Heterogeneous Multi-sensor IDS Alerts Aggregation using Semantic Analysis

One of the major limitations of current Intrusion Detection System (IDS) technology is alert flooding, which is a time-consuming and resource-intensive problem for intrusion analysts and organizations. Alert flooding has been handled using alert aggregation techniques. In general, the majority of IDS alert aggregation techniques use alert similarity to aggregate and summarize alerts. Because intrusion characteristics are expressed using symbolic attributes, measuring the similarity between IDS alerts is difficult. Previous techniques in the area of alert aggregation mostly use perfect matching or ad-hoc techniques to measure the similarity between alert attributes. In this paper, we propose a new IDS alert aggregation and reduction technique based on semantic similarity between intrusions. We define a new metric to measure the semantic similarity between different intrusion instances. In addition, we propose a new information loss metric to measure the quality of the alert aggregation process. Previous techniques only used the alert reduction rate to evaluate the alert aggregation process. The alert reduction rate is a volume metric and is not sufficient to evaluate the quality of the alert aggregation process. Experimental evaluation using existing IDS benchmark datasets shows that our proposed technique can more effectively aggregate IDS alerts and control alert flooding compared to previous techniques in the area, while still maintaining a relatively lower level of infor-
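The abstract contrasts perfect-match aggregation with aggregation by semantic similarity over symbolic attributes, and argues that the reduction rate alone is a volume metric that says nothing about what the aggregation throws away. The following Python is an added example and not code from the paper: it shows the trade-off on a handful of constructed alerts from two sensors. The attack-class taxonomy, the Wu-Palmer-style class similarity, the attribute weights (0.5/0.25/0.25), the greedy one-pass clustering, and the information-loss definition (mean dissimilarity between each alert and its cluster representative) are all assumptions chosen for illustration; they are not the paper's similarity metric or its information loss metric, which the abstract does not define.

```python
"""Aggregating heterogeneous IDS alerts by semantic similarity (illustrative).

Taxonomy, weights, clustering rule and the loss definition are assumptions made
for this example, not the paper's metrics.
"""
from dataclasses import dataclass

# Hypothetical attack-class taxonomy, child -> parent (root "attack" has no parent).
TAXONOMY = {
    "attack": None,
    "scan": "attack",
    "port_scan": "scan",
    "syn_scan": "port_scan",
    "fin_scan": "port_scan",
    "host_sweep": "scan",
    "dos": "attack",
    "syn_flood": "dos",
    "udp_flood": "dos",
    "exploit": "attack",
    "buffer_overflow": "exploit",
}


@dataclass(frozen=True)
class Alert:
    sensor: str        # which sensor raised it; deliberately ignored by the similarity
    src: str
    dst: str
    attack_class: str  # must be a node of TAXONOMY


def ancestors(node):
    """Path from node up to the root, inclusive (unknown classes raise KeyError)."""
    path = []
    while node is not None:
        path.append(node)
        node = TAXONOMY[node]
    return path


def depth(node):
    return len(ancestors(node)) - 1


def class_similarity(a, b):
    """Wu-Palmer-style similarity on the taxonomy: 2*depth(lca)/(depth(a)+depth(b))."""
    if a == b:
        return 1.0
    anc_a = set(ancestors(a))
    lca = next(n for n in ancestors(b) if n in anc_a)  # lowest common ancestor
    return 2.0 * depth(lca) / (depth(a) + depth(b))


def subnet24(ip):
    return ".".join(ip.split(".")[:3])


def alert_similarity(a, b):
    """Weighted similarity over symbolic attributes; the weights are assumed."""
    cls = class_similarity(a.attack_class, b.attack_class)
    if a.src == b.src:
        src = 1.0
    elif subnet24(a.src) == subnet24(b.src):
        src = 0.5   # partial credit for the same /24
    else:
        src = 0.0
    dst = 1.0 if a.dst == b.dst else 0.0
    return 0.5 * cls + 0.25 * src + 0.25 * dst


def aggregate(alerts, threshold):
    """Greedy one-pass clustering: join the first cluster whose representative is at
    least `threshold` similar, else open a new cluster. threshold=1.0 is perfect match."""
    clusters = []  # list of (representative, members)
    for alert in alerts:
        for rep, members in clusters:
            if alert_similarity(alert, rep) >= threshold:
                members.append(alert)
                break
        else:
            clusters.append((alert, [alert]))
    return clusters


def evaluate(alerts, threshold):
    """Volume metric (reduction rate) next to a quality metric (information loss).
    Information loss here = mean dissimilarity of each alert to its representative."""
    clusters = aggregate(alerts, threshold)
    loss = sum(1.0 - alert_similarity(m, rep) for rep, members in clusters for m in members)
    return {
        "clusters": len(clusters),
        "reduction_rate": 1.0 - len(clusters) / len(alerts),
        "information_loss": loss / len(alerts),
    }


# Constructed alerts: two sensors reporting overlapping activity.
ALERTS = [
    Alert("snort", "10.0.0.5", "192.168.1.10", "syn_scan"),
    Alert("suricata", "10.0.0.5", "192.168.1.10", "fin_scan"),
    Alert("snort", "10.0.0.5", "192.168.1.10", "syn_scan"),
    Alert("suricata", "10.0.0.9", "192.168.1.10", "host_sweep"),
    Alert("snort", "10.0.0.77", "192.168.1.20", "syn_flood"),
    Alert("suricata", "10.0.0.77", "192.168.1.20", "udp_flood"),
    Alert("snort", "172.16.0.3", "192.168.1.30", "buffer_overflow"),
]

if __name__ == "__main__":
    for t in (1.0, 0.8, 0.7, 0.5):
        r = evaluate(ALERTS, t)
        print(f"threshold={t:.1f} clusters={r['clusters']} "
              f"reduction={r['reduction_rate']:.2f} loss={r['information_loss']:.3f}")
```

Lowering the threshold from 1.0 to 0.5 collapses the seven alerts from six clusters to three, so the reduction rate climbs, but the information loss climbs with it because the host sweep and the two flood variants are folded into representatives that no longer describe them exactly. Reporting only the first number would make the most aggressive setting look best, which is the point the abstract makes about volume metrics.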
