A unified alert fusion model for intelligent analysis of sensor data in an intrusion detection environment

The need for higher-level reasoning capabilities beyond low-level sensor abilities has prompted researchers to use different types of sensor fusion techniques for better situational awareness in the intrusion detection environment. These techniques primarily vary in terms of their mission objectives: some prioritize alerts for alert reduction, some cluster alerts to identify common attack patterns, and some correlate alerts to identify multi-staged attacks. Each of these tasks has its own merits. Unlike previous efforts in this area, this dissertation combines the primary tasks of sensor alert fusion, i.e., alert prioritization, alert clustering and alert correlation, into a single framework in which the individual results are used to quantify a confidence score as an overall assessment for global diagnosis of a system's security health. Such a framework is especially useful in a multi-sensor environment, where sensors can collaborate with or complement each other to provide increased reliability; it is therefore essential that the outputs of the sensors are fused effectively in order to provide an improved understanding of the security status of the protected resources in the distributed environment. This dissertation uses a possibilistic approach to intelligent fusion of sensor alerts with Fuzzy Cognitive Modeling in order to accommodate the imprecision and vagueness in knowledge-based reasoning. We show that our unified architecture for sensor fusion provides better insight into the security health of systems. A new multilevel alert clustering method is developed to accommodate inexact matching of alert features and is shown to provide relevance to more alerts than traditional exact clustering. Alert correlation with a new abstract incident modeling technique is shown to address the scalability and uncertainty issues present in traditional alert correlation.
New concepts of dynamic fusion are presented for overall situation assessment, which (a) in case of misuse sensors, combines results of alert clustering and alert correlation, and (b) in case of anomaly sensors, corroborates evidence from primary and secondary sensors for deriving the final conclusion on the systems' security health.
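As an added illustration (not the dissertation's own code or model), the following Python sketch shows how a Kosko-style Fuzzy Cognitive Map can fuse the two kinds of evidence described above, clustering and correlation results from misuse sensors and primary/secondary evidence from anomaly sensors, into one risk score for a system's security health. The concept set, the weight matrix `W`, the `tanh` squashing function and the evidence values are all assumptions made for this example.

```python
import math

# Concept indices and names (assumed for this illustration).
CLUSTER, CORREL, PRIMARY, SECONDARY, MISUSE, ANOMALY, RISK = range(7)
NAMES = ["cluster", "correlation", "primary", "secondary",
         "misuse", "anomaly", "risk"]

# Causal weights W[i][j] in [-1, 1]: influence of concept i on concept j.
# Assumed values; in a real deployment they encode expert knowledge.
W = [[0.0] * 7 for _ in range(7)]
W[CLUSTER][MISUSE] = 0.4      # (a) misuse sensors: clustering result ...
W[CORREL][MISUSE] = 0.8       # ... combined with the correlation result
W[PRIMARY][ANOMALY] = 0.7     # (b) anomaly sensors: primary evidence ...
W[SECONDARY][ANOMALY] = 0.5   # ... corroborated by a secondary sensor
W[MISUSE][RISK] = 0.7         # both assessments drive the final risk
W[ANOMALY][RISK] = 0.6


def fcm_infer(weights, evidence, max_iter=100, eps=1e-6):
    """Kosko-style FCM inference: a_j(t+1) = tanh(sum_i a_i(t) * W[i][j])
    for every derived concept; evidence concepts (keys of `evidence`) stay
    clamped at their observed value. Returns the fixed-point activations."""
    n = len(weights)
    a = [evidence.get(i, 0.0) for i in range(n)]
    for _ in range(max_iter):
        nxt = list(a)
        for j in range(n):
            if j in evidence:
                continue
            nxt[j] = math.tanh(sum(a[i] * weights[i][j] for i in range(n)))
        if max(abs(x - y) for x, y in zip(nxt, a)) < eps:
            return nxt
        a = nxt
    raise RuntimeError("FCM did not converge (cyclic map?)")


def security_health(cluster=0.0, correlation=0.0, primary=0.0, secondary=0.0):
    """Fuse four evidence scores (each in [0, 1]) into a risk score in [0, 1);
    a higher risk means lower confidence in the system's security health."""
    ev = {CLUSTER: cluster, CORREL: correlation,
          PRIMARY: primary, SECONDARY: secondary}
    return dict(zip(NAMES, fcm_infer(W, ev)))


if __name__ == "__main__":
    # Constructed scenario: dense alert cluster plus a correlated multi-stage
    # scenario on the misuse side, anomaly sensor partly corroborated.
    print(security_health(cluster=0.9, correlation=0.8,
                          primary=0.7, secondary=0.6))
```

Because the assumed map is acyclic, the activations settle after three passes; a map with feedback edges would need the convergence check to do real work.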
