Processing intrusion detection alert aggregates with time series modeling

Authors:
Jouni Viinikka;Hervé Debar;Ludovic Mé;Anssi Lehikoinen;Mika Tarvainen
Affiliations:
France Telecom, BP 6243, FR-14066 Caen Cedex, France;France Telecom, BP 6243, FR-14066 Caen Cedex, France;Supélec, BP 81127, FR-35511 Cesson Sévigné Cedex, France;University of Kuopio, P.O. Box 1627, FIN-70211 Kuopio, Finland;University of Kuopio, P.O. Box 1627, FIN-70211 Kuopio, Finland
Venue:
Information Fusion
Year:
2009

Citing 17
Cited 8

A requires/provides model for computer attacks

Proceedings of the 2000 workshop on New security paradigms
Time Series Analysis: Forecasting and Control

Time Series Analysis: Forecasting and Control
Constructing attack scenarios through correlation of intrusion alerts

Proceedings of the 9th ACM conference on Computer and communications security
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection

RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Mining intrusion detection alarms for actionable knowledge

Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Alert Correlation in a Cooperative Intrusion Detection Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Mining Alarm Clusters to Improve Alarm Handling Efficiency

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Clustering intrusion detection alarms to support root cause analysis

ACM Transactions on Information and System Security (TISSEC)
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
The monitoring and early detection of internet worms

IEEE/ACM Transactions on Networking (TON)
Traffic matrix tracking using Kalman filters

ACM SIGMETRICS Performance Evaluation Review - Special issue on the First ACM SIGMETRICS Workshop on Large Scale Network Inference (LSNI 2005)
Time series modeling for IDS alert management

ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
Proceedings of the 5th international conference on Recent advances in intrusion detection

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
M2D2: a formal data model for IDS alert correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods

IEEE Transactions on Signal Processing

Automating the Analysis of Honeypot Data (Extended Abstract)

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Real-time classification of IDS alerts with data mining techniques

MILCOM'09 Proceedings of the 28th IEEE conference on Military communications
An online adaptive approach to alert correlation

DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Effective allied network security system based on designed scheme with conditional legitimate probability against distributed network attacks and intrusions

International Journal of Communication Systems
Multi-layer episode filtering for the multi-step attack detection

Computer Communications
CAFS: a novel lightweight cache-based scheme for large-scale intrusion alert fusion

Concurrency and Computation: Practice & Experience
Alert correlation using artificial immune recognition system

International Journal of Bio-Inspired Computation
Real-time detection of application-layer DDoS attack using time series analysis

Journal of Control Science and Engineering - Special issue on Advances in Methods for Networked and Cyber-Physical System

Quantified Score

Hi-index	0.00

Visualization

Abstract

The main use of intrusion detection systems (IDS) is to detect attacks against information systems and networks. Normal use of the network and its functioning can also be monitored with an IDS. It can be used to control, for example, the use of management and signaling protocols, or the network traffic related to some less critical aspects of system policies. These complementary usages can generate large numbers of alerts, but still, in operational environment, the collection of such data may be mandated by the security policy. Processing this type of alerts presents a different problem than correlating alerts directly related to attacks or filtering incorrectly issued alerts. We aggregate individual alerts to alert flows, and then process the flows instead of individual alerts for two reasons. First, this is necessary to cope with the large quantity of alerts - a common problem among all alert correlation approaches. Second, individual alert's relevancy is often indeterminable, but irrelevant alerts and interesting phenomena can be identified at the flow level. This is the particularity of the alerts created by the complementary uses of IDSes. Flows consisting of alerts related to normal system behavior can contain strong regularities. We propose to model these regularities using non-stationary autoregressive models. Once modeled, the regularities can be filtered out to relieve the security operator from manual analysis of true, but low impact alerts. We present experimental results using these models to process voluminous alert flows from an operational network.