New Multi-step Worm Attack Model

The traditional worms such as Blaster, Code Red, Slammer and Sasser, are still infecting vulnerable machines on the internet. They will remain as significant threats due to their fast spreading nature on the internet. Various traditional worms attack pattern has been analyzed from various logs at different OSI layers such as victim logs, attacker logs and IDS alert log. These worms attack pattern can be abstracted to form worms’ attack model which describes the process of worms’ infection. For the purpose of this paper, only Blaster variants were used during the experiment. This paper proposes a multi-step worm attack model which can be extended into research areas in alert correlation and computer forensic investigation

Alert Correlation through a Multi Components Architecture

Alert correlation is a process that analyzes the raw alerts produced by one or more intrusion detection systems, reduces nonrelevant ones, groups together alerts based on similarity and causality relationships between them and finally makes aconcise and meaningful view of occurring or attempted intrusions. Unfortunately, most correlation approaches use just a few components that aim only specific correlation issues and so cause reduction in correlation rate. This paper uses a general correlation model that has already been presented in [9] and is consisted of a comprehensive set of components. Then some changes are applied in the component that is related to multi-step attack scenario to detect them better and so to improve semantic level of alerts. The results of experiments with DARPA 2000 data set obviously show the effectiveness of the proposed approach.DOI:http://dx.doi.org/10.11591/ijece.v3i4.277

Scenario Based Worm Trace Pattern Identification Technique

The number of malware variants is growing tremendously and the study of malware attacks on the Internet is still a demanding research domain. In this research, various logs from different OSI layer are explore to identify the traces leave on the attacker and victim logs, and the attack worm trace pattern are establish in order to reveal true attacker or victim.For the purpose of this paper, it will only concentrate on cybercrime that caused by malware network intrusion and used the traditional worm namely blaster worm variants. This research creates the concept of trace pattern by fusing the attacker’s and victim’s perspective. Therefore, the objective of this paper is to propose on attacker’s, victim’s and multi-step(attacker/victim)’s trace patterns by combining both perspectives. These three proposed worm trace patterns can be extended into research areas in alert correlation and computer forensic investigation

Verifikasi Peringatan Berdasarkan Klasifikasi Serangan Pada Deteksi Intrusi Kolaboratif

Since long time ago, Intrusion detection system has been used to detect into the computer network or computer it self and to find attacks. Intrusion detection system detects the intrusions of the system according to the activities of the systems. Every activity that supposed as danger activities that is listed will be recorded to the database system of intrusion detection system. Practically, intrusion detection system sometimes detects that less accurate. Sometimes intrusion detection system detects undanger activities (false positive) or does not detect danger activities (false negative). Whenever amount of false positive alert is getting large, event if it becomes alert floods, it will make user complicated to analyze the attack. By using collaboration intrusion detection system then correlate the alerts, it will reduce weakness of intrusion detection system and generate better alert and more accurate. Keywords : Intrusion detection system, alert, false positive, alert correlation, alert collaboration

Enhanced Alert Correlation Framework for Heterogeneous Log

Management of intrusion alarms particularly in identifying malware attack is becoming more demanding due to large amount of alert produced by low-level detectors. Alert correlation can provide high-level view of intrusion alerts but incapable of handling large amount of alarm. This paper proposes an enhanced Alert Correlation Framework for sensors and heterogeneous log. It can reduce the large amount of false alarm and identify the perspective of the attack. This framework is mainly focusing on the alert correlation module which consists of Alarm Thread Reconstruction, Log Thread Reconstruction, Attack Session Reconstruction, Alarm Merging and Attack Pattern Identification module. It is evaluated using metric for effectiveness that shows high correlation rate, reduction rate, identification rate and low misclassification rate. Meanwhile in statistical validation it has highly significance result with p < 0.05. This enhanced Alert Correlation Framework can be extended into research areas in alert correlation and computer forensic investigation

Home-Based Intrusion Detection System

Wireless network security has an important role in our daily lives. It has received significant attention, although wireless communication is facing different security threats. Some security efforts have been applied to overcome wireless attacks. Unfortunately, complete attack prevention is not accurately achievable. Intrusion Detection System (IDS) is an additional field of computer security. It is concerned with software that can distinguish between legitimate users and malicious users of a computer system and make a controlled response when an attack is detected. The project proposed to develop IDS technology on the windows platform. The IDS adopted misuse detection, which is based on signature recognition. The main objective of this proposal is to detect any network vulnerabilities and threats that concern home-based attacks or intrusion. There are five steps in our methodology: The first step is to create awareness of the problem by understanding the purpose and scope of the learning, as well as the problem, which are necessary to be solved. The second step is to make suggestion that the intrusion detection system is protecting the network of the homes. The third step is to develop signature by establishing a set of rule thorough processes for testing IDS. The fourth step is evaluating and testing the system that has been developed. This design used the sensor to find and match activity signatures found in the checked environment to the known signatures in the signature database. Finally, the conclusion in this phase showed the results of the study and the achievement of the objectives of the study. This IDS project will contribute to the efforts to protect users from the internal and external intruders

Integration of PSO and K-means clustering algorithm for structural-based alert correlation model

Network-based Intrusion Detection Systems (NIDS) will trigger alerts as notifications of abnormal activities detected in computing and networking resources. As Distributed Denial-of-Service (DDOS) attacks are getting more sophisticated, each attack consists of a series of events which in turn trigger a series of alerts. However, the alerts are produced in a huge amount, of low quality and consist of repeated and false positive alerts. This requires clustering algorithm to effectively correlate the alerts for identifying each unique attack. Soft computing including bio-inspired algorithms are explored to optimally cluster the alerts. Therefore, this study investigates the effects of bio-inspired algorithm in alert correlation (AC) model. Particle Swarming Optimization (PSO) is integrated with K-Means clustering algorithm to conduct structural-based AC. It was tested on the benchmarked DARPA 2000 dataset. The efficiency of the AC model was evaluated using clustering accuracy, error rate and processing time measurements. Surprisingly, the experimental results show that K-Means algorithm works better than the integration of PSO and K-Means. K-Means gives 99.67% clustering accuracy while PSO and K-Means gives 92.71% clustering accuracy. This indicates that a single clustering algorithm is sufficient for optimal structural-based AC instead of integrated PSO and K-Means