty in detecting various scanning techniques. In addition, since current scan detection systems are based on a command interface, their user interfaces are poor, and it is therefore difficult to apply them to system security management. Hence, we first propose a set of new filter rules, which detect various scan attacks based on port scanning techniques. Secondly, a set of ABP-Rules derived from attackers' behavioral patterns is proposed in order to minimize the False Positive rate. With these methods, we implement a new real-time scan detection system, overcoming the limitations of current real-time scan detection systems. The implemented system also contains a GUI, developed with Tcl/Tk, for the user's convenience in managing network security.