
Comment Re:False positives (Score 1) 82

Hello, I am Anh Le, the second author of the work.
I responded to the concern about false positives in one of the replies above. In brief, investigating the false positives is not the main focus of our work, and it is an area of active research in the intrusion detection system community.
Link to our paper: http://arxiv.org/abs/0908.2007

Comment Re:Minority Report (Score 1) 82

Hello, I am Anh Le, the second author of the work.

First, investigating the false positives is not the main focus of our work. We did our analysis on the log entries generated by the intrusion detection systems (IDS) deployed at various sites. Granted that there are false positives in the dataset, these false positives, however, are from the IDSs because of, for example, bad signatures and configuration errors. This is itself an area of active research.

Furthermore, the entries included in the blacklist appeared at least one time in the past. In other words, they are flagged as attackers at least once. Hence, they are not really innocent although, again, it's very possible that some of them are false positives.

Link to our paper: http://arxiv.org/abs/0908.2007

Comment Re:The Article is obviously a fake (Score 1) 82

Hello, I am Anh Le, the second author of the work. We analyzed the corpus of security logs that were collected by Dshield.org: "Dshield is a repository of firewall and intrusion detection logs collected at hundreds of different networks all over Internet. The participating networks contribute their logs, which are then converted into a common format that includes the following fields: time stamp, contributor ID, source IP address, destination IP address, source port number, destination port number, and protocol number." For more details, please take a look at our paper: http://arxiv.org/abs/0908.2007
