14-09-2013, 12:55 PM
Online and Offline Intrusion Alert Aggregation
ABSTRACT
Online intrusion detection systems play an important role in protecting IT systems. Tools such as Snort and firewalls also detect intrusions. Such intrusion detection systems provide feedback in the form of alerts. However, the number of alerts is large, and security personnel are often confused by such voluminous messages, which makes it difficult for them to take decisions immediately. They need time to analyze the alerts and reach a conclusion about what actions to take. Estimating the security risk and resolving the security problem depend on a quick understanding of the alerts. The bulk of alerts produced by low-level intrusion detection systems makes it time consuming to arrive at decisions. To overcome this problem, the alerts provided by low-level detection systems can be aggregated programmatically, and the summarized alerts can be given to security personnel so as to enable them to draw conclusions quickly and take the required actions. We propose a new technique for online alert aggregation based on a dynamic, probabilistic model. The solution is based on a maximum likelihood approach in a data stream version. The empirical results revealed that the proposed solution is effective and useful.
INTRODUCTION
Information security is important in IT systems. With the emergence of innovative technologies in computing and ICT and the involvement of networks such as the Internet, security threats are increasing at a rapid pace. There are many techniques to prevent such attacks. They include authentication, authorization, cryptographic techniques such as encryption and decryption, the use of virtual private networks, and Intrusion Detection Systems (IDSs). Most IDSs are capable of detecting attacks made by adversaries and defending the security of IT systems. The detection system may be an independent system or a distributed, collaborative system. It may work in different kinds of networks, including Wireless Sensor Networks (WSNs). They are again of two types.
RELATED WORK
IDSs are widely used in IT systems and have been reviewed by many researchers. Most of them are very effective and work with the highest accuracy. In spite of this, current IDSs have many problems, and a lot of effort has been put into overcoming them in the past. Many researchers analyzed existing IDSs and stated various problems with them. One problem they identified is that an IDS produces a large number of security alerts, which makes it difficult for the security administrator to take decisions quickly because of the confusing and conflicting alerts within the flood. The researchers also provided directions for future work [5]. All IDSs have provision for producing security alerts as and when required. Many approaches came into existence to solve these problems. However, [6] came up with a comprehensive solution for alert correlation. One of the steps followed by [6] in correlation is to reconstruct the attack thread, which is also known as attack instance recognition. It does not use any clustering algorithm; simple sorting is used instead. The results of the sorting are presented in a temporal window, and they contain duplicate alerts as well. This duplicates problem is prevented in [7], which is otherwise mostly similar to [6] and thus provides a more concise way of presenting alerts. This kind of approach is also used in [8], where clustering is used for the same purpose. An alert clustering approach is used by [9] based on the similarity of attack occurrences. It considers a certain time window: any two instances of an attack are considered similar when both of them occur within that time window and their source and destination match exactly.
Offline Alert Aggregation
Envisage that various attacks are made on the TCP or UDP traffic and that the flood of generated alerts is labeled with false positives, false negatives, etc. This logged information can be analyzed and the alert aggregation can be done offline. However, the following are the problematic situations with respect to alert aggregation:
False alerts are not recognized and are wrongly assigned to clusters.
Genuine alerts are assigned to the wrong clusters.
Clusters are split wrongly.
Many clusters are wrongly merged into one.
The offline alert aggregation algorithm, known as expectation maximization, is presented in fig. 2.
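The similarity rule attributed to [9] above (same source and destination, occurrences within one time window) worked as a single-pass, online stream aggregator, together with the cluster-splitting problem listed above. This is an added example, not code from the paper or its Java simulator; the Alert fields, the 60-second window and the sample stream are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    ts: float      # seconds since stream start (assumed field layout)
    src: str
    dst: str
    atype: str     # attack class reported by the low-level IDS

@dataclass
class MetaAlert:
    src: str
    dst: str
    atype: str
    first_ts: float
    last_ts: float
    count: int = 1

def aggregate_stream(alerts, window):
    """One pass over a time-ordered alert stream.
    Alerts sharing (src, dst, atype) that arrive within `window` seconds of
    the cluster's most recent alert are merged into one meta-alert. A cluster
    is closed (emitted) once the stream has moved past its window."""
    open_clusters = {}   # (src, dst, atype) -> MetaAlert still accepting alerts
    emitted = []
    for a in alerts:
        # expire clusters that have been quiet for longer than the window
        for k in [k for k, m in open_clusters.items() if a.ts - m.last_ts > window]:
            emitted.append(open_clusters.pop(k))
        k = (a.src, a.dst, a.atype)
        m = open_clusters.get(k)
        if m is None:
            open_clusters[k] = MetaAlert(a.src, a.dst, a.atype, a.ts, a.ts)
        else:
            m.count += 1
            m.last_ts = a.ts
    emitted.extend(open_clusters.values())  # end of stream: flush what is still open
    return emitted

def build_sample_stream():
    """Constructed sample input: a port-scan burst, one overflow alert, then a
    late burst from the same scanner after a gap longer than the window."""
    stream = [Alert(i * 0.1, "10.0.0.5", "10.0.0.1", "port_scan") for i in range(50)]
    stream.append(Alert(3.0, "10.0.0.9", "10.0.0.1", "buffer_overflow"))
    stream.extend(Alert(200.0 + i, "10.0.0.5", "10.0.0.1", "port_scan") for i in range(3))
    return sorted(stream, key=lambda a: a.ts)   # the aggregator expects time order

if __name__ == "__main__":
    for m in aggregate_stream(build_sample_stream(), window=60.0):
        print(f"{m.count:3d} x {m.atype:16s} {m.src} -> {m.dst}  [{m.first_ts:.1f}s .. {m.last_ts:.1f}s]")
```

With a 60-second window the scanner's two bursts become two meta-alerts (the splitting problem); widening the window past the gap merges them, at the cost of merging unrelated activity from the same pair.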
IMPLEMENTATION AND RESULTS
We have implemented a custom simulator for online intrusion alert aggregation in the Java programming language. The software used for the implementation was Eclipse, JDK 1.6, and JME. The system was run on the Windows XP OS. The implementation has a GUI developed using the Swing API of Java. User interfaces were built for attack simulation, IDS simulation, and alert aggregation simulation. The UI screen for attack simulation is shown in fig. 5.
CONCLUSION
The proposed approach for intrusion detection and alert aggregation has been implemented using a custom simulator that shows the process of intrusion detection and also the aggregation of alerts into meaningful, summarized alerts that help in taking decisions quickly. The proposed prototype application supports the simulation of various kinds of attacks, such as port scanning, sniffing, buffer overflow, denial of service, resource exhaustion, password attacks, viruses, worms, and Trojan horses. The experimental results revealed that the simulated online intrusion detection alert aggregation is effective and useful when implemented in real-time applications. It can be further improved by considering more security attacks.