An Improved Intrusion Detection System Based on a Two Stage Alarm Correlation to Identify Outliers and False Alerts

To protect computer networks from attacks, an intrusion detection system (IDS) should be part of the security architecture. Although detecting intrusions is the ultimate goal, IDSs generate a huge number of false alerts that the administrator cannot manage properly, along with noisy alerts, or outliers. Much research has aimed to improve IDS accuracy by reducing the false alert rate and eliminating outliers. In this paper, we propose a two-stage process to detect false alerts and outliers. In the first stage, we remove outliers from the set of meta-alerts using the best outlier detection method, selected after evaluating the most cited ones in the literature. In the second stage, we propose a binary classification algorithm that classifies each meta-alert as either a false alert or a real attack. Experimental results show that our proposed process outperforms competing methods by considerably reducing the rate of false alerts and outliers.
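The following is an added illustration of the two-stage pipeline the abstract describes; it is not the paper's code and does not reproduce the paper's chosen outlier detector or classifier. Stage one applies a distance-based outlier rule (a meta-alert is dropped when too few other meta-alerts lie within a fixed radius of it) and stage two labels each surviving meta-alert as "attack" or "false" by a k-nearest-neighbour vote against analyst-labelled history. The three meta-alert features, their scaling divisors, the thresholds and all sample data are assumptions constructed for the example.

```python
"""Two-stage meta-alert filtering (illustrative, not the paper's implementation):
stage 1 removes outliers with a distance-based criterion,
stage 2 classifies the remaining meta-alerts as real attack or false alert."""
from collections import Counter
from math import sqrt
from typing import Dict, List, Tuple

# A meta-alert is a group of correlated raw IDS alerts. It is summarised here by
# three assumed features: raw alert count, distinct source IPs, mean priority (1..3).
Features = Tuple[float, float, float]
MetaAlert = Tuple[str, Features]

# Assumed per-feature divisors so that one unit of distance means roughly
# "10 raw alerts", "5 sources" or "1 priority level".
SCALE = (10.0, 5.0, 1.0)


def scaled(f: Features) -> Tuple[float, ...]:
    return tuple(v / s for v, s in zip(f, SCALE))


def dist(a: Features, b: Features) -> float:
    """Euclidean distance in the scaled feature space."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(scaled(a), scaled(b))))


def remove_outliers(alerts: List[MetaAlert], k: int = 2, radius: float = 1.0):
    """Stage 1: a meta-alert is an outlier if fewer than k other meta-alerts
    lie within `radius` of it. Returns (inliers, outliers), order preserved."""
    inliers, outliers = [], []
    for aid, feat in alerts:
        neighbours = sum(
            1 for oid, ofeat in alerts if oid != aid and dist(feat, ofeat) <= radius
        )
        (inliers if neighbours >= k else outliers).append((aid, feat))
    return inliers, outliers


def classify(feat: Features, training: List[Tuple[Features, str]], k: int = 3) -> str:
    """Stage 2: majority label among the k nearest labelled meta-alerts."""
    nearest = sorted(training, key=lambda t: dist(feat, t[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def two_stage(alerts: List[MetaAlert], training) -> Dict[str, List[str]]:
    """Run both stages and bucket meta-alert ids as outlier / attack / false."""
    inliers, outliers = remove_outliers(alerts)
    result = {"outlier": [aid for aid, _ in outliers], "attack": [], "false": []}
    for aid, feat in inliers:
        result[classify(feat, training)].append(aid)
    return result


# Constructed analyst-verified history used to train stage 2.
TRAINING = [
    ((11, 1, 3), "attack"), ((13, 2, 3), "attack"), ((9, 1, 3), "attack"),
    ((3, 1, 1), "false"), ((2, 2, 1), "false"), ((5, 1, 1), "false"),
]

# Constructed batch of new meta-alerts; MA-7 is a noisy burst (e.g. a scan storm)
# that should be removed as an outlier before classification.
BATCH = [
    ("MA-1", (12, 1, 3)), ("MA-2", (10, 1, 3)), ("MA-3", (14, 2, 3)),
    ("MA-4", (3, 1, 1)), ("MA-5", (2, 1, 1)), ("MA-6", (4, 2, 1)),
    ("MA-7", (900, 40, 2)),
]

if __name__ == "__main__":
    print(two_stage(BATCH, TRAINING))
```

Removing outliers before training or applying the classifier matters: a single burst such as MA-7 would otherwise dominate any distance-based decision boundary, and a classifier never sees it as either class. In practice the radius and k of stage one must be tuned on the scaled feature space, since the divisors decide what "near" means.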
