Alert Correlation through a Multi Components Architecture

Alert correlation is a process that analyzes the raw alerts produced by one or more intrusion detection systems, reduces nonrelevant ones, groups together alerts based on similarity and causality relationships between them and finally makes aconcise and meaningful view of occurring or attempted intrusions. Unfortunately, most correlation approaches use just a few components that aim only specific correlation issues and so cause reduction in correlation rate. This paper uses a general correlation model that has already been presented in [9] and is consisted of a comprehensive set of components. Then some changes are applied in the component that is related to multi-step attack scenario to detect them better and so to improve semantic level of alerts. The results of experiments with DARPA 2000 data set obviously show the effectiveness of the proposed approach.DOI:http://dx.doi.org/10.11591/ijece.v3i4.277

Miner Alerts Module To Generate Itemsets Based On FP-Growth Algorithm Improvement

Data mining techniques becomes very useful for all areas, Which gives impressive results and accurate. It is can be works with huge data and variance types data. The intrusion detection system (IDS) has huge numbers of alerts without classify and almost alerts be false positive. In this paper, we proposed a new miner module to generating Itemsets of IDS alerts by using FP-Growth Algorithm Improvement, which it is produce from compact Fp growth algorithm with Apriori algorithm. This a new module contains three phases; Compute support, Resort, and Generating K-Itemsets. Its applies on Darpa 1999 datasets to generating Alerts sets based on IDS Snort. The obtain result was very useful because it is make the alerts ready to classify

Access Control from an Intrusion Detection Perspective

Access control and intrusion detection are essential components for securing an organization's information assets. In practice, these components are used in isolation, while their fusion would contribute to increase the range and accuracy of both. One approach to accomplish this fusion is the combination of their security policies. This report pursues this approach by defining a comparison framework for policy specification languages and using this to survey the languages Ponder, LGI, SPL and PDL from the perspective of intrusion detection. We identified that, even if an access control language has the necessary ingredients for merging policies, it might not be appropriate due to mismatches in overlapping concepts

Design of an evolutionary approach for intrusion detection,”

A novel evolutionary approach is proposed for effective intrusion detection based on benchmark datasets. The proposed approach can generate a pool of noninferior individual solutions and ensemble solutions thereof. The generated ensembles can be used to detect the intrusions accurately. For intrusion detection problem, the proposed approach could consider conflicting objectives simultaneously like detection rate of each attack class, error rate, accuracy, diversity, and so forth. The proposed approach can generate a pool of noninferior solutions and ensembles thereof having optimized trade-offs values of multiple conflicting objectives. In this paper, a three-phase, approach is proposed to generate solutions to a simple chromosome design in the first phase. In the first phase, a Pareto front of noninferior individual solutions is approximated. In the second phase of the proposed approach, the entire solution set is further refined to determine effective ensemble solutions considering solution interaction. In this phase, another improved Pareto front of ensemble solutions over that of individual solutions is approximated. The ensemble solutions in improved Pareto front reported improved detection results based on benchmark datasets for intrusion detection. In the third phase, a combination method like majority voting method is used to fuse the predictions of individual solutions for determining prediction of ensemble solution. Benchmark datasets, namely, KDD cup 1999 and ISCX 2012 dataset, are used to demonstrate and validate the performance of the proposed approach for intrusion detection. The proposed approach can discover individual solutions and ensemble solutions thereof with a good support and a detection rate from benchmark datasets (in comparison with well-known ensemble methods like bagging and boosting). In addition, the proposed approach is a generalized classification approach that is applicable to the problem of any field having multiple conflicting objectives, and a dataset can be represented in the form of labelled instances in terms of its features

Design of an Evolutionary Approach for Intrusion Detection

A novel evolutionary approach is proposed for effective intrusion detection based on benchmark datasets. The proposed approach can generate a pool of noninferior individual solutions and ensemble solutions thereof. The generated ensembles can be used to detect the intrusions accurately. For intrusion detection problem, the proposed approach could consider conflicting objectives simultaneously like detection rate of each attack class, error rate, accuracy, diversity, and so forth. The proposed approach can generate a pool of noninferior solutions and ensembles thereof having optimized trade-offs values of multiple conflicting objectives. In this paper, a three-phase, approach is proposed to generate solutions to a simple chromosome design in the first phase. In the first phase, a Pareto front of noninferior individual solutions is approximated. In the second phase of the proposed approach, the entire solution set is further refined to determine effective ensemble solutions considering solution interaction. In this phase, another improved Pareto front of ensemble solutions over that of individual solutions is approximated. The ensemble solutions in improved Pareto front reported improved detection results based on benchmark datasets for intrusion detection. In the third phase, a combination method like majority voting method is used to fuse the predictions of individual solutions for determining prediction of ensemble solution. Benchmark datasets, namely, KDD cup 1999 and ISCX 2012 dataset, are used to demonstrate and validate the performance of the proposed approach for intrusion detection. The proposed approach can discover individual solutions and ensemble solutions thereof with a good support and a detection rate from benchmark datasets (in comparison with well-known ensemble methods like bagging and boosting). In addition, the proposed approach is a generalized classification approach that is applicable to the problem of any field having multiple conflicting objectives, and a dataset can be represented in the form of labelled instances in terms of its features

Inferring the source and destination of the anomalous traffic in networks using spatio-temporal correlation

Orientadores: Leonardo de Souza Mendes, Mario Lemes Proença JuniorDissertação (mestrado) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de ComputaçãoResumo: Estratégias voltadas para a detecção de anomalias em redes de computadores emitem alarmes como forma de notificação ao administrador de rede. Esses alarmes são essenciais para a gerencia de rede, pois são evidencias de uma anormalidade. Entretanto, uma única anomalia pode gerar um numero excessivo de alarmes, tornando a inspeção manual inviável. Nesta dissertação, e apresentado um sistema de correlação de alarmes automatizado, divido em três camadas, que obtém os alarmes primitivos e apresenta ao administrador de rede uma visão global do cenário afetado pela anomalia. A camada de pré-processamento faz a compressão dos alarmes utilizando seus atributos espaciais e temporais, os quais são reduzidos a um único alarme denominado DLA (Alarme em Nível de Equipamento). A camada de correlação busca, através dos DLAs e de informações sobre a topologia da rede, inferir o caminho de propagação da anomalia, sua origem e destino. A camada de apresentação prove a visualização do caminho e elementos de redes afetados pela propagação da anomalia. O sistema apresentado nesta dissertação foi aplicado em diversos cenários que apresentavam anomalias reais detectadas na rede da Universidade Estadual de Londrina. Foi demonstrada sua capacidade de identificar, de forma automatizada, o caminho de propagação do trafego anômalo, proporcionando informações úteis e corretas ao administrador de rede para o diagnostico do problemaAbstract: Anomaly detection systems for computer networks send alarms in order to notify the network administrator. These alarms are essential for network management because they are evidences of an abnormality. However, a single anomaly may generate an excessive volume of alarms, making the manual inspection unfeasible. In this work, it is presented an automated alarm correlation system divided into three layers, which obtains raw alarms and presents to network administrator a global view of the scenario affected by the anomaly. In the preprocessing layer, it is performed the alarm compression using their spatial and temporal attributes, which are reduced to a unique alarm named DLA (Device Level Alarm). The correlation layer aims to infer the anomaly propagation path and its origin and destination using DLAs and network topology information. The presentation layer provides the visualization of the path and network elements affected by the anomaly propagation through the network. The presented system was applied in various scenarios that had real anomalies detected on the State University of Londrina network. It demonstrated its ability to identify in an automated manner the anomalous traffic propagation path, providing useful and accurate information to the network administrator to diagnose the problemMestradoTelecomunicações e TelemáticaMestre em Engenharia Elétric