Alert Correlation Using a Novel Clustering Approach

Since the birth of Intrusion Detection System (IDS) technology, the most significant implementation problem has been the enormous number of alerts generated by IDS sensors. This volume gives rise to two further problems: the difficulty of processing the alerts accurately, and the degradation of processing performance in terms of time and memory. Based on these problems, the purpose of our overall research is to construct a holistic solution that reduces the number of alerts to be processed while, at the same time, producing high-quality attack scenarios that are meaningful to administrators in a timely manner. In this paper we present our proposed clustering method, designed solely to reduce the volume of alerts generated by the IDS. The clustering method was tested against live data from a cyber attack monitoring unit that uses the SNORT engine to capture alerts. The result obtained from the experiment is very promising: the clustering algorithm was able to reduce the alerts used in the experiment by about 86.9%. From this result we highlight the contribution to practitioners in an actual working environment.
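The abstract reports the outcome of alert clustering (an 86.9% reduction) without describing the algorithm, so the following is an added illustration of the general idea, not the paper's method: Snort "fast"-format alerts are grouped by signature, source, destination and destination port within a time window, and the reduction ratio is computed over the result. The sample alert lines are constructed for the example; the 60-second gap window, the grouping key and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample alerts in Snort "fast" output format (not real traffic).
SAMPLE_ALERTS = """\
01/12-14:23:01.000000  [**] [1:2003:8] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:22
01/12-14:23:02.000000  [**] [1:2003:8] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51235 -> 192.168.1.10:22
01/12-14:23:03.000000  [**] [1:2003:8] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51236 -> 192.168.1.10:22
01/12-14:23:04.000000  [**] [1:1000001:1] LOCAL HTTP probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:40000 -> 192.168.1.20:80
01/12-14:23:05.000000  [**] [1:1000001:1] LOCAL HTTP probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:40001 -> 192.168.1.20:80
01/12-14:25:30.000000  [**] [1:2003:8] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51300 -> 192.168.1.10:22
"""

# Snort fast format: "<mm/dd-HH:MM:SS.ffffff>  [**] [gid:sid:rev] <msg> [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass
class Alert:
    ts: datetime
    sig: str
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Cluster:
    key: tuple          # (sig, proto, src, dst, dport): the assumed grouping key
    msg: str
    first: datetime
    last: datetime
    count: int = 1
    sports: set = field(default_factory=set)   # distinct source ports folded in


def parse_alerts(text: str) -> list:
    """Parse fast-format lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        # The fast format carries no year; strptime defaults it to 1900,
        # which is sufficient for ordering alerts within one capture.
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
        alerts.append(Alert(ts, m["sig"], m["msg"], m["proto"], m["src"],
                            int(m["sport"]), m["dst"], int(m["dport"])))
    return alerts


def cluster_alerts(alerts: list, window_seconds: int = 60) -> list:
    """Fold alerts sharing a key into one cluster while the gap between
    consecutive alerts stays within window_seconds; a larger gap opens a
    new cluster for the same key. Clusters are returned in order of first
    appearance."""
    clusters: list = []
    open_by_key: dict = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.proto, a.src, a.dst, a.dport)
        c = open_by_key.get(key)
        if c is not None and (a.ts - c.last).total_seconds() <= window_seconds:
            c.count += 1
            c.last = a.ts
            c.sports.add(a.sport)
        else:
            c = Cluster(key, a.msg, a.ts, a.ts, 1, {a.sport})
            clusters.append(c)
            open_by_key[key] = c
    return clusters


def reduction_percent(n_alerts: int, n_clusters: int) -> float:
    """Share of raw alerts removed by clustering, as a percentage."""
    if n_alerts == 0:
        return 0.0
    return round(100.0 * (1 - n_clusters / n_alerts), 1)


def summarize(text: str, window_seconds: int = 60) -> dict:
    alerts = parse_alerts(text)
    clusters = cluster_alerts(alerts, window_seconds)
    return {"alerts": len(alerts), "clusters": len(clusters),
            "reduction_percent": reduction_percent(len(alerts), len(clusters))}


if __name__ == "__main__":
    for c in cluster_alerts(parse_alerts(SAMPLE_ALERTS)):
        print(f"{c.count:3d}x {c.key[0]} {c.msg} {c.key[2]} -> {c.key[3]}:{c.key[4]} "
              f"({c.first.time()} .. {c.last.time()})")
    print(summarize(SAMPLE_ALERTS))
```

On the six constructed alerts the three SSH-scan alerts within the window collapse to one cluster, the two HTTP probes to another, and the SSH alert that arrives more than 60 seconds later opens a third, so the analyst sees three aggregated records instead of six. The reduction figure is sensitive to the window and the grouping key, which is why an evaluation like the paper's should state both alongside the percentage.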
