Alert Correlation Technique Analysis For Diverse Log

Alert correlation is a process that analyses the alerts produced by one or more diverse devices and provides a more succinct and high-level view of occurring or attempted intrusions. The objective of this study is to analyse the current alert correlation technique and identify the significant criteria in each technique that can improve the Intrusion Detection System IDS) problem such as prone to alert flooding, contextual problem, false alert and scalability. The existing alert correlation techniques had been reviewed and analysed. From the analysis, six capability criteria have been identified to improve the current alert correlation techniques which are capability to do alert reduction, alert clustering, identify multi-step attack,reduce false alert, detect known attack and detect unknown attack and technique’s combination is proposed

Enhanced Alert Correlation Framework for Heterogeneous Log

Management of intrusion alarms particularly in identifying malware attack is becoming more demanding due to large amount of alert produced by low-level detectors. Alert correlation can provide high-level view of intrusion alerts but incapable of handling large amount of alarm. This paper proposes an enhanced Alert Correlation Framework for sensors and heterogeneous log. It can reduce the large amount of false alarm and identify the perspective of the attack. This framework is mainly focusing on the alert correlation module which consists of Alarm Thread Reconstruction, Log Thread Reconstruction, Attack Session Reconstruction, Alarm Merging and Attack Pattern Identification module. It is evaluated using metric for effectiveness that shows high correlation rate, reduction rate, identification rate and low misclassification rate. Meanwhile in statistical validation it has highly significance result with p < 0.05. This enhanced Alert Correlation Framework can be extended into research areas in alert correlation and computer forensic investigation

Threshold Verification Technique for Network Intrusion Detection System

Internet has played a vital role in this modern world, the possibilities and opportunities offered are limitless. Despite all the hype, Internet services are liable to intrusion attack that could tamper the confidentiality and integrity of important information. An attack started with gathering the information of the attack target, this gathering of information activity can be done as either fast or slow attack. The defensive measure network administrator can take to overcome this liability is by introducing Intrusion Detection Systems (IDSs) in their network. IDS have the capabilities to analyze the network traffic and recognize incoming and on-going intrusion. Unfortunately the combination of both modules in real time network traffic slowed down the detection process. In real time network, early detection of fast attack can prevent any further attack and reduce the unauthorized access on the targeted machine. The suitable set of feature selection and the correct threshold value, add an extra advantage for IDS to detect anomalies in the network. Therefore this paper discusses a new technique for selecting static threshold value from a minimum standard features in detecting fast attack from the victim perspective. In order to increase the confidence of the threshold value the result is verified using Statistical Process Control (SPC). The implementation of this approach shows that the threshold selected is suitable for identifying the fast attack in real tim

New Multi-step Worm Attack Model

The traditional worms such as Blaster, Code Red, Slammer and Sasser, are still infecting vulnerable machines on the internet. They will remain as significant threats due to their fast spreading nature on the internet. Various traditional worms attack pattern has been analyzed from various logs at different OSI layers such as victim logs, attacker logs and IDS alert log. These worms attack pattern can be abstracted to form worms’ attack model which describes the process of worms’ infection. For the purpose of this paper, only Blaster variants were used during the experiment. This paper proposes a multi-step worm attack model which can be extended into research areas in alert correlation and computer forensic investigation

A New Generic Taxonomy on Hybrid Malware Detection Technique

Malware is a type of malicious program that replicate from host machine and propagate through network. It has been considered as one type of computer attack and intrusion that can do a variety of malicious activity on a computer. This paper addresses the current trend of malware detection techniques and identifies the significant criteria in each technique to improve malware detection in Intrusion Detection System (IDS). Several existing techniques are analyzing from 48 various researches and the capability criteria of malware detection technique have been reviewed. From the analysis, a new generic taxonomy of malware detection technique have been proposed named Hybrid-Malware Detection Technique (Hybrid-MDT) which consists of Hybrid- Signature and Anomaly detection technique and Hybrid-Specification based and Anomaly detection technique to complement the weaknesses of the existing malware detection technique in detecting known and unknown attack as well as reducing false alert before and during the intrusion occur

Adapting Traceability in Digital Forensic Investigation Process

Generally, the goals of digital forensic investigation process in a cyber crime are to identify the origin of the incident reported as well as maintaining the chain of custody so that the legal process can take its option. However, the traceability process has become a key or an important element of the digital investigation process, as it is capable to map the events of an incident from different sources in obtaining evidence of an incident to be used for other auxiliary investigation aspects. Hence, this paper introduces the adaptability of the traceability model to illustrate the relationship in the digital forensic investigation process by integrating the traceability features. The objective of this integration is to provide the capability of trace and map the evidence to the sources and shows the link between the evidence, the entities and the sources involved in the process. Additionally, the proposed model is expected to help the forensic investigator in obtaining accurate and complete evidence that can be further used in a court of law

Forensic Traceability Index in Digital Forensic Investigation

Digital crime inflicts immense damage to users and systems and now it has reached a level of sophistication that makes it difficult to track its sources or origins especially with the advancements in modern computers, networks and the availability of diverse digital devices. Forensic has an important role to facilitate investigations of illegal activities and inappropriate behaviors using scientific methodologies, techniques and investigation frameworks. Digital forensic is developed to investigate any digital devices in the detection of crime. This paper emphasized on the research of traceability aspects in digital forensic investigation process. This includes discovering of complex and huge volume of evidence and connecting meaningful relationships between them. The aim of this paper is to derive a traceability index as a useful indicator in measuring the accuracy and completeness of discovering the evidence. This index is demonstrated through a model (TraceMap) to facilitate the investigator in tracing and mapping the evidence in order to identify the origin of the crime or incident. In this paper, tracing rate, mapping rate and offender identification rate are used to present the level of tracing ability, mapping ability and identifying the offender ability respectively. This research has a high potential of being expanded into other research areas such as in digital evidence presentation

Scenario Based Worm Trace Pattern Identification Technique

The number of malware variants is growing tremendously and the study of malware attacks on the Internet is still a demanding research domain. In this research, various logs from different OSI layer are explore to identify the traces leave on the attacker and victim logs, and the attack worm trace pattern are establish in order to reveal true attacker or victim.For the purpose of this paper, it will only concentrate on cybercrime that caused by malware network intrusion and used the traditional worm namely blaster worm variants. This research creates the concept of trace pattern by fusing the attacker’s and victim’s perspective. Therefore, the objective of this paper is to propose on attacker’s, victim’s and multi-step(attacker/victim)’s trace patterns by combining both perspectives. These three proposed worm trace patterns can be extended into research areas in alert correlation and computer forensic investigation

Time Based Intrusion Detection on Fast Attack for Network Intrusion Detection System

In recent years network attack are easily launch since the tools to execute the attack are freely available on the Internet. Even the script kiddies can initiate a sophisticated attack with just a basic knowledge on network and software technology. To overcome this matter, Intrusion Detection System (IDS) has been used as a vital instrument in defending the network from this malicious activity. With the ability to analyze network traffic and recognize incoming and ongoing network attack, majority of network administrator has turn to IDS to help them in detecting anomalies in network traffic. The gathering of information and analysis on the anomalies activity can be classified into fast and slow attack. Since fast attack activity make a connection in few second and uses a large amount of packet, detecting this early connection provide the administrator one step ahead in deflecting further damages towards the network infrastructure. This paper describes IDS that detects fast attack intrusion using time based detection method. The time based detection method calculates the statistic of the frequency event which occurs between one second time intervals for each connection made to a host thus providing the crucial information in detecting fast attack

Tracing Technique for Blaster Attack

Blaster worm of 2003 is still persistent, the infection appears to have successfully transitioned to new hosts as the original systems are cleaned or shut off, suggesting that the Blaster worm, and other similar worms, will remain significant Internet threats for many years after their initial release. This paper is to propose technique on tracing the Blaster attack from various logs in different OSI layers based on fingerprint of Blaster attack on victim logs, attacker logs and IDS alert log. The researchers intended to do a preliminary investigation upon this particular attack so that it can be used for further research in alert correlation and computer forensic investigation