Finding the Needle: Suppression of False Alarms in Large Intrusion Detection Data Sets

Managed security service providers (MSSPs) must manage and monitor thousands of intrusion detection sensors. The sensors often vary by manufacturer and software version, making the problem of creating generalized tools to separate true attacks from false positives particularly difficult. It is often useful from an operations perspective to know whether a particular sensor is acting out of character. We propose a solution to this problem using anomaly detection techniques over the set of alarms produced by the sensors. Similar to the manner in which an anomaly-based sensor detects deviations from normal user or system behavior, we establish the baseline behavior of a sensor and detect deviations from this baseline. We show that departures from this profile by a sensor have a high probability of being artifacts of genuine attacks. We evaluate a set of time-based Markovian heuristics against a simple compression algorithm and show that we are able to detect the existence of all attacks which were manually identified by security personnel, drastically reduce the number of false positives, and identify attacks which were overlooked during manual evaluation.
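As an added illustration of the sensor-profile idea described above (not the paper's own code; its time-based heuristics are not given on this page), a smoothed first-order Markov model of one sensor's alarm-signature sequence is trained on a quiet period, then later alarm windows are scored by their mean transition log-likelihood and flagged when they depart from that baseline. The signature names, window width, threshold and penalty are constructed assumptions.

```python
# Added example: first-order Markov baseline of a single sensor's alarm stream.
# Not the paper's implementation; signature IDs and parameters are constructed.
from collections import Counter, defaultdict
from math import log


def train_markov(alarms, smoothing=0.5):
    """Build smoothed transition log-probabilities from a baseline sequence of
    alarm signature IDs emitted by one sensor during a normal period."""
    states = sorted(set(alarms))
    counts = defaultdict(Counter)
    for prev, cur in zip(alarms, alarms[1:]):
        counts[prev][cur] += 1
    logp = {}
    for s in states:
        total = sum(counts[s].values()) + smoothing * len(states)
        logp[s] = {t: log((counts[s][t] + smoothing) / total) for t in states}
    return logp


def window_score(model, window, unseen_penalty=-10.0):
    """Mean per-transition log-likelihood of a window under the baseline.
    A transition involving a signature absent from baseline gets a fixed penalty."""
    scores = [model.get(prev, {}).get(cur, unseen_penalty)
              for prev, cur in zip(window, window[1:])]
    return sum(scores) / len(scores) if scores else 0.0


def flag_anomalies(model, alarms, width=4, threshold=-3.0):
    """Slide a window over a new alarm stream from the same sensor; return
    (start index, score) for windows whose likelihood falls below threshold."""
    flagged = []
    for i in range(len(alarms) - width + 1):
        s = window_score(model, alarms[i:i + width])
        if s < threshold:
            flagged.append((i, round(s, 3)))
    return flagged


# Constructed sample data: a repetitive "normal" stream, then the same stream
# with a burst of signatures this sensor never produced during the baseline.
BASELINE = ["ICMP_PING", "ICMP_PING", "HTTP_SCAN", "ICMP_PING", "HTTP_SCAN",
            "ICMP_PING", "ICMP_PING", "HTTP_SCAN"] * 20
NEW_STREAM = BASELINE[:12] + ["SQL_INJ", "SQL_INJ", "SHELLCODE", "SQL_INJ"] + BASELINE[:8]

if __name__ == "__main__":
    model = train_markov(BASELINE)
    print(flag_anomalies(model, NEW_STREAM))  # windows overlapping indices 12-15
```

Only windows that overlap the injected burst fall below the threshold; every window drawn purely from the sensor's usual alarm pattern scores well above it.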
