FuzMet: a fuzzy‐logic based alert prioritization engine for intrusion detection systems

Intrusion detection systems (IDSs) are designed to monitor a networked environment and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large, making their evaluation by security analysts a difficult task. Management is further complicated by the need to configure the different components of alert evaluation systems. In addition, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently produce results that are inaccurate and difficult to manage. Thus the tuning of an IDS alert management system to provide optimal results remains a major challenge, which is further complicated by the large spectrum of potential attacks the system can be subject to. This paper considers the specification and configuration issues of FuzMet, a novel IDS alert management system which employs several metrics and a fuzzy-logic based approach for scoring and prioritizing alerts. In addition, it features an alert rescoring technique that leads to a further reduction in the number of alerts. Comparative results between SNORT scores and FuzMet alert prioritization on a real attack dataset are presented, along with a simulation-based investigation of the optimal configuration of FuzMet. The results prove the enhanced intrusion detection accuracy brought by our system. Copyright © 2011 John Wiley & Sons, Ltd.
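To make the mechanism the abstract describes concrete, here is an added illustration of fuzzy-logic alert scoring; it is not FuzMet's code, and the paper's actual metrics, membership functions and rule base are not given on this page. The two input metrics (signature severity and target-asset criticality), the trapezoidal terms, the rule table, the consequent values and the `Alert` records are all assumptions constructed for the example. The example shows why a static per-signature score cannot separate the same signature fired against a throwaway host and against a critical server, while a fuzzy combination of several metrics can, and how a threshold on the resulting priority drops the low-priority tail of the alert stream.

```python
"""Illustrative fuzzy-logic alert scorer (constructed example, not FuzMet's own
metrics or rules). Several per-alert metrics are fuzzified, combined by a rule
table, and defuzzified into one priority score used to rank and filter alerts."""
from dataclasses import dataclass


def trap(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership: 0 outside (a, d), 1 on [b, c], linear in between."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


# Linguistic terms over a normalised [0, 1] metric (assumed shapes). The outer
# breakpoints -1 and 2 simply make the two shoulders flat at the domain edges.
TERMS = {
    "low": lambda x: trap(x, -1.0, 0.0, 0.2, 0.5),
    "medium": lambda x: trap(x, 0.2, 0.5, 0.5, 0.8),
    "high": lambda x: trap(x, 0.5, 0.8, 1.0, 2.0),
}

# Assumed rule table: (severity term, criticality term) -> priority term.
RULES = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}

# Crisp value of each consequent term (zero-order Sugeno style defuzzification).
CONSEQUENT = {"low": 0.1, "medium": 0.5, "high": 0.9}


@dataclass
class Alert:
    sid: str            # signature id (constructed)
    severity: float     # signature severity normalised to [0, 1] (assumed metric)
    criticality: float  # criticality of the targeted asset in [0, 1] (assumed metric)


def fuzzy_priority(severity: float, criticality: float) -> float:
    """Evaluate every rule with AND = min, then take the firing-strength-weighted
    average of the consequent values as the crisp priority in [0, 1]."""
    weights = 0.0
    weighted_sum = 0.0
    for (s_term, c_term), p_term in RULES.items():
        strength = min(TERMS[s_term](severity), TERMS[c_term](criticality))
        if strength > 0.0:
            weights += strength
            weighted_sum += strength * CONSEQUENT[p_term]
    # The three terms cover all of [0, 1], so at least one rule always fires.
    return weighted_sum / weights


def prioritize(alerts: list, threshold: float) -> list:
    """Score each alert, drop those below the threshold and rank the rest
    (highest priority first; ties keep input order because sort is stable)."""
    scored = [(fuzzy_priority(a.severity, a.criticality), a) for a in alerts]
    kept = [(p, a) for p, a in scored if p >= threshold]
    kept.sort(key=lambda pa: pa[0], reverse=True)
    return kept


if __name__ == "__main__":
    # Constructed alerts: the same signature against a lab box and a database
    # server, plus two others. A static per-signature score would rank the
    # first two identically; the fuzzy score separates them.
    sample = [
        Alert("sig-1001", severity=0.9, criticality=0.1),
        Alert("sig-1001", severity=0.9, criticality=0.9),
        Alert("sig-2002", severity=0.65, criticality=0.35),
        Alert("sig-3003", severity=0.1, criticality=0.2),
    ]
    for priority, alert in prioritize(sample, threshold=0.3):
        print(f"{priority:.2f}  {alert.sid}  sev={alert.severity}  crit={alert.criticality}")
```

With the assumed terms, an input of 0.65 is half "medium" and half "high", and 0.35 is half "low" and half "medium", so four rules fire at strength 0.5 and the weighted average lands at 0.5; the "sig-3003" alert scores 0.1 and is filtered out by the threshold, which is the kind of alert-count reduction a prioritization stage is meant to deliver.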
