Measuring False-Positive by Automated Real-Time Correlated Hacking Behavior Analysis

  • Authors:
  • Jia Wang; Insup Lee

  • Venue:
  • ISC '01 Proceedings of the 4th International Conference on Information Security
  • Year:
  • 2001

Abstract

Network architectures are becoming more distributed, while detecting more sophisticated attacks with an Intrusion Detection System (IDS) demands more centralized, correlated analysis. To resolve this tension, this paper first proposes an IDS architecture framework that collects relevant alert data from diverse distributed IDSes at one or more central points, performs efficient correlation analysis on the shared data, and then generates meaningful, supportive knowledge rules from the analysis results, which are automatically pushed back to each subscribed local IDS on a schedule or even in real time, so that each local IDS can apply these rules to incoming traffic. We also define an XML format for the knowledge rule information produced by our hacking behavior correlation algorithms, and we present seven mathematical algorithms for correlated hacking behavior analysis. So that a local IDS can effectively measure the false-positive likelihood of an incoming alert, we introduce three approaches based on data mining and statistical models: 1-Rule, the Bagging method and the Naive Bayes method. By applying these methods to the collected correlated knowledge rules, we derive a true-attack confidence value of good quality for each incoming detected alert. We also developed a simulation program implementing all of these correlation algorithms and all of the data mining and statistical models. We tested these algorithms on MIT Lincoln Lab's 1999 IDS evaluation data and conclude from these preliminary results that a local IDS subscribed to this framework can obtain, in real time, a measure of how confident it should be that an alarm is a true attack, and can even lower its false positive rate if a suitable threshold is applied.
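As an added illustration, not code from the paper or its simulation program, the following scorer does what the abstract describes for the Naive Bayes approach: it learns from a constructed set of labelled alerts (standing in for the correlated knowledge rules pushed back to a local IDS), returns a true-attack confidence for an incoming alert, and applies a threshold to drop likely false positives. The attribute names, sample alerts, labels and the Laplace-smoothed categorical model are assumptions made here.

```python
from collections import Counter, defaultdict
from math import exp, log

# Constructed labelled alert history standing in for the "knowledge rules"
# pushed back from the central correlation point (values are made up).
HISTORY = [
    ({"sig": "portscan", "src": "external", "dport": "many", "repeat": "yes"}, True),
    ({"sig": "portscan", "src": "external", "dport": "many", "repeat": "no"}, True),
    ({"sig": "portscan", "src": "internal", "dport": "many", "repeat": "no"}, False),
    ({"sig": "dns_anom", "src": "internal", "dport": "53", "repeat": "no"}, False),
    ({"sig": "dns_anom", "src": "internal", "dport": "53", "repeat": "yes"}, False),
    ({"sig": "dns_anom", "src": "external", "dport": "53", "repeat": "yes"}, True),
    ({"sig": "web_attack", "src": "external", "dport": "80", "repeat": "yes"}, True),
    ({"sig": "web_attack", "src": "external", "dport": "80", "repeat": "no"}, False),
]

class AlertNaiveBayes:
    """Categorical Naive Bayes with Laplace smoothing over alert attributes."""
    def __init__(self, history):
        self.class_count = Counter(label for _, label in history)
        # counts[label][attribute][value] -> how often that value was seen
        self.counts = {c: defaultdict(Counter) for c in (True, False)}
        self.values = defaultdict(set)
        for attrs, label in history:
            for a, v in attrs.items():
                self.counts[label][a][v] += 1
                self.values[a].add(v)

    def _log_joint(self, attrs, label):
        total = sum(self.class_count.values())
        lj = log(self.class_count[label] / total)          # class prior
        for a, v in attrs.items():
            # Laplace smoothing; a never-seen value adds one extra bucket
            k = len(self.values[a]) + (0 if v in self.values[a] else 1)
            lj += log((self.counts[label][a][v] + 1) / (self.class_count[label] + k))
        return lj

    def confidence(self, attrs):
        """P(true attack | alert attributes), in [0, 1]."""
        lt = self._log_joint(attrs, True)
        lf = self._log_joint(attrs, False)
        return 1.0 / (1.0 + exp(lf - lt))

def filter_alerts(model, alerts, threshold):
    """Keep only alerts whose true-attack confidence reaches the threshold."""
    scored = [(a, model.confidence(a)) for a in alerts]
    return [(a, c) for a, c in scored if c >= threshold]
```

Raising the threshold trades missed attacks for fewer false positives, so the chosen value should be validated against labelled data such as the evaluation set the abstract mentions.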