Alert correlation framework using a novel clustering approach

Currently, the primary and pressing issue in IDS implementation is the enormous number of alerts generated by the IDS sensors. Moreover, due to this obtrusive predicament, two other problems have emerged, first is the difficulty in processing the alerts accurately and second is the reduction in performance rate in terms of time and memory capacity while processing these alerts. The purpose of this research is to construct a holistic solution that is able to firstly reduce the number of alerts to be processed and at the same time produce a high quality attack scenarios that are meaningful to the administrators in a timely manner. To achieve these goals, alerts generated by IDS sensors need to be correlated and organized in an appropriate approach. Thus the significant contribution of this research is to create an integrated operational framework for alert processing that reduces the amount of alerts to be processed and creates more meaningful attack scenarios to be analyzed. We are presenting the results obtained from the clustering algorithm and discuss its significant contribution to practitioners in an actual working environment.

[1]  Kristopher Kendall,et al.  A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems , 1999 .

[2]  Hervé Debar,et al.  A logic-based model to support alert correlation in intrusion detection , 2009, Inf. Fusion.

[3]  Klaus Julisch,et al.  Clustering intrusion detection alarms to support root cause analysis , 2003, TSEC.

[4]  Klaus Julisch,et al.  Mining alarm clusters to improve alarm handling efficiency , 2001, Seventeenth Annual Computer Security Applications Conference.

[5]  Lucas M. Venter,et al.  A comparison of Intrusion Detection systems , 2001, Comput. Secur..

[6]  Christian Lovis,et al.  Research Paper: Fast Exact String Pattern-matching Algorithms Adapted to the Characteristics of the Medical Language , 2000, J. Am. Medical Informatics Assoc..

[7]  M. Gordeev Intrusion Detection: Techniques and Approaches , 2003 .

[8]  Thomas L. Casavant,et al.  A Parallel Expressed Sequence Tag (EST) Clustering Program , 2001, PaCT.

[9]  Safaa O. Al-Mamory,et al.  A survey on IDS alerts processing techniques , 2007 .

[10]  Steven J. Templeton,et al.  A requires/provides model for computer attacks , 2001, NSPW '00.

[11]  Alfonso Valdes,et al.  An Approach to Sensor Correlation , 2000 .

[12]  Alfonso Valdes,et al.  A Mission-Impact-Based Approach to INFOSEC Alarm Correlation , 2002, RAID.

[13]  Stefanos Manganaris,et al.  A Data Mining Analysis of RTID Alarms , 2000, Recent Advances in Intrusion Detection.

[14]  Hervé Debar,et al.  Aggregation and Correlation of Intrusion-Detection Alerts , 2001, Recent Advances in Intrusion Detection.

[15]  Gongzhu Hu,et al.  Design and Performance Evaluation of a Machine Learning-Based Method for Intrusion Detection , 2010 .

[16]  Harold Joseph Highland,et al.  The 17th NSCS abstructArtificial Intelligence and Intrusion Detection: Current and Future Directions : Jeremy Frank, University of California, Davis, CA , 1995 .

[17]  Robert K. Cunningham,et al.  Fusing A Heterogeneous Alert Stream Into Scenarios , 2002, Applications of Data Mining in Computer Security.

[18]  Dorothy E. Denning,et al.  An Intrusion-Detection Model , 1987, IEEE Transactions on Software Engineering.

[19]  R Vignesh,et al.  A Cache Oblivious based GA Solution for Clustering Problem in IDS , 2010 .

[20]  Thomas L. Casavant,et al.  Alternative Parallelization Strategies in EST Clustering , 2003, PaCT.

[21]  Joseph B. Evans,et al.  Wireless networking security: open issues in trust, management, interoperation and measurement , 2006, Int. J. Secur. Networks.

[22]  Alfonso Valdes,et al.  Probabilistic Alert Correlation , 2001, Recent Advances in Intrusion Detection.

[23]  Norbik Bashah Idris,et al.  Improved Intrusion Detection System Using Fuzzy Logic for Detecting Anamoly and Misuse Type of Attacks , 2009, 2009 International Conference of Soft Computing and Pattern Recognition.

[24]  Hongli Zhang,et al.  Intrusion detection alarms reduction using root cause analysis and clustering , 2009, Comput. Commun..

[25]  Ali A. Ghorbani,et al.  Research on Intrusion Detection and Response: A Survey , 2005, Int. J. Netw. Secur..

[26]  Rui Xu,et al.  Survey of clustering algorithms , 2005, IEEE Transactions on Neural Networks.

[27]  Christopher Krügel,et al.  Comprehensive approach to intrusion detection alert correlation , 2004, IEEE Transactions on Dependable and Secure Computing.

[28]  Christopher Leckie,et al.  Decentralized multi-dimensional alert correlation for collaborative intrusion detection , 2009, J. Netw. Comput. Appl..

[29]  Annual Computer Security Applications Conference, ACSAC '13, New Orleans, LA, USA, December 9-13, 2013 , 2013, ACSAC.