CFP last date
20 December 2024
Reseach Article

Collection Mechanism and Reduction of IDS Alert

by Karim Hashim Al-saedi, Sureswaran Ramadass, Ammar Almomani, Selvakumar Manickam, Wafaa A. H. Ali Alsalihy
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 58 - Number 4
Year of Publication: 2012
Authors: Karim Hashim Al-saedi, Sureswaran Ramadass, Ammar Almomani, Selvakumar Manickam, Wafaa A. H. Ali Alsalihy
10.5120/9274-3530

Karim Hashim Al-saedi, Sureswaran Ramadass, Ammar Almomani, Selvakumar Manickam, Wafaa A. H. Ali Alsalihy . Collection Mechanism and Reduction of IDS Alert. International Journal of Computer Applications. 58, 4 ( November 2012), 40-48. DOI=10.5120/9274-3530

@article{ 10.5120/9274-3530,
author = { Karim Hashim Al-saedi, Sureswaran Ramadass, Ammar Almomani, Selvakumar Manickam, Wafaa A. H. Ali Alsalihy },
title = { Collection Mechanism and Reduction of IDS Alert },
journal = { International Journal of Computer Applications },
issue_date = { November 2012 },
volume = { 58 },
number = { 4 },
month = { November },
year = { 2012 },
issn = { 0975-8887 },
pages = { 40-48 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume58/number4/9274-3530/ },
doi = { 10.5120/9274-3530 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T21:01:38.697480+05:30
%A Karim Hashim Al-saedi
%A Sureswaran Ramadass
%A Ammar Almomani
%A Selvakumar Manickam
%A Wafaa A. H. Ali Alsalihy
%T Collection Mechanism and Reduction of IDS Alert
%J International Journal of Computer Applications
%@ 0975-8887
%V 58
%N 4
%P 40-48
%D 2012
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Numerous techniques and approaches are used to address the threats that are faced by computer networks today's. Some of these reactive approaches involve Intrusion Detection System (IDS), malware data mining and network monitoring. Numerous false positive alerts are generated by the IDS, contributing negatively to system complexity and performance. In this paper, we present a new framework called collection mechanism and reduction of IDS alert framework (CMRAF) to remove duplicate IDS alerts and reduce the amount of false alerts. CMRAF is based on two models. The first model develops a mechanism to save IDS alerts, extract the standard features as intrusion detection message exchange format, and save them in DB file (CSV-type). The second model consists of three phases. The first phase removes redundant alerts, the second phase reduces false alerts based on threshold time value, and the last phase reduces false alerts based on rules with threshold common vulnerabilities and exposure value. We applied CMRAF on two environments: the Darpa 1999 and the NAv6 network center data sets. The result obtained from the experiment on Darpa 1999 data set recorded an 92% alert reduction rate, whereas that on the NAv6 data set recorded an 84% alert reduction rate. From the results, CMRAF was able to scale back a massive quantity of redundant alerts and effectively reduces false alerts.

References
  1. Fredrik Valeur Vigna, G. ; Kruegel, C. ; Kemmerer, R. A. ; "Comprehensive approach to intrusion detection alert correlation", Dependable and Secure Computing, IEEE Transactions on, Sept. 2004, Volume: 1 , Issue: 3 Page(s): 146 – 169, DOI: 10. 1109/TDSC. 2004. 21
  2. Federico Maggi, Matteo Matteucci, and Stefano Zanero. "Reducing false positives in anomaly detectors through fuzzy alert aggregation", Elsevier, Information Fusion 10 (2009) 300-311. doi:10. 1016/j. inffus. 2009. 01. 004
  3. Elshoush and Osman, 2011, "Alert correlation in collaborative intelligent intrusion detection systems - A survey", (2011) Applied Soft Computing Journal, 11 (7), pp. 4349-4365. doi: 10. 1016/j. asoc. 2010. 12. 004
  4. Spathoulas, G. and Katsikas, S. (2010). Reducing False Positives in Intrusion Detection Systems, Computers & Security, 29, pp. 35–44. (Cited on pages 22, 34, 57 and 73. )
  5. Alharby, H. Imai, (2005). "IDS False Alarm Reduction Using Continuous and Discontinuous Patterns". Proceedings of ACNS 2005, Springer, Heidelberg, pp. 192-205.
  6. Viinikka, J. , Debar, H. , M´e, L. , Lehikoinen, A. , and Tarvainen, M. (2009). Processing intrusion detection alert aggregates with time series modeling. Information Fusion, 10, pp. 312–324.
  7. Jan, N. , Shun-Chieh, L. , Shian-Shyong, T. , Nancy P. , and Lin, A. (2009). Decision support system for constructing an alert classification model, Expert Systems with Applications, 36, pp. 11145-11155.
  8. Autrel, F. and Cuppens. (2005). Using an intrusion detection alert similarity operator to aggregate and fuse alerts. the 4th Conference on Security and Network Architecture Bat sur Mer, France.
  9. Al-Mamory, S. O. and Zhang, H. (2009). Intrusion detection alarms reduction using root cause analysis and clustering, Computer Communications, 32 , pp. 419-430.
  10. Julisch, K. (2003). "Using root cause analysis to handle intrusion detection alarms", PhD dissertation, University of Dortmund.
  11. Niogu and Jiawei, 2010, H. W. Njogu, L. Jiawei, "Using alert cluster to reduce IDS alerts", The third IEEE International Conference on Computer Science and Information Technology,China,9-11 July,2010, pp. 467-471. DOI : 10. 1109/ICCSIT. 2010. 5563925.
  12. Qin and Lee, 2005 Wenke Lee and Xinzhou Qin, "Statistical Causality Analysis of Infosec Alert Data" Massive Computing, 2005, Volume 5, Part II, 101-127, DOI: 10. 1007/0-387-24230-9_4
  13. Ignacio Porres Ruiz and María del Mar Fernández de Ramón, "An Evaluation of current IDS", Master thesis in Information Coding, Department of Electrical Engineering, at Linköping Institute of Technology, Sweden, 2008
  14. Techtarget, 2011, http: // searchfinancialsecurity. techtarget. com / definition/ Common-Vulnerabilities-and-Exposures
  15. Mitre, 2012, http://cve. mitre. org/about/
  16. Hoang, X. D. , Hu, J. , Bertok, P. (2009). A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference. Journal of Network and Computer Applications, 32, pp. 1219-1228.
  17. Pietro, R. D. , Mancini, L. V. (2008) "Intrusion detection systems " Handbook of Advances in Information Security S. Jajodia (Series editor) Springer ISBN 978-0-387-77265-3, e-ISBN: 978-0-387-77266-0. Volume 38, 65-92, DOI: 10. 1007/978-0-387-77265-3_4
  18. Xu, D. , Ning, P. "Correlation analysis of intrusion alerts", (2008) Intrusion Detection Systems, Advances in Information Security, 38, pp. 65-92. R. Di Pietro, L. V. Mancini (Eds. ) Springer ISBN 978-0-387-77265-3. DOI :10. 1007/978-0-387-77265-3_4
  19. Perdisci, R. , Giacinto, G. , Roli, F. (2006),"Alarm clustering for intrusion detection systems in computer networks", (2006) Engineering Applications of Artificial Intelligence, 19 (4), pp. 429-438. Doi: 10. 1016/j. engappai. 2006. 01. 003
  20. Yatagai, T. , Keio, U. , Yokohama, I. T. , and Sasase, I. (2007). Detection of http-get flood attack based on analaysis of page access behavior. Proc. PACRIM 07, pp. 232-235. doi: 10. 1109/PACRIM. 2007. 4313218.
  21. Wei-Zhou, L. and Shun-Zheng, Y. (2006). An HTTP flooding detection method based on browser behavior. Proc. of 2006 International Conference on Computational Intelligence and Security, Guangzhou, 2, pp. 1151–1154.
  22. Tjhai G. C. (2011). "Anomaly-Based Correlation Of Ids Alarms", PhD thesis, The University of Plymouth, UK.
  23. CVE Details, 2012, http://www. cvedetails. com/index. php.
  24. DARPA 1999 dataset https://www. ll. mit. edu/mission/communications/ist/corpora/ideval/data/1999data. html
  25. Pietraszek. (2006). Alert classification to reduce false positives in intrusion detection, Ph. D. dissertation, Institut für Informatik, Albert-Ludwigs-Universität Freiburg, Germany.
  26. Jie Ma, Zhi-tang L. , and Hong-wu Zhang (2009). "An Fusion Model for Network Threat Identification and Risk Assessment". Artificial Intelligence and Computational Intelligence, AICI'09. International Conference, pp. 314-318. DOI 10. 1109/AICI. 2009. 487.
Index Terms

Computer Science
Information Sciences

Keywords

False positive Reduction alert Network security IDS Aggregation alert