Heterogeneous Fusion of IDS Alerts for Detecting DOS Attacks

A Denial of Service (DOS) attack is a situation in which an attacker tries to prevent the users of a particular service from using that service. An intrusion detection system (IDS) is more efficient than a firewall at detecting DOS attacks generated by internal traffic. However, a single IDS usually fails to detect novel attacks and produces a large number of false alerts. This paper proposes a method of heterogeneous alert fusion for the detection of DOS attacks. The proposed method shows an increase in detection rate of about 20% compared to a signature-based IDS and 10% compared to an anomaly-based IDS, while the false alarm rate is reduced by 40%. Alert fusion results for two redundant IDS as well as two complementary IDS are demonstrated.
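The abstract does not state which fusion rule the paper uses, so the following is an added illustration rather than the paper's own method: it assumes a Dempster-Shafer combination over the two-hypothesis frame {attack, normal}, with each IDS verdict converted to a belief assignment according to an assumed sensor reliability. The same `combine` function serves the redundant case (two sensors of the same kind) and the complementary case (signature-based plus anomaly-based) mentioned in the abstract. The reliabilities, threshold and sample events are constructed for the example.

```python
"""Dempster-Shafer style fusion of alerts from two IDS sensors.

Added example, not the paper's own method. The fusion rule, the sensor
reliabilities and the sample events below are assumptions made for
illustration only.
"""

ATTACK, NORMAL, UNKNOWN = "attack", "normal", "unknown"  # UNKNOWN = whole frame


def alert_to_mass(fired: bool, reliability: float) -> dict:
    """Turn one sensor's verdict into a basic belief assignment.

    A firing sensor lends `reliability` mass to 'attack', a silent one to
    'normal'; the remainder stays on the whole frame (ignorance).
    """
    if not 0.0 <= reliability <= 1.0:
        raise ValueError("reliability must be in [0, 1]")
    return {
        ATTACK: reliability if fired else 0.0,
        NORMAL: 0.0 if fired else reliability,
        UNKNOWN: 1.0 - reliability,
    }


def combine(m1: dict, m2: dict) -> dict:
    """Dempster's rule of combination for the frame {attack, normal}.

    The conflict K is the mass both sensors place on contradictory
    singletons; K == 1 means total disagreement and the rule is undefined.
    """
    k = m1[ATTACK] * m2[NORMAL] + m1[NORMAL] * m2[ATTACK]
    if k >= 1.0:
        raise ValueError("total conflict between sensors")
    norm = 1.0 - k
    attack = (m1[ATTACK] * m2[ATTACK]
              + m1[ATTACK] * m2[UNKNOWN]
              + m1[UNKNOWN] * m2[ATTACK]) / norm
    normal = (m1[NORMAL] * m2[NORMAL]
              + m1[NORMAL] * m2[UNKNOWN]
              + m1[UNKNOWN] * m2[NORMAL]) / norm
    unknown = m1[UNKNOWN] * m2[UNKNOWN] / norm
    return {ATTACK: attack, NORMAL: normal, UNKNOWN: unknown}


def decide(m: dict, threshold: float = 0.7) -> bool:
    """Raise a fused alert only when belief in 'attack' clears the threshold."""
    return m[ATTACK] >= threshold


def fuse_events(events, rel_sig=0.8, rel_anom=0.6, threshold=0.7):
    """Fuse per-event verdicts of a signature IDS and an anomaly IDS.

    `events` is a list of (signature_fired, anomaly_fired) pairs; the
    reliabilities are assumed values, not measured ones.
    """
    verdicts = []
    for sig_fired, anom_fired in events:
        fused = combine(alert_to_mass(sig_fired, rel_sig),
                        alert_to_mass(anom_fired, rel_anom))
        verdicts.append(decide(fused, threshold))
    return verdicts


# Constructed sample: (signature IDS fired, anomaly IDS fired) for four events.
SAMPLE_EVENTS = [(True, True), (True, False), (False, True), (False, False)]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, fuse_events(SAMPLE_EVENTS)):
        print(event, "->", "ALERT" if verdict else "no alert")
```

With these assumed reliabilities, an event that only the signature IDS flags ends with a fused attack belief of about 0.62, below the 0.7 threshold, so a verdict that would have been an alert from the single sensor is suppressed; both sensors agreeing yields a belief of 0.92. That is the mechanism by which fusion trades a single sensor's false alarms against the corroborated detections the abstract reports.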
