An alert fusion model inspired by artificial immune system

In recent years, one of the most intensively studied topics in network security, and more specifically in intrusion detection systems, has been finding a way to reduce the overwhelming number of alerts generated by IDSs in a network. Inspired by the human immune system and danger theory, we propose a complementary subsystem for IDS that can be integrated into any existing IDS model to aggregate alerts, reducing their number and, subsequently, the false alarms among them. After evaluation on different datasets and attack scenarios, our model aggregated alerts at an average rate of 97.5 percent.
