24-07-2012, 03:22 PM
Online Intrusion Alert Aggregation with Generative Data Stream Modeling
Attachment: Online Intrusion Alert Aggregation.pdf (2.58 MB)
INTRODUCTION
Intrusion detection systems (IDS) are, besides other
protective measures such as virtual private networks,
authentication mechanisms, or encryption techniques, very
important for guaranteeing information security. They help to
defend against the various threats to which networks and
hosts are exposed by detecting the actions of attackers or
attack tools in a network- or host-based manner with misuse
or anomaly detection techniques [1].
At present, most IDS are quite reliable in detecting
suspicious actions by evaluating TCP/IP connections or log
files, for instance. Once an IDS finds a suspicious action, it
immediately creates an alert which contains information
about the source, target, and estimated type of the attack
(e.g., SQL injection, buffer overflow, or denial of service).
RELATED WORK
Most existing IDS are optimized to detect attacks with high
accuracy. However, they still have various disadvantages
that have been outlined in a number of publications and a lot
of work has been done to analyze IDS in order to direct
future research (cf. [5], for instance). Among other things, one
drawback is the large number of alerts produced. Recent
research focuses on the correlation of alerts from (possibly
multiple) IDS. If not stated otherwise, all approaches
outlined in the following present either online algorithms
or—as we see it—can easily be extended to an online version.
A NOVEL ONLINE ALERT AGGREGATION TECHNIQUE
In this section, we describe our new alert aggregation
approach which is—at each point in time—based on a
probabilistic model of the current situation. To outline the
preconditions and objectives of alert aggregation, we start
with a short sketch of our intrusion framework. Then, we
briefly describe the generation of alerts and the alert format.
We continue with a new clustering algorithm for offline
alert aggregation which is basically a parameter estimation
technique for the probabilistic model. After that, we extend
this offline method to an algorithm for data stream clustering
which can be applied to online alert aggregation. Finally, we
make some remarks on the generation of meta-alerts.
Alert Generation and Format
In this section, we make some comments on the information
contained in alerts, the objects that must be aggregated, and
on their format. As the concrete content and format depend
on a specific task and on certain realizations of the sensors
and detectors, some more details will be given in Section 4
together with the experimental conditions.
At the sensor layer, sensors determine the values of
attributes that are used as input for the detectors as well as
for the alert clustering module. Attributes in an event that
are independent of a particular attack instance can be used
for classification at the detection layer.
Offline Alert Aggregation
In this section, we introduce an offline algorithm for alert
aggregation which will be extended to a data stream
algorithm for online aggregation in Section 3.4.
Assume that a host with an ID agent is exposed to a
certain intrusion situation as sketched in Fig. 2: One or
several attackers launch several attack instances belonging
to various attack types. The attack instances each cause a
number of alerts with various attribute values. Only two of
the attributes are shown and the correspondence of alerts
and (true or estimated) attack instances is indicated by
different symbols.
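To make the two steps sketched above concrete, here is an added example (not the paper's code, and not the authors' actual model): alerts carry the attributes named in the introduction (source, target, estimated attack type, plus a target port), each estimated attack instance is modelled as a product of independent smoothed categorical distributions over those attributes, the online variant assigns every incoming alert in a single pass (opening a new instance when an empty, uniform cluster explains the alert better than any existing one), and the offline variant re-estimates the cluster parameters over the whole batch until the assignment stops changing. The model choice, the smoothing constant, the new-cluster rule and the sample alerts are all assumptions of this example.

```python
"""Alert aggregation into meta-alerts with a simple generative model.

Added example, not the paper's own code. Assumed model (not taken from the
paper): each cluster (estimated attack instance) is a product of independent
Laplace-smoothed categorical distributions over the alert attributes. An alert
joins the most likely existing cluster unless an empty (uniform) cluster
explains it better, in which case a new cluster is opened.
"""
import math
from collections import Counter

ATTRS = ("src", "dst", "dport", "atype")
ALPHA = 1.0  # Laplace pseudo-count (assumed value)

# Constructed sample alerts, not from the paper: three SQL-injection alerts
# against one web host, two SSH brute-force alerts, and one more SQL-injection
# alert from the same attacker against the same host on a different port.
SAMPLE_ALERTS = [
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 80, "atype": "sql_injection"},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 80, "atype": "sql_injection"},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 80, "atype": "sql_injection"},
    {"src": "10.0.0.9", "dst": "192.168.1.20", "dport": 22, "atype": "ssh_bruteforce"},
    {"src": "10.0.0.9", "dst": "192.168.1.20", "dport": 22, "atype": "ssh_bruteforce"},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 443, "atype": "sql_injection"},
]


class Cluster:
    """One estimated attack instance: per-attribute value counts plus members."""

    def __init__(self):
        self.n = 0
        self.counts = {a: Counter() for a in ATTRS}
        self.members = []

    def add(self, idx, alert):
        self.n += 1
        self.members.append(idx)
        for a in ATTRS:
            self.counts[a][alert[a]] += 1

    def log_likelihood(self, alert, vocab):
        """log P(alert | cluster) under smoothed independent categoricals."""
        ll = 0.0
        for a in ATTRS:
            v = len(vocab[a]) + 1  # one extra slot reserved for values not yet seen
            ll += math.log((self.counts[a][alert[a]] + ALPHA) / (self.n + ALPHA * v))
        return ll


def _best_cluster(clusters, alert, vocab):
    """Index and log-likelihood of the best cluster; index is None if an empty
    (uniform) cluster explains the alert better than every existing one."""
    best_i, best_ll = None, Cluster().log_likelihood(alert, vocab)
    for i, c in enumerate(clusters):
        ll = c.log_likelihood(alert, vocab)
        if ll > best_ll:
            best_i, best_ll = i, ll
    return best_i, best_ll


def _build_clusters(alerts, assignment):
    clusters = [Cluster() for _ in range(max(assignment) + 1)]
    for idx, (alert, ci) in enumerate(zip(alerts, assignment)):
        clusters[ci].add(idx, alert)
    return clusters


def aggregate_stream(alerts):
    """Online, single-pass aggregation: returns (cluster index per alert, clusters).
    The vocabulary grows as alerts arrive, so the model adapts on the fly."""
    vocab = {a: set() for a in ATTRS}
    clusters, assignment = [], []
    for idx, alert in enumerate(alerts):
        for a in ATTRS:
            vocab[a].add(alert[a])
        best_i, _ll = _best_cluster(clusters, alert, vocab)
        if best_i is None:
            clusters.append(Cluster())
            best_i = len(clusters) - 1
        clusters[best_i].add(idx, alert)
        assignment.append(best_i)
    return assignment, clusters


def aggregate_offline(alerts, max_iter=20):
    """Offline aggregation: seed with the stream pass, then re-estimate the cluster
    parameters from the whole batch (hard-assignment EM) until the assignment is stable."""
    if not alerts:
        return [], []
    assignment, _clusters = aggregate_stream(alerts)
    vocab = {a: {al[a] for al in alerts} for a in ATTRS}
    for _ in range(max_iter):
        clusters = _build_clusters(alerts, assignment)  # M-step
        new_assignment = []
        for idx, alert in enumerate(alerts):  # E-step
            best_i, _ll = _best_cluster(clusters, alert, vocab)
            new_assignment.append(assignment[idx] if best_i is None else best_i)
        if new_assignment == assignment:
            break
        assignment = new_assignment
    return assignment, _build_clusters(alerts, assignment)


def meta_alerts(alerts, assignment):
    """Summarise each cluster as one meta-alert: modal attribute values plus count."""
    groups = {}
    for alert, ci in zip(alerts, assignment):
        groups.setdefault(ci, []).append(alert)
    out = []
    for ci in sorted(groups):
        group = groups[ci]
        summary = {a: Counter(al[a] for al in group).most_common(1)[0][0] for a in ATTRS}
        summary["count"] = len(group)
        out.append(summary)
    return out


if __name__ == "__main__":
    assignment, _ = aggregate_offline(SAMPLE_ALERTS)
    for ma in meta_alerts(SAMPLE_ALERTS, assignment):
        print(ma)
```

On the constructed sample the stream pass and the offline re-estimation agree: the four SQL-injection alerts collapse into one meta-alert even though one of them targets a different port, and the two SSH alerts form a second one. In practice, the rule for opening a new cluster is the knob that trades missed attack instances against fragmented meta-alerts, and the constructed data deliberately includes the port mismatch to show that a single differing attribute does not split an instance under this model.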