Log Analyzer for Network Forensics and Incident Reporting

Network Intrusion Detection Systems (NIDS) are used in network forensics and network auditing to log, as alerts, suspicious activities that may signify security violations on a network. However, the alert aggregation methods that are gaining acceptance in computer security as a way to condense audit logs are flawed in two respects: they frequently require a high level of expertise to validate each alert, and they concentrate only on interesting (high-priority) events. Deceptive attacks that are deliberately crafted to appear uninteresting therefore frequently elude detection, and as a consequence aggregated alerts are not seriously considered in litigation and incident-handling exercises. This paper presents an extensive investigation of these problems. We deployed Snort in intrusion detection mode to sniff offline datasets and clustered the alerts of each dataset under several filtering criteria. The results establish how to detect various kinds of interesting and uninteresting attacks that frequently elude detection.
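The approach the abstract describes, as an added example that is not the paper's own code: parse Snort alerts in the standard "alert_fast" line format, cluster them under different filtering criteria (signature and source, or source alone), and apply two views to the same alert set. The conventional "interesting events" filter keeps only priority-1 alerts; a second pass aggregates the low-priority alerts that filter discards and flags a source whose individually ignorable events form a pattern across several targets. The sample alert lines are constructed for this example (local-rule sids, RFC 5737 addresses), and the thresholds in `uninteresting_sources` are illustrative assumptions, not values taken from the paper.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Snort "alert_fast" output: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port].
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str
    dport: Optional[int]


# Constructed sample alerts for this example (not real traffic or real rules);
# sids are in the local-rule range and addresses are RFC 5737 documentation space.
SAMPLE_ALERTS = """\
01/10-17:13:24.101010  [**] [1:1000001:1] LOCAL exploit attempt against web server [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 10.0.0.5:80
01/10-17:13:30.202020  [**] [1:1000002:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.44 -> 10.0.0.5
01/10-17:13:31.303030  [**] [1:1000002:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.44 -> 10.0.0.6
01/10-17:13:32.404040  [**] [1:1000002:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.44 -> 10.0.0.7
01/10-17:13:40.505050  [**] [1:1000003:1] LOCAL SNMP public community request [**] [Classification: Attempted Information Leak] [Priority: 3] {UDP} 192.0.2.44:40001 -> 10.0.0.7:161
01/10-17:13:45.606060  [**] [1:1000002:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 10.0.0.5
this line is not a snort alert and is skipped by the parser
"""


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for anything that does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None  # malformed or non-alert line: skipped rather than guessed at
    return Alert(
        ts=m["ts"], sid=int(m["sid"]), msg=m["msg"], priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_all(text: str) -> List[Alert]:
    return [a for a in (parse_fast_alert(l) for l in text.splitlines()) if a]


def cluster(alerts: List[Alert], key_fields: Tuple[str, ...]) -> Dict[tuple, List[Alert]]:
    """Group alerts by the named attributes; the attribute tuple is the filtering criterion."""
    groups: Dict[tuple, List[Alert]] = defaultdict(list)
    for a in alerts:
        groups[tuple(getattr(a, f) for f in key_fields)].append(a)
    return dict(groups)


def interesting(alerts: List[Alert], max_priority: int = 1) -> List[Alert]:
    """The conventional view: keep only high-priority alerts (priority 1 is highest)."""
    return [a for a in alerts if a.priority <= max_priority]


def uninteresting_sources(alerts: List[Alert], min_priority: int = 3,
                          min_count: int = 3, min_distinct_dst: int = 2) -> Dict[str, Tuple[int, int]]:
    """Sources whose low-priority alerts, each ignorable on its own, form a pattern when
    aggregated: at least min_count alerts against at least min_distinct_dst targets.
    Thresholds are illustrative assumptions for this example."""
    low = [a for a in alerts if a.priority >= min_priority]
    flagged: Dict[str, Tuple[int, int]] = {}
    for (src,), grp in cluster(low, ("src",)).items():
        targets = {a.dst for a in grp}
        if len(grp) >= min_count and len(targets) >= min_distinct_dst:
            flagged[src] = (len(grp), len(targets))
    return flagged


def report(alerts: List[Alert]) -> List[dict]:
    """Per-(signature, source) rows with counts, time span and targets, for an incident report."""
    rows = []
    for (sid, src), grp in sorted(cluster(alerts, ("sid", "src")).items()):
        rows.append({"sid": sid, "src": src, "msg": grp[0].msg, "count": len(grp),
                     "first": grp[0].ts, "last": grp[-1].ts,
                     "targets": sorted({a.dst for a in grp})})
    return rows


if __name__ == "__main__":
    alerts = parse_all(SAMPLE_ALERTS)
    print("interesting:", [(a.src, a.msg) for a in interesting(alerts)])
    print("flagged low-priority sources:", uninteresting_sources(alerts))
    for row in report(alerts):
        print(row)
```

Run against the constructed sample, the priority-only filter surfaces a single alert from 192.0.2.10, while the aggregation pass flags 192.0.2.44, whose four priority-3 alerts (three ICMP probes and an SNMP request spread over three hosts) would each have been discarded as uninteresting; 192.0.2.77, with one ICMP alert against one host, is left alone. Real alert_fast output from a production sensor may include lines the regex does not cover (for example when the classification field is absent or the output is configured differently), and those lines are skipped rather than silently misparsed, so the parse count should be compared with the line count when running over a real file.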
