TRINETR: an intrusion detection alert management system

In response to the daunting threat of cyber attacks, computer and network forensics is a promising approach, and intrusion detection systems are an indispensable part of it. An intrusion detection system is deployed to monitor network and host activity, including data flows and information accesses. Current intrusion detection products, however, exhibit many flaws, including alert flooding, high false-positive rates and isolated alerts that are never related to one another. We describe an ongoing project to develop an intrusion alert management system, TRINETR. We present a collaborative architecture in which multiple intrusion detection systems work together to detect network intrusions in real time. The architecture is composed of three parts: alert aggregation, knowledge-based alert evaluation and alert correlation. It aims to reduce alert overload by aggregating alerts from multiple sensors into condensed views, to reduce false positives by integrating network and host system information into the alert evaluation process, and to correlate events on the basis of logical relations to generate a global, synthesized alert report. The first two parts of the architecture have been implemented, and the implementation results are presented.
