Applying multi-correlation for improving forecasting in cyber security

Currently, defense of cyberspace is mostly based on detection and/or blocking of attacks (Intrusion Detection and Prevention Systems, IDPS). A significant improvement over IDPS is the employment of forecasting techniques in a Distributed Intrusion Forecasting System (DIFS), which adds the capability of predicting attacks. Nevertheless, one of the issues we faced in our earlier work was the huge number of alerts produced by IDPS, several of which were false positives. Checking the veracity of alerts against other sources (multi-correlation), e.g. logs taken from the operating system (OS), is a way of reducing the number of false alerts and, therefore, of improving the data (historical series) to be used by the DIFS. The goal of this paper is to propose a two-stage system which allows: (1) employment of an Event Analysis System (EAS) for multi-correlation between alerts from an IDPS and the OS logs; and (2) application of forecasting techniques to the data generated by the EAS. Tests performed in the laboratory with the two-stage system allow us to conclude that the reliability of the historical series improves, with a consequent improvement in forecast accuracy.
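The two stages described above, as an added illustration that is not code from the paper: IDPS alerts are kept only when the same host produced a corroborating OS log event within a short time window (a simplified stand-in for the EAS), and the resulting daily series is fed to a one-step EWMA forecast. The host names, timestamps, the 60-second window and the choice of EWMA as the forecasting technique are all assumptions; the abstract names only "forecasting techniques".

```python
from datetime import datetime

# Constructed sample data (not from the paper): IDPS alerts and OS log events
# as (host, timestamp, text). The srv2 alerts have no OS-side corroboration.
IDS_ALERTS = [
    ("srv1", "2011-03-01 10:00:05", "SSH brute force"),
    ("srv1", "2011-03-01 10:00:40", "SSH brute force"),
    ("srv2", "2011-03-01 10:05:00", "Web scanner"),
    ("srv1", "2011-03-02 09:10:00", "SSH brute force"),
    ("srv2", "2011-03-03 11:00:00", "Web scanner"),
]
OS_LOGS = [
    ("srv1", "2011-03-01 10:00:07", "sshd: Failed password for root"),
    ("srv1", "2011-03-01 10:00:41", "sshd: Failed password for admin"),
    ("srv1", "2011-03-02 09:10:20", "sshd: Failed password for root"),
]
DAYS = ["2011-03-01", "2011-03-02", "2011-03-03"]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(alerts, os_logs, window_s=60):
    """Stage 1 (simplified EAS): keep an alert only if the same host logged an
    OS event within window_s seconds of it; uncorroborated alerts are dropped."""
    confirmed = []
    for host, ts, sig in alerts:
        at = _t(ts)
        if any(lh == host and abs((_t(lts) - at).total_seconds()) <= window_s
               for lh, lts, _msg in os_logs):
            confirmed.append((host, ts, sig))
    return confirmed


def daily_series(alerts, days=DAYS):
    """Historical series: alerts per day, in the order of `days`."""
    counts = {d: 0 for d in days}
    for _host, ts, _sig in alerts:
        counts[ts[:10]] += 1
    return [counts[d] for d in days]


def ewma_forecast(series, alpha=0.5):
    """Stage 2: one-step-ahead EWMA forecast (smoothed value after the last day)."""
    s = float(series[0])
    for x in series[1:]:
        s = alpha * x + (1 - alpha) * s
    return s
```

Running the raw series ([3, 1, 1]) and the correlated one ([2, 1, 0]) through the same forecaster shows how the false positives inflate the prediction (1.5 against 0.75).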
