Ahmad Baraani

Work place: University of Isfahan, Isfahan, Iran

E-mail: ahmadb@eng.ui.ac.ir

Website:

Research Interests: Information Security, Network Security, Information Systems, Information Retrieval, Information Theory

Biography

Ahmad Baraani, is an associate professor of computer engineering at the Faculty of Engineering of the University of Isfahan (UI). He got his BS in Statistics and Computing in 1977. He got his MS and PhD degrees in Computer Science from George Washington University in 1979 and University of Wollongong in 1996, respectively. He was Head of the Research Department of the Communication systems and Information Security (CSIS). He has published more than 70 papers and He coauthored three books in Persian and received an award of "the Best e-Commerce Iranian Journal Paper".

Author Articles
An Architecture for Alert Correlation Inspired By a Comprehensive Model of Human Immune System

By Mehdi Bateni Ahmad Baraani

DOI: https://doi.org/10.5815/ijcnis.2014.12.06, Pub. Date: 8 Nov. 2014

Alert correlation is the process of analyzing, relating and fusing the alerts generated by one or more Intrusion Detection Systems (IDS) in order to provide a high-level and comprehensive view of the security situation of the system or network. Different approaches, such as rule-based, prerequisites consequences-based, learning-based and similarity-based approach are used in correlation process. In this paper, a new AIS-inspired architecture is presented for alert correlation. Different aspects of human immune system (HIS) are considered to design iCorrelator. Its three-level structure is inspired by three types of responses in human immune system: the innate immune system's response, the adaptive immune system's primary response, and the adaptive immune system's secondary response. iCorrelator also uses the concepts of Danger theory to decrease the computational complexity of the correlation process without considerable accuracy degradation. By considering the importance of signals in Danger theory, a new alert selection policy is introduced. It is named Enhanced Random Directed Time Window (ERDTW) and is used to classify time slots to Relevant (Dangerous) and Irrelevant (Safe) slots based on the context information gathered during previous correlations. iCorrelator is evaluated using the DARPA 2000 dataset and a netForensics honeynet data. Completeness, soundness, false correlation rate and the execution time are investigated. Results show that iCorrelator generates attack graph with an acceptable accuracy that is comparable to the best known solutions. Moreover, inspiring by the Danger theory and using context information, the computational complexity of the correlation process is decreased considerably and makes it more applicable to online correlation.

[...] Read more.
Time Window Management for Alert Correlation using Context Information and Classification

By Mehdi Bateni Ahmad Baraani

DOI: https://doi.org/10.5815/ijcnis.2013.11.02, Pub. Date: 8 Sep. 2013

Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Several alert correlation systems use pairwise alert correlation in which each new alert is checked with a number of previously received alerts to find its possible correlations with them. An alert selection policy defines the way in which this checking is done. There are different alert selection policies such as select all, window-based random selection and random directed selection. The most important drawback of all these policies is their high computational costs. In this paper a new selection policy which is named Enhanced Random Directed Time Window (ERDTW) is introduced. It uses a limited time window with a number of sliding time slots, and selects alerts from this time window for checking with current alert. ERDTW classifies time slots to Relevant and Irrelevant slots based on the information gathered during previous correlations. More alerts are selected randomly from relevant slots, and less or no alerts are selected from irrelevant slots. ERDTW is evaluated by using DARPA2000 and netforensicshoneynet data. The results are compared with other selection policies. For LLDoS1.0 and LLDoS2.0 execution times are decreased 60 and 50 percent respectively in comparing with select all policy. While the completeness, soundness and false correlation rate for ERDTW are comparable with other more time consuming policies. For larger datasets like netforensicshoneynet, performance improvement is more considerable while the accuracy is the same.

[...] Read more.
Other Articles