Keynote talk: Martin Rehak, Cisco

Categorisation of False Positives: Not All Network Anomalies are Born Equal

Abstract. Anomaly detection algorithms used to identify network attacks frequently produce misclassifications. Among these misclassifications, the false positives, i.e., false alarms that occur when the system misclassifies a legitimate behaviour as an anomaly, are the most important ones. We will break down the false positives produced by anomaly detection systems into categories. For each category, we will analyse its origin, its impact on the user, its impact on the security properties of the system, and possible mitigation techniques. We will also argue for further research in the areas where the impact on system usability is high, but the current techniques don’t allow us to make a reliable decision.

Bio. Martin is a Principal Engineer with the Cisco Systems security group. He has been working in the areas of machine learning, anomaly detection and network security. In the past, he was Founder & CEO of Cognitive Security, acquired by Cisco in 2013. The VC-funded spin-off company was created to develop a commercial technology based on the research performed by Martin and his team at Czech Technical University. Martin holds an engineering degree from Ecole Centrale Paris and a Ph.D. in AI from CTU in Prague.