Time Window Management for Alert Correlation using Context Information and Classification

Full Text (PDF, 264KB), PP.9-16


Author(s)

Mehdi Bateni 1,*, Ahmad Baraani 2

1. Sheikhbahaee University, Isfahan, Iran

2. University of Isfahan, Isfahan, Iran

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2013.11.02

Received: 3 Jan. 2013 / Revised: 6 Apr. 2013 / Accepted: 11 May 2013 / Published: 8 Sep. 2013

Index Terms

Alert Correlation, Alert selection policy, Time window management, Classification and regression tree (CART)

Abstract

Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct, higher-level view of occurring or attempted intrusions. Several alert correlation systems use pairwise alert correlation, in which each new alert is checked against a number of previously received alerts to find its possible correlations with them. An alert selection policy defines how this checking is done. There are different alert selection policies, such as select all, window-based random selection and random directed selection. The most important drawback of all these policies is their high computational cost. In this paper a new selection policy named Enhanced Random Directed Time Window (ERDTW) is introduced. It uses a limited time window with a number of sliding time slots, and selects alerts from this time window for checking against the current alert. ERDTW classifies time slots as Relevant or Irrelevant based on the information gathered during previous correlations. More alerts are selected randomly from relevant slots, and fewer or no alerts are selected from irrelevant slots. ERDTW is evaluated using the DARPA2000 and netforensicshoneynet data sets, and the results are compared with other selection policies. For LLDoS1.0 and LLDoS2.0, execution times are decreased by 60 and 50 percent respectively compared with the select-all policy, while the completeness, soundness and false correlation rate of ERDTW are comparable with those of the other, more time-consuming policies. For larger data sets such as netforensicshoneynet, the performance improvement is more considerable while the accuracy is the same.
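As an added illustration that is not part of the paper, the following Python sketch simulates the kind of selection policy the abstract describes: a sliding time window split into slots, each slot labelled Relevant or Irrelevant from the outcome of earlier correlation checks, with more candidates sampled from relevant slots and fewer from irrelevant ones. It is a simplification with several assumptions: a hit-rate threshold stands in for the paper's CART classifier, the pairwise correlation test is a toy rule, the alert stream is constructed, and the window length, slot count and per-slot sample sizes are arbitrary choices. The select-all baseline checks every earlier alert still inside the same window, so the two policies are compared on equal terms.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    aid: int
    ts: float   # seconds since the start of the (constructed) trace
    src: str
    dst: str


def correlated(new: Alert, old: Alert) -> bool:
    """Toy pairwise correlation test (constructed for this example, not the paper's):
    two alerts are linked when they share a source or destination within 120 s."""
    return new.ts - old.ts < 120 and (new.src == old.src or new.dst == old.dst)


class ERDTWSelector:
    """Sliding time window split into equal slots; a slot is Relevant when the hit
    rate of earlier checks against it reaches a threshold (assumed rule; the paper
    learns the labels with CART)."""

    def __init__(self, window=600.0, slots=10, k_relevant=3, k_irrelevant=1,
                 threshold=0.5, seed=0):
        self.window, self.slots = window, slots
        self.slot_len = window / slots
        self.k_relevant, self.k_irrelevant = k_relevant, k_irrelevant
        self.threshold = threshold
        self.rng = random.Random(seed)
        self.stats = [[0, 0] for _ in range(slots)]  # per slot: [checks, hits]
        self.history: list[Alert] = []

    def slot_of(self, now: float, ts: float):
        """Slot index of an alert with timestamp ts as seen at time now; slot 0 is
        the most recent slot and None means the alert lies outside the window."""
        age = now - ts
        if age < 0 or age >= self.window:
            return None
        return int(age // self.slot_len)

    def is_relevant(self, slot: int) -> bool:
        checks, hits = self.stats[slot]
        if checks == 0:
            return True  # no evidence yet: treat as relevant so it gets sampled
        return hits / checks >= self.threshold

    def select(self, new: Alert):
        """Candidate partners for `new`: k_relevant from each relevant slot and
        k_irrelevant from each irrelevant slot, chosen at random within the slot.
        Returns (slot, alert) pairs so the outcome can be fed back per slot."""
        buckets = [[] for _ in range(self.slots)]
        for old in self.history:
            s = self.slot_of(new.ts, old.ts)
            if s is not None:
                buckets[s].append(old)
        chosen = []
        for s, bucket in enumerate(buckets):
            k = self.k_relevant if self.is_relevant(s) else self.k_irrelevant
            chosen.extend((s, a) for a in self.rng.sample(bucket, min(k, len(bucket))))
        return chosen

    def feedback(self, slot: int, hit: bool) -> None:
        self.stats[slot][0] += 1
        self.stats[slot][1] += int(hit)

    def remember(self, alert: Alert) -> None:
        self.history.append(alert)
        self.history = [a for a in self.history if alert.ts - a.ts < self.window]


def constructed_alerts(n: int, seed: int = 1):
    """Constructed stream: one alert every 10 s, every other alert from one noisy
    host, destinations skewed towards a single server."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        src = "10.0.0.5" if i % 2 == 0 else f"192.168.1.{rng.randint(1, 50)}"
        dst = "10.0.0.9" if rng.random() < 0.7 else "10.0.0.10"
        out.append(Alert(i, i * 10.0, src, dst))
    return out


def run_simulation(n: int = 100, seed: int = 0):
    """Count pairwise checks and hits for ERDTW against a select-all baseline that
    checks every earlier alert inside the same window."""
    sel = ERDTWSelector(seed=seed)
    checks_erdtw = hits_erdtw = checks_all = hits_all = 0
    for new in constructed_alerts(n):
        for slot, old in sel.select(new):
            hit = correlated(new, old)
            sel.feedback(slot, hit)
            checks_erdtw += 1
            hits_erdtw += int(hit)
        for old in sel.history:
            if sel.slot_of(new.ts, old.ts) is not None:
                checks_all += 1
                hits_all += int(correlated(new, old))
        sel.remember(new)
    return {"checks_erdtw": checks_erdtw, "hits_erdtw": hits_erdtw,
            "checks_select_all": checks_all, "hits_select_all": hits_all,
            "relevant_slots": [s for s in range(sel.slots) if sel.is_relevant(s)]}


if __name__ == "__main__":
    print(run_simulation())
```

Because the toy correlation rule only links alerts less than 120 s apart, the two most recent slots accumulate hits and stay Relevant, while older slots are checked once, miss, and drop to the smaller sample size; that is the feedback loop that lets a window policy spend its comparisons where correlations have actually been found.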

Cite This Paper

Mehdi Bateni, Ahmad Baraani, "Time Window Management for Alert Correlation using Context Information and Classification", International Journal of Computer Network and Information Security (IJCNIS), vol. 5, no. 11, pp. 9-16, 2013. DOI: 10.5815/ijcnis.2013.11.02
