Multi-paradigm frameworks for scalable intrusion detection

Research in network security and intrusion detection systems (IDSs) has typically focused on small or artificial data sets. Tools developed against such data sets work well on them but have trouble meeting the demands of real-world, large-scale network environments. Addressing this problem requires improvements to the foundations of intrusion detection systems: data management, IDS accuracy and alert volume. We address data management of network security and intrusion detection information by presenting a database mediator system that provides single-query access via a domain-specific query language. Results are returned as XML over web services, allowing analysts to access information from remote networks in a uniform manner. The system also provides scalable capture of log data for multi-terabyte datasets. Next, we address IDS alert accuracy by building an agent-based framework that uses web services to make the system easy to deploy and capable of spanning network boundaries. Agents in the framework process IDS alerts managed by a central alert broker; the broker achieves scalability by defining processing hierarchies through dependencies assigned between agents. The framework can also be used for event correlation, that is, gathering the information relevant to an IDS alert. Lastly, we address alert volume by presenting an approach to alert correlation that is independent of the IDS that produced the alerts. Using correlated events gathered in our agent framework, we build a feature vector for each IDS alert representing the network traffic profile of the internal host at the time of the alert. This feature vector serves as a statistical fingerprint for a clustering algorithm that groups related alerts. We analyze our results with a combination of domain expert evaluation and feature selection.
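As an added illustration of the alert-correlation step described above (example code written for this page, not code from the dissertation), the following Python script performs the three steps the abstract outlines: it gathers the flow records around each alert for the alert's internal host (event correlation), builds a traffic-profile feature vector per alert as a statistical fingerprint, and clusters alerts whose fingerprints are close. The flow and alert record layout, the +/-60 s window, the nine features, min-max scaling, single-linkage clustering and the distance threshold are all assumptions chosen for the example; the alerts and flows are constructed sample data.

```python
"""Cluster IDS alerts by the traffic profile of the internal host around alert time.

Added illustration of the approach sketched in the abstract; not the dissertation's code.
Assumptions: flows and alerts are dicts (constructed sample data below), the correlation
window is +/- WINDOW seconds, and clustering is single-linkage on Euclidean distance over
min-max scaled features.
"""
import math
from collections import defaultdict

WINDOW = 60  # seconds of traffic on either side of the alert to profile (assumption)

# Counts become fractions of all flows so the fingerprint describes *what kind* of
# traffic the host was generating; volumes are log-scaled to tame heavy tails.
FEATURES = ["frac_tcp", "frac_udp", "frac_web", "frac_dns", "frac_smtp",
            "frac_outbound", "log_bytes", "log_peers", "log_flows"]


def correlate_events(alert, flows, window=WINDOW):
    """Event correlation: flows touching the alert's internal host inside the window."""
    host, lo, hi = alert["host"], alert["ts"] - window, alert["ts"] + window
    return [f for f in flows if lo <= f["ts"] <= hi and host in (f["src"], f["dst"])]


def profile(alert, events):
    """Statistical fingerprint (feature vector) of one alert; all zeros if no traffic."""
    n = len(events)
    if n == 0:
        return [0.0] * len(FEATURES)
    host = alert["host"]
    count = lambda pred: sum(1 for f in events if pred(f))
    peers = {f["dst"] if f["src"] == host else f["src"] for f in events}
    return [count(lambda f: f["proto"] == "tcp") / n,
            count(lambda f: f["proto"] == "udp") / n,
            count(lambda f: f["dport"] in (80, 443)) / n,
            count(lambda f: f["dport"] == 53) / n,
            count(lambda f: f["dport"] == 25) / n,
            count(lambda f: f["src"] == host) / n,
            math.log1p(sum(f["bytes"] for f in events)),
            math.log1p(len(peers)),
            math.log1p(n)]


def scale(vectors):
    """Min-max scale each feature column so no single column dominates the distance."""
    cols = list(zip(*vectors))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)]
            for vec in vectors]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def single_linkage(vectors, threshold):
    """Single-linkage clustering via union-find: points closer than `threshold` are
    joined, so each cluster is a connected component of the threshold graph."""
    parent = list(range(len(vectors)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(vectors)):
        for j in range(i + 1, len(vectors)):
            if euclid(vectors[i], vectors[j]) < threshold:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i in range(len(vectors)):
        groups[find(i)].append(i)
    return sorted(groups.values())


def cluster_alerts(alerts, flows, threshold=0.5):
    """Return clusters as sorted lists of alert ids, independent of the IDS signature."""
    vectors = scale([profile(a, correlate_events(a, flows)) for a in alerts])
    return [sorted(alerts[i]["id"] for i in g) for g in single_linkage(vectors, threshold)]


# ---- constructed sample data (hypothetical hosts, peers and signatures) ----
def _flows(ts, host, dport, proto, peers, per_peer, nbytes):
    """`per_peer` outbound flows from `host` to each peer, starting at `ts`."""
    return [{"ts": ts + k, "src": host, "dst": p, "dport": dport, "proto": proto,
             "bytes": nbytes} for p in peers for k in range(per_peer)]

WEB = ["93.184.216.34", "151.101.1.69", "142.250.80.46"]
MAIL = ["203.0.113.%d" % i for i in range(1, 13)]

ALERTS = [  # same signature fires on browsing hosts (a1, a2) and on spam bots (a3, a4)
    {"id": "a1", "host": "10.0.0.5",  "ts": 1000, "sig": "suspicious user agent"},
    {"id": "a2", "host": "10.0.0.7",  "ts": 2000, "sig": "suspicious user agent"},
    {"id": "a3", "host": "10.0.0.9",  "ts": 3000, "sig": "suspicious user agent"},
    {"id": "a4", "host": "10.0.0.12", "ts": 4000, "sig": "outbound SMTP burst"},
    {"id": "a5", "host": "10.0.0.3",  "ts": 5000, "sig": "suspicious user agent"},  # no traffic
]
FLOWS = (
    _flows(990, "10.0.0.5", 443, "tcp", WEB, 2, 1500) + _flows(995, "10.0.0.5", 53, "udp", ["10.0.0.2"], 2, 100)
    + _flows(1990, "10.0.0.7", 443, "tcp", WEB, 2, 1400) + _flows(1995, "10.0.0.7", 53, "udp", ["10.0.0.2"], 2, 120)
    + _flows(2990, "10.0.0.9", 25, "tcp", MAIL, 1, 600)
    + _flows(3990, "10.0.0.12", 25, "tcp", MAIL[:10], 1, 650)
    + [{"ts": 1500, "src": "10.0.0.5", "dst": "203.0.113.1", "dport": 25, "proto": "tcp", "bytes": 600},  # outside a1's window
       {"ts": 1010, "src": "10.0.0.8", "dst": "8.8.8.8", "dport": 53, "proto": "udp", "bytes": 90}]       # other host
)

if __name__ == "__main__":
    print(cluster_alerts(ALERTS, FLOWS))
```

With the default threshold the two browsing alerts group together and the two mail-burst alerts group together regardless of which signature fired, while the alert with no surrounding traffic stays a singleton rather than being silently absorbed; the threshold is the knob a domain expert would tune, and the scaled vectors are what a feature-selection pass would examine to see which columns actually separate the clusters.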