Adaptive non-critical alarm reduction using hash-based contextual signatures in intrusion detection

Signature-based intrusion detection systems (IDSs) have been widely deployed in network environments to defend against many kinds of attacks. However, a large number of alarms, especially non-critical alarms, can be generated during detection, which greatly lowers the effectiveness of detection and makes the generated IDS alarms harder to analyze. The main reason is that the detection capability of a signature-based IDS depends heavily on its signatures, whereas current IDS signatures carry little information about the actual deployment (i.e., they lack contextual information). In addition, traditional signature matching is a key limiting factor for IDSs, since its processing burden is at least linear in the size of the input string. To mitigate these issues, in this paper we propose a novel scheme of hash-based contextual signatures that combines the original intrusion detection signatures with contextual information and hash functions. By using hash functions, our scheme can be used to construct an adaptive hash-based non-critical alarm filter, which further improves the performance of existing contextual signatures in filtering out non-critical alarms. Some examples of contextual information matching are also provided. In the evaluation, we discuss how to choose appropriate hash functions and investigate the performance of an implementation of the scheme on a real dataset and in a real network environment. The experimental results are positive and indicate that our scheme is encouraging and effective in filtering out non-critical alarms.
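The abstract describes combining signatures with deployment context and hashing the result so that an alarm can be checked against the context with a constant-cost lookup instead of a string comparison whose cost grows with the input. The following is an added illustration of that idea, not code from the paper: the context table, the signature table, the `(signature id, destination host)` key layout and the choice of BLAKE2b are all assumptions made here. Signatures that cannot apply to their target (a Windows web-server signature firing against a Linux host, or against a host that exposes no web service) are labelled non-critical; alarms whose signature or host is absent from the context table are deliberately kept, since the filter has no evidence to discard them.

```python
import hashlib
from typing import Dict, List, Set

# Constructed deployment context (assumed structure, not from the paper):
# destination host -> its OS and the services it actually exposes.
CONTEXT: Dict[str, dict] = {
    "10.0.0.5": {"os": "linux", "services": {"http", "ssh"}},
    "10.0.0.7": {"os": "windows", "services": {"smb", "rdp"}},
}

# Constructed signature table. Each original signature is extended with the
# context under which a match is meaningful; "*" matches any OS.
SIGNATURES: Dict[int, dict] = {
    1001: {"name": "IIS unicode traversal", "os": "windows", "service": "http"},
    1002: {"name": "SSH version probe", "os": "*", "service": "ssh"},
    1003: {"name": "SMB null session", "os": "windows", "service": "smb"},
}


def context_key(sid: int, dst: str) -> bytes:
    """Hash (signature id, destination host) into a fixed-length key.
    Lookup cost is then independent of how long the contextual description
    is. BLAKE2b with a 16-byte digest is an assumed choice, not the paper's."""
    return hashlib.blake2b(f"{sid}|{dst}".encode(), digest_size=16).digest()


def signature_applies(sig: dict, host_ctx: dict) -> bool:
    """A signature is relevant to a host if the OS matches (or is a wildcard)
    and the targeted service is actually exposed on that host."""
    os_ok = sig["os"] == "*" or sig["os"] == host_ctx["os"]
    return os_ok and sig["service"] in host_ctx["services"]


def build_filter(signatures: Dict[int, dict], context: Dict[str, dict]) -> Set[bytes]:
    """Precompute the key set for every (signature, host) pair that is
    meaningful in this deployment. Rebuilt whenever the context changes."""
    relevant: Set[bytes] = set()
    for sid, sig in signatures.items():
        for host, host_ctx in context.items():
            if signature_applies(sig, host_ctx):
                relevant.add(context_key(sid, host))
    return relevant


def classify(alarm: dict, relevant: Set[bytes],
             signatures: Dict[int, dict], context: Dict[str, dict]) -> str:
    """Label an alarm with a single hash-set membership test.
    Fail open: an alarm whose signature or target host is unknown to the
    context table is kept, because nothing justifies discarding it."""
    sid, dst = alarm["sid"], alarm["dst"]
    if sid not in signatures or dst not in context:
        return "critical"
    return "critical" if context_key(sid, dst) in relevant else "non-critical"


def update_host(context: Dict[str, dict], host: str, os_name: str, services: Set[str]) -> None:
    """Record a change in the deployment (e.g. a newly exposed service);
    the caller rebuilds the filter afterwards."""
    context[host] = {"os": os_name, "services": set(services)}


# Constructed alarm stream, one dict per IDS alarm.
ALARMS: List[dict] = [
    {"sid": 1001, "dst": "10.0.0.5"},  # Windows web signature, Linux host
    {"sid": 1001, "dst": "10.0.0.7"},  # Windows host, but no web service
    {"sid": 1002, "dst": "10.0.0.5"},  # SSH probe against an SSH host
    {"sid": 1003, "dst": "10.0.0.7"},  # SMB signature against an SMB host
    {"sid": 9999, "dst": "10.0.0.5"},  # signature without context: kept
    {"sid": 1002, "dst": "10.0.0.9"},  # host without context: kept
]


def run(alarms: List[dict], signatures=SIGNATURES, context=CONTEXT) -> List[str]:
    """Build the filter once, then classify each alarm with one lookup."""
    relevant = build_filter(signatures, context)
    return [classify(a, relevant, signatures, context) for a in alarms]


if __name__ == "__main__":
    for alarm, label in zip(ALARMS, run(ALARMS)):
        print(alarm, "->", label)
```

Because the key is a digest rather than the raw context string, the per-alarm work is one hash of a short, fixed-format input plus a set lookup, regardless of how rich the contextual description grows; a context change (new service on a host) is absorbed by rebuilding the key set rather than by rewriting signatures.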
