Article info
Article history:
Received 1 April 2011
Received in revised form
30 March 2012
Accepted 7 April 2012
Available online 25 April 2012
Keywords:
Alert management
Alert verification
Vulnerability database
Alert correlation
Intrusion detection system
Abstract
Traditional Intrusion Detection Systems (IDSs) are known for generating large volumes of alerts despite all
the progress made over the last few years. The analysis of a huge number of raw alerts from large networks
is often time consuming and labour intensive because the relevant alerts are usually buried under heaps of
irrelevant alerts. Vulnerability based alert management approaches have received considerable attention
and appear extremely promising in improving the quality of alerts. They filter out any alert that does not
have a corresponding vulnerability hence enabling the analysts to focus on the important alerts. However,
the existing vulnerability based approaches are still at the preliminary stage and there are some research
gaps that need to be addressed. The act of validating alerts may not guarantee alerts of high quality
because the validated alerts may contain huge volumes of redundant and isolated alerts. The validated
alerts too lack additional information needed to enhance their meaning and semantic. In addition, the
use of outdated vulnerability data may lead to poor alert verification. In this paper, we propose a fast and
efficient vulnerability based approach that addresses the above issues. The proposed approach combines
several known techniques in a comprehensive alert management framework in order to offer a novel
solution. Our approach is effective and yields superior results in terms of improving the quality of alerts.
© 2012 Elsevier B.V. All rights reserved.
1. Introduction
Management of security in large networks is a challenging task
because new threats and flaws are being discovered every day. In
fact, the number of exploited vulnerabilities continues to rise as
computer networks grow. Intrusion Detection Systems (IDSs) are
used to manage network security in many organisations. They provide an extra layer of defence by gathering and analysing information in a network in order to identify possible security breaches [1].
There are two broad types of IDSs: signature based and anomaly
based. The former uses a database of known attack signatures for
detection while the latter uses a model of normative system behaviour and observes deviations for detection [2]. If an intrusion is
detected, an IDS generates a warning known as an alert or alarm.
IDSs are designed with the goal of delivering alerts of high quality
to analysts. However, traditional IDSs have not lived up to this
promise. They trigger an overwhelming number of unnecessary
alerts that are primarily false positives resulting from non-existent
intrusions. Analysing alerts of this nature is a challenging task
and therefore the alerts are prone to being misinterpreted, ignored or
Corresponding authors.
E-mail addresses: hnjogu@yahoo.com (H.W. Njogu), luojiawei@hnu.edu.cn
(L. Jiawei), jayri505@yahoo.com (J.N. Kiere), hadamfr@yahoo.fr
(D. Hanyurwimfura).
0167-739X/$ - see front matter © 2012 Elsevier B.V. All rights reserved.
doi:10.1016/j.future.2012.04.001
delayed. The important alerts are often buried and hidden among
thousands of other unverified, irrelevant and low priority alerts.
There are several reasons that lead IDSs to generate huge numbers
of alerts, such as IDSs being unaware of the network context
they are protecting [3,4]. Signature based IDSs are often run with
a default set of signatures. Therefore, alerts are generated for most
attack attempts irrespective of their success or failure in exploiting a
vulnerability in the network under consideration. In fact, signature
based IDSs usually do not check the effectiveness of an attack against
the local network context, thus contributing to a high number of
false positive alerts [2]. Further, most of the traditional IDSs have
limited observation abilities in terms of network space as well as
the kind of attacks they can deal with [5]. Attack evidences against
network resources can be scattered over several hosts. In fact, it is
a challenging issue to have an IDS with properly deployed sensors
able to detect the attacker traces at different spots in the network
and be able to find dependencies among them.
Research has shown that most of the damage results from vulnerabilities existing in the applications, services, ports and protocols of
hosts and networks [6]. Fixing all the known vulnerabilities before
damaging intrusions take place in order to reduce the number of
alerts [7,8] may not be effective, especially in large networks, because of the following limitations:
anomaly detector engine, for alerts generated by the IDS. For every
attack there may not be a corresponding output anomaly and this
could result in false negatives. Further, the time window used
to look for the correlation is critical for the correctness of the
scheme; a very small time window may lead to missed attacks
while a large time window may result in an increase in false positive
alerts. Moreover, this approach does not reduce the redundant and
isolated alerts after verification.
In an effort to reduce the amount of false positives, Colajanni
et al. [7] present a scheme to filter innocuous attacks by taking
advantage of the correlation between the IDS alerts and detailed
information concerning the protected information systems. Some
of the core units of the scheme are filtering and ranking units.
The authors extended this work by proposing a distributed
architecture [22] to provide security analysts with selective and
early warnings. One of its core components is the alert ranking
unit that correlates alerts with vulnerability assessment data.
According to this approach, alerts are ranked based on a match
or mismatch between the alert and the vulnerability assessment
data. We consider this type of ranking to be limiting for two
reasons: first, it relies on the match or mismatch of only one
feature (software or application) to decide whether an alert is
critical or non critical; second, it does not show the degree of
relevance of alerts and hence does not offer much help to the
analyst. In our approach, alerts are ranked at different levels
according to their degree of interestingness. Further, the
two aforementioned approaches do not reduce the redundant and
isolated alerts contained in the validated alerts.
Massicotte et al. [23] propose a possible correlation approach
based on integration of Snort, Nessus and Bugtraq databases. The
approach uses reference numbers (identifiers) found on Snort
alerts. The reference numbers refer to Common Vulnerability
Exposure (CVE), Bugtraq and Nessus scripts. The authors show a
possible correlation based on the reference numbers. However, it
is not effective because not all alerts have reference numbers. In
addition, there is no guarantee that the lists provided by CVE and
Bugtraq contain a complete listing of vulnerabilities.
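The reference-number correlation described above can be sketched with a simple set intersection. This is an illustrative reconstruction only, not the authors' implementation; the alert and vulnerability records, and their field names, are hypothetical:

```python
# Sketch of reference-number (CVE/Bugtraq) based alert-vulnerability
# correlation in the spirit of Massicotte et al. [23]. Records below
# are illustrative, not taken from the actual Snort/Nessus databases.

def correlate_by_reference(alerts, vuln_db):
    """Keep only alerts whose reference ids appear in the vulnerability DB."""
    known_refs = {ref for vuln in vuln_db for ref in vuln["refs"]}
    correlated, unmatched = [], []
    for alert in alerts:
        # An alert without reference numbers can never be correlated,
        # which is exactly the weakness noted in the text.
        if alert["refs"] and known_refs.intersection(alert["refs"]):
            correlated.append(alert)
        else:
            unmatched.append(alert)
    return correlated, unmatched

alerts = [
    {"name": "Teardrop", "refs": ["CVE-1999-0001"]},
    {"name": "Custom sig", "refs": []},  # no reference number
]
vuln_db = [{"host": "192.168.1.3", "refs": ["CVE-1999-0001"]}]

hits, misses = correlate_by_reference(alerts, vuln_db)
```

As the sketch makes plain, the second alert can never be verified this way, regardless of whether it reports a real intrusion.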
Neelakantan and Rao [24] propose an alert correlation approach
comprising three stages: (i) finding vulnerabilities in the network under consideration, (ii) creating a database of all vulnerabilities having reference numbers (CVE or Bugtraq) and (iii) selecting
signatures that correspond to the identified vulnerabilities. This
approach requires reconfiguration of the signatures when there is a
network change (such as hosts being added or removed) leading to
downtime of the IDS engine. Moreover, it only handles alerts with
reference numbers thus lowering detection rates due to incompleteness of vulnerability reference numbers. The approach does
not reduce the redundant and isolated alerts contained in the validated alerts.
There have been efforts to evaluate alerts using metrics
based on vulnerability data, but these metrics have not been used together as
proposed in our paper. For example, Bakar and Belaton [25] propose an Intrusion Alert Quality Framework (IAQF) for improving
alert quality. Central to this approach is the use of vulnerability information that helps to compute alert metrics (such as accuracy,
reliability, correctness and sensitivity) in order to prepare them for
higher level reasoning. The framework improves the alert quality
before alert verification. However, the approach does not reduce
the redundant and isolated alerts after alert verification. A similar
work is presented by Chandrasekaran et al. [26]. The authors propose an aggregated vulnerability assessment and response against
zero-day exploits. The approach uses metrics such as deviation
in number of alerts, relevance of the alerts and variety of alerts
generated in order to prepare the final alerts. The work is limited
to zero day attacks while our work handles different types of attacks. In addition, the authors have not given details on how the
threat profile is constructed and how the alerts are verified. Alsubhi
et al. [27] present an alert management engine known as FuzMet
which employs several metrics (such as severity, applicability, importance and sensor placement) and a fuzzy logic based approach
for scoring and prioritising alerts. Although some of the metrics
are similar to the ones proposed in our work, there are several
key differences. The scheme tags metrics onto the unverified alerts
(raw alerts), which contain unnecessary alerts, while in our work only
the validated alerts are tagged with metrics, i.e. metrics are only
tagged to the necessary alerts that show a certain degree of relevance to the network context, in order to improve the accuracy of
the final alerts. In addition, our work employs fewer metrics yet
is powerful enough to improve the performance of alert management. Further, we use a simpler procedure to compute the alert
metrics.
Njogu and Jiawei [28] propose a clustering approach to reduce
the unnecessary alerts. The approach uses vulnerability data to
compute alert metrics. It determines the similarity of alerts
based on the alert metrics, and alerts that show similarity
are grouped together in one cluster. We have extended this
previous work by implementing a better architecture for building
dynamic vulnerability data that draws information from three
sources, i.e. network resource data, a known vulnerability database
and scan reports from multiple vulnerability scanners. In addition,
our new work correlates alerts based on both alert features and
alert metrics. We have also introduced the concepts of alert
classification and prioritisation based on alert metrics.
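The metric-based similarity clustering of [28] can be sketched as a greedy grouping over metric vectors. The distance measure, threshold and four-component metric vector below are our own illustrative assumptions, not the published algorithm's exact parameters:

```python
# Sketch: group alerts whose metric vectors (relevance, severity,
# frequency, source confidence) are close, in the spirit of [28].
def cluster_by_metrics(alerts, threshold=1.0):
    """Greedy clustering: an alert joins the first cluster whose
    representative has a nearby metric vector (Euclidean distance)."""
    clusters = []
    for alert in alerts:
        for cluster in clusters:
            rep = cluster[0]["metrics"]
            dist = sum((a - b) ** 2 for a, b in zip(alert["metrics"], rep)) ** 0.5
            if dist <= threshold:
                cluster.append(alert)
                break
        else:
            # No similar cluster found: start a new one.
            clusters.append([alert])
    return clusters

alerts = [{"metrics": (9, 1, 0, 5)},
          {"metrics": (9, 1, 0.2, 5)},   # near-duplicate of the first
          {"metrics": (2, 3, 0, 1)}]
groups = cluster_by_metrics(alerts)      # two clusters
```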
A more recent and interesting work which is closer to our work
is presented by Hubballi et al. [2]. The authors propose a false
positive alert filter to reduce false alerts without manipulating
the default signatures of IDSs. Central to this approach is the
creation of a threat profile of the network which forms the basis
of alert correlation. The method correlates the IDS alerts with
network specific threats and filters out false positive alerts. This
involves two steps: (i) alerts are correlated with vulnerabilities to
generate correlation binary vectors and (ii) the correlation binary
vectors are classified using neural networks. The idea of
correlating alerts with vulnerabilities in the work is promising in
delivering accurate alerts. However, this approach does not reduce
the number of redundant and isolated alerts after alert verification.
Further comparisons are presented in Section 3.1.4.
Al-Mamory and Zhang [29] note that most of the general
alert correlation approaches such as Julisch [30], Valdes and
Skinner [31], Debar and Wespi [32], Al-Mamory and Zhang [33],
Sourour et al. [34], Jan et al. [35], Lee et al. [36] and Perdisci
et al. [37] do not make full use of the information that is available
on the network under consideration. The general alert correlation
approaches usually rely on the information on the alerts which
may not be comprehensive and reliable to understand the nature
of the attack and may lead to poor correlation results. In fact,
correlating alerts that refer to failed attacks can easily result in
the detection of whole attack scenarios that are nonexistent. Thus,
it is useful to integrate the network context information in alert
correlation in order to identify the exact level of threat that the
protected systems are facing.
With respect to the related work, we noted that most
vulnerability based approaches proposed in the literature are able
to validate alerts successfully. However, validating alerts may
not guarantee alerts of high quality. For example, the validated
alerts may contain a massive number of redundant and isolated
alerts from the same intrusion event and from attacks carried out in
different stages. Such issues have received little attention in the
research field. In order to address the shortcomings of vulnerability
based approaches, our work has synergised several techniques in
a comprehensive alert management framework in order to build a
novel solution.
Table 1
Alert metrics.

Alert metric                                 Scale  Computation
Alert relevance (importance of an alert)     0–9
Alert severity (criticality of an alert)     1–3    If the alert's priority (1) matches the EVA data's severity (High) then alert severity = 1; else if the alert's priority (2) matches the EVA data's severity (Medium) then alert severity = 2; else if the alert's priority (3) matches the EVA data's severity (Low) then alert severity = 3. NB: where there is no match (e.g. alert priority 1 or 2 with EVA data severity Low or Medium), refer to the severity of the EVA data.
Alert frequency (rate of alert occurrence)   0–1
Source confidence                            0–6    The value of this metric is stored in the alert sensor data. It is easy to extract the confidence value of a sensor because each alert has a sensorId field.
Table 2
Pre-processed alert snapshot.

Reference id   Name                      SensorId  IPdest       Portdest  IPsrc        Portsrc  Priority (severity)  Protocol  Class         Time               Application
CVE-1999-0001  Teardrop                  1         192.168.1.3  1238      192.168.1.1  1238     High                 TCP       DoS           9:9:2011:10:12:05  Windows
CVE-1999-0527  Telnet resolv host conf.  2         192.168.1.2  1026      192.168.1.1  1026     Medium               TCP       U2R (Telnet)  9:9:2011:10:12:06  Telnet, Windows
Table 3
EVA data snapshot.

Reference id   Name                      IP address   Port  Priority (severity)  Protocol  Class         Time               Application
CVE-1999-0001  Teardrop                  192.168.1.3  1238  High                 TCP       DoS           8:9:2011:14:16:02  Windows
CVE-1999-0527  Telnet resolv host conf.  192.168.1.2  1026  Medium               TCP       U2R (Telnet)  8:9:2011:14:16:02  Telnet, Windows
Table 4
Alert sensor data snapshot.

Sensor Id  Sensor score
1          5
2          2
Generally, the vulnerability based alert management approaches are not able to deal with unknown vulnerabilities and
intrusions [12]. In this work, we designed a policy to reduce the influence of the unknown vulnerabilities and intrusions during alert
verification. This policy minimises cases such as relevant alerts being
ignored or considered irrelevant simply because they fail to match
the vulnerabilities in EVA data when they are being validated. The
policy addresses the following four cases:
Table 5
Fuzzy rule base.

Rule  Relevance  Severity  Frequency  Source confidence  Class
1     High       High      High       High               Class 1
2     High       High      High       Low                Class 2
3     High       High      Low        High               Class 3
...   ...        ...       ...        ...                ...
N     Low        Low       Low        Low                Class k
The results from the alert verifier (alerts with four metrics)
are used as input to the fuzzy logic inference engine in order to
determine the interestingness of alerts i.e. we consider the four
alert metrics of an alert as the input metrics. The input metrics
are fuzzified to determine the degree to which they belong to
each of the appropriate fuzzy sets via membership functions.
Membership functions are curves that define how each point in
the input space is mapped to a degree of membership between 0
and 1. The membership functions of all input metrics are defined
in this step. The summary of the membership functions for each input
metric is: Relevance: Low or High; Severity: Low, Medium or
High; Frequency: Low or High; and Source confidence: Low or
High. In this work, we used a Gaussian distribution to define the
membership functions.
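A Gaussian membership function of this kind can be sketched as follows. The centres and widths below are illustrative assumptions, not the tuned values used in the experiments:

```python
import math

def gaussian_mf(x: float, centre: float, sigma: float) -> float:
    """Degree of membership in [0, 1] for an input value x."""
    return math.exp(-((x - centre) ** 2) / (2 * sigma ** 2))

# Illustrative fuzzy sets for the relevance metric (scale 0-9):
relevance_low = lambda x: gaussian_mf(x, centre=0.0, sigma=2.0)
relevance_high = lambda x: gaussian_mf(x, centre=9.0, sigma=2.0)

# A relevance score of 9 belongs fully to "High" and barely to "Low".
```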
We used domain experts to define a set of IF-THEN rules as
illustrated in Table 5. In total, we established 11 classes that
represent different levels of alert interestingness for every group
of attacks. These rules represent all possible and desired cases
in order to improve the efficiency of the inference engine. We
eliminated rules that were contradictory or meaningless. Each
rule consists of two parts: antecedent or premise (between IF and
THEN) and a consequent block (following THEN). The antecedent
is associated with input while the consequent is associated with
output. The inputs are combined logically with operators such as
AND to produce output values for all expected inputs. The general
form of the classification rule that takes alert metrics as input and
class as output is illustrated below:
Rule: IF feature A is high AND feature B is high AND feature C is
high AND feature D is high THEN Class = class 1. From Table 5, we
can extract a fuzzy rule as follows:
R1: IF Relevance is High AND Severity is High AND Frequency is High
AND Source Confidence is High THEN Class = Class 1.
From the above rule, relevance, severity, frequency and source
confidence represent the input variables while class is an output
variable.
In brief, we used the fuzzy logic to determine the interestingness of different alerts contained in the 11 classes for each group
of attacks. As illustrated in Fig. 4, the fuzzy inference system takes
the input values from the four metrics.
The input values take the form DoS (9, 1, 0, 5), where DoS
represents the group of attack, 9 the relevance score, 1 the
severity, 0 the frequency and 5 the source confidence. As previously
illustrated in Table 1, the ranges of the metrics are: relevance score
0–9 (least is 0 and highest is 9), severity 1–3 (1 is most severe
and 3 least severe), frequency 0–1 (least is 0 and highest is 1)
and source confidence 0–6 (least is 0 and highest is 6). The input
metrics are fuzzified using the defined membership functions in
order to establish the degree of membership. The inference uses
the set of rules to process the input metrics. All the outputs are
combined and provided in a single fuzzy set. The fuzzy set is then
defuzzified to give a value that represents the interestingness of an
alert. The alert is then put into the right class.
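A minimal Mamdani-style sketch of this pipeline (fuzzify, apply AND-rules with min, aggregate, defuzzify by weighted centroid) might look as follows. The membership parameters, the reduced three-rule toy rule base and the mapping of classes to numeric centroid positions are all our own illustrative assumptions, not the paper's 11-class rule base:

```python
import math

def gauss(x, c, s):
    return math.exp(-((x - c) ** 2) / (2 * s ** 2))

# Fuzzify the four metrics: relevance 0-9, severity 1-3 (1 most severe),
# frequency 0-1, source confidence 0-6.
def fuzzify(rel, sev, freq, conf):
    return {
        "rel_high": gauss(rel, 9, 2), "rel_low": gauss(rel, 0, 2),
        "sev_high": gauss(sev, 1, 0.5), "sev_low": gauss(sev, 3, 0.5),
        "freq_high": gauss(freq, 1, 0.25), "freq_low": gauss(freq, 0, 0.25),
        "conf_high": gauss(conf, 6, 1.5), "conf_low": gauss(conf, 0, 1.5),
    }

# Toy rule base: antecedent labels are ANDed with min; the consequent
# class is represented by a numeric centroid position (1 = Class 1).
RULES = [
    (("rel_high", "sev_high", "freq_high", "conf_high"), 1.0),   # Class 1
    (("rel_high", "sev_high", "freq_high", "conf_low"), 2.0),    # Class 2
    (("rel_low", "sev_low", "freq_low", "conf_low"), 11.0),      # Class k
]

def classify(rel, sev, freq, conf):
    mu = fuzzify(rel, sev, freq, conf)
    strengths = [(min(mu[a] for a in ante), out) for ante, out in RULES]
    num = sum(w * out for w, out in strengths)
    den = sum(w for w, _ in strengths)
    # Defuzzified interestingness: lower values are closer to Class 1.
    return num / den

# DoS (9, 1, 0, 5): highly relevant and severe, from a trusted sensor.
score = classify(9, 1, 0, 5)
```

An alert with the best possible metrics defuzzifies close to 1 (Class 1); weaker metric combinations drift towards the higher-numbered classes.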
Unlike other classification schemes that label alerts as either
true positive or false positive, our classifier determines the
interestingness of alerts using several sub classifiers. In addition,
most of the existing classification schemes require a lot of
Our alert correlator is fed with classified alerts that are already
validated as input. As discussed earlier, the alert verification
process helps to filter out any alert without a corresponding
vulnerability. This means that the alert correlator processes
alerts of high quality thus giving better results unlike other
correlation methods such as [31,34,36,37] which are fed with
unverified alerts. As noted earlier, if a correlation system
receives unverified alerts (containing false positives) as input,
the quality of the correlation results may degrade significantly
leading to false positive alerts being misinterpreted or given
undue attention [17]. In addition, our approach drastically
reduces the overhead (such as processing time and storage)
associated with unverified and unnecessary alerts.
Most of the previous correlation methods, such as Valdes and
Skinner [31] and Lee et al. [36], use only one correlation schema
to correlate different alerts. Our correlator is designed with
respect to the alert classes of the different groups of attacks.
An alert class contains alerts with similar metrics that are
generated by one group of attacks. Our correlation component
has 6 correlators and each has eleven sub correlators that
correspond to the 11 alert classes, i.e. each alert class has a
corresponding sub correlator that is adjusted dynamically and
automatically. Handling a specific class of alerts with a
corresponding sub correlator simplifies the process
of alert correlation.
Our approach is able to detect a wide range of attacks
at early stages, including single and multi-step attacks, and
deliver realistic results. Our approach delivers meta alerts that
represent the attack dimensions, as illustrated in the next
sub section. Moreover, our solution is able to find new attacks
using the undefined attack sub correlator.
Finally, our solution is able to prioritise alerts accordingly. The
alert correlator component separates alerts according to their
degree of interestingness as discussed later in the next sub
sections.
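The routing of classified alerts to class-specific sub correlators described above can be sketched as a dispatch table over (attack group, alert class) pairs. This is a structural illustration only; the group names and record fields are hypothetical:

```python
from collections import defaultdict

ATTACK_GROUPS = ["DoS", "Telnet", "FTP", "MySql", "Sql", "Undefined"]
NUM_CLASSES = 11

# One sub correlator per (attack group, alert class) pair: 6 x 11.
def make_sub_correlator(group, alert_class):
    def correlate(alert, state=defaultdict(list)):
        # A real sub correlator would merge the alert into existing meta
        # alerts; here we only collect alerts per class for illustration.
        state[(group, alert_class)].append(alert)
        return state[(group, alert_class)]
    return correlate

DISPATCH = {
    (g, c): make_sub_correlator(g, c)
    for g in ATTACK_GROUPS
    for c in range(1, NUM_CLASSES + 1)
}

# Route a classified alert to its dedicated sub correlator.
def route(alert):
    return DISPATCH[(alert["group"], alert["class"])](alert)
```

Each sub correlator only ever sees alerts of one class from one attack group, which is what makes the per-class tuning described above possible.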
3.3.2. Attack dimensions
We use three general patterns of meta alerts to represent attack
dimensions. Alerts are grouped according to: source address, target
address and attack id:
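Grouping alerts into meta alerts along these dimensions can be sketched as follows; the field names (`src`, `dst`, `attack_id`) and the meta alert record layout are illustrative assumptions:

```python
from collections import defaultdict

def build_meta_alerts(alerts, key):
    """Group alerts by "src", "dst" or "attack_id" into meta alerts."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert[key]].append(alert)
    # Each meta alert summarises one group of related alerts.
    return [{"key": k, "count": len(v), "alerts": v}
            for k, v in groups.items()]

alerts = [
    {"src": "192.168.1.1", "dst": "192.168.1.3", "attack_id": "CVE-1999-0001"},
    {"src": "192.168.1.1", "dst": "192.168.1.2", "attack_id": "CVE-1999-0527"},
]
by_source = build_meta_alerts(alerts, "src")  # one meta alert (same source)
```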
and Resolve host conf); SQL attacks (SQL server buffer overflow and
SQL injection); MySql (SSL hello message overflow).
About 80% of the attacks were non relevant, meaning they could
not exploit any vulnerability of the test bed, and about 20% of the
attacks were relevant, meaning that they were able to exploit the
vulnerabilities of the test bed.
We designed a program in Java to implement various
components such as the Alert-Meta alert history correlator, the Alert-EVA
data verifier and the alert correlator. The program is used together
with the WEKA tools (FURIA) [51] to classify alerts.
4.2. EVA data
EVA data is a comprehensive database implemented on MySql
platform. It represents the threat profile of the test bed. EVA
data lists network specific vulnerabilities by reference id, name,
severity, IP address, port, protocol, class, time and application as
discussed in Section 3. To populate EVA data, we used various
up-to-date vulnerability scanners such as GFI Languard [52] and
Nessus [53]. They capture and report threats and vulnerabilities
(in ports, applications etc.) of the test bed. They use different
techniques to detect vulnerabilities and are set to run periodically
to look for new vulnerabilities. We used Perl scripts to process
the reports from the scanners. Because vulnerabilities are dynamic
in nature, special agents (in the form of Perl scripts) are installed
on the hosts to track changes in applications, services and
configuration, and then update EVA data.
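Folding the scanner reports into EVA data can be sketched as a keyed merge. The record fields mirror the EVA attributes listed above, but the key choice and dictionary layout are our own illustrative assumptions (the report parsing itself is assumed done, e.g. by the Perl scripts mentioned above):

```python
# Sketch: merge reports from several scanners into one EVA data store,
# keyed by (reference id, IP address, port) to avoid duplicate entries.
def update_eva_data(eva, scanner_reports):
    for report in scanner_reports:
        for vuln in report:
            key = (vuln["ref_id"], vuln["ip"], vuln["port"])
            eva[key] = vuln  # newer scan results overwrite older ones
    return eva

gfi_report = [{"ref_id": "CVE-1999-0001", "ip": "192.168.1.3", "port": 1238,
               "severity": "High", "protocol": "TCP", "class": "DoS"}]
nessus_report = [{"ref_id": "CVE-1999-0001", "ip": "192.168.1.3", "port": 1238,
                  "severity": "High", "protocol": "TCP", "class": "DoS"}]

# The same vulnerability seen by two scanners collapses to one entry.
eva = update_eva_data({}, [gfi_report, nessus_report])
```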
EVA data and IDS product (in this case Snort) may use different
attack details such as reference ids and names when referring
to the same attack. This could have an impact when computing
alert scores. In fact, standardisation of attack details is a
global issue affecting alert management: there are no
unique attack details, such as reference ids, that reference all types of
attacks. Standardised schemes such as CVE have been developed
to uniquely reference and directly map attack information to
vulnerabilities. IDS products such as Snort reference their signatures to
the CVE standard. However, not all attacks have assigned CVE ids as
reference ids. For example, only 33% of the attack signatures in Snort
2003 have CVE ids. To address this, we examined the attack details
(such as reference ids and names) of vulnerabilities and attacks
contained in EVA data and Snort. We determined the coverage
overlap of standardised attack details between EVA data and Snort
and then included additional attack details based on Snort into EVA
data. That is, EVA data uses Snort attack details to complement CVE
when referring to attacks. We limited the coverage of this exercise
to the attacks used in the test bed. This solution helps to ensure
the completeness of attack details in EVA data because, if attack
details are missing, the computation of alert scores is affected
negatively.
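The coverage-overlap step can be sketched with plain set operations. The signature identifiers below are hypothetical placeholders, not real Snort SIDs:

```python
def complement_eva_refs(eva_refs, snort_sigs):
    """Add Snort's own signature ids for attacks that lack CVE ids.

    eva_refs:   set of CVE ids already in EVA data
    snort_sigs: mapping of Snort signature id -> CVE id (or None)
    """
    # Attack details already covered by both EVA data and Snort.
    overlap = {cve for cve in snort_sigs.values() if cve in eva_refs}
    # Signatures without a CVE id are referenced by their Snort id instead.
    extra = {sid for sid, cve in snort_sigs.items() if cve is None}
    return eva_refs | extra, overlap

eva_refs = {"CVE-1999-0001", "CVE-1999-0527"}
snort_sigs = {"SID:270": "CVE-1999-0001", "SID:1325": None}

refs, overlap = complement_eva_refs(eva_refs, snort_sigs)
```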
4.3. Alert sensor data
It keeps the profile (such as sensorId, sensor score and
confidence value) of all Snort sensors in the test bed. The
alert sensor data is implemented on MySql. We carried out
experiments with the goal of establishing the confidence values
of the sensors. We used attack and attack free data in controlled
and uncontrolled environments to observe how the sensors fared in
terms of consistency of alert output, accuracy and detection rates,
number of alerts, ratio of interesting alerts to non interesting alerts,
and false alert rates.
In order to have accurate confidence values, we considered
aspects such as current versions of signatures, time when the last
update occurred, alert output, accuracy and detection rates, the
degree of threats and risks, previous experience of the analysts,
type of traffic being handled, environment being monitored among
other aspects. These aspects explicitly demonstrate the confidence
of sensors. We used the following policy that takes into account
the aforementioned aspects:
Precision = TP / (TP + FP)

Detection rate = TP / (TP + FN)
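Both rates can be computed directly from the alert counts, e.g. from the DoS column of Table 6:

```python
def precision(tp: int, fp: int) -> float:
    """Fraction of reported alerts that are true positives, in percent."""
    return 100.0 * tp / (tp + fp)

def detection_rate(tp: int, fn: int) -> float:
    """Fraction of relevant attacks that were detected, in percent."""
    return 100.0 * tp / (tp + fn)

# DoS raw alerts from Table 6: TP = 101, FP = 604, FN = 6.
p = precision(101, 604)     # about 14.3% for the DoS column
d = detection_rate(101, 6)  # about 94.4% for the DoS column
```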
Table 6
Precision and detection rate of raw alerts (Snort).

Alerts/group                         DoS   Telnet  FTP   MySql  Sql
Attacks                              689   943     1387  1190   1168
Relevant attacks                     107   171     247   172    155
Non relevant attacks                 582   772     1140  1018   1013
Snort alerts collected (unverified)  705   973     1408  1217   1203
TP                                   101   165     242   169    149
FP                                   604   808     1166  1048   1054
FN                                   6     6       5     3      6
Precision (%)                        14.3  16.9    17.1  13.8   12.3
Detection rate (%)                   94.3  96.4    97.9  98.2   96.1
Table 7
Precision and detection rate of validated alerts (after stage 1).

Alerts/group               DoS   Telnet  FTP   MySql  Sql
Input alerts (unverified)  705   973     1408  1217   1203
Validated alerts           101   165     242   169    149
TP                         96    160     236   164    142
FP                         5     5       6     5      7
FN                         11    11      11    8      13
Precision (%)              95.0  96.9    97.5  97.0   95.3
Detection rate (%)         89.7  93.5    95.5  95.3   91.6
Alerts eliminated (%)      85.6  83.0    82.8  86.1   87.6
Table 8
Performance result (Stage 1).

Percentage/group  DoS   Telnet  FTP   MySql  Sql
                  19.8  20.2    20.3  19.2   21.1
                  80.2  79.8    79.7  80.8   78.9
relevant attack but the EVA data has not registered a corresponding
vulnerability for this attack. Table 7 indicates that at least 82% of
input alerts were eliminated in stage 1. Therefore, the alert load of
the alert classification component is significantly reduced.
4.4.2. Stage 2: Alert classification
The fuzzy based alert classification component classifies alerts
according to the alert metrics. We implemented all aspects (such
as rule base) of the alert classifier in WEKA (FURIA). The classifier
was trained by replaying the test data over and over again to produce
the desired results with high accuracy. The classification rules
were modified accordingly. It may be noted that this component
is trained to handle alerts with alert metrics corresponding to all
sets of attacks used in the test bed.
Each class contains alerts reporting one group of attacks. We
observed that the ideal interesting alerts form a small fraction
as compared to the partial interesting alerts. We also noted that
the alert classification component successfully classified alerts
according to the alert metrics.
To demonstrate the importance of the proposed system, we
compared the classification results produced manually (manual
classification) with the results from the system and noted that not
only did it take longer to classify the alerts manually, but there
were also numerous cases where alerts were misclassified, ignored or
misinterpreted.
The result in Fig. 6 indicates that ideal interesting alerts
represent at least 8% of the classified alerts while the rest are partial
interesting alerts. Our classifier successfully separated the ideal
interesting alert classes from the partial interesting alert classes.
Reduction rate = (N − Nf) / N, where N is the number of input alerts in a class and Nf is the number of resulting meta alerts.
From the correlation results shown in Tables 9 and 10, the alert
correlation component reduces the redundant alerts contained
in the alert classes by at least 80% for the ideal interesting alerts.
Table 9
Meta alerts based on alert classes for ideal interesting alerts.

Group                         DoS   Telnet  FTP   MySql  Sql
Input alerts                  16    17      30    19     10
Meta alerts (source address)  1     1       2     1      1
Meta alerts (target address)  1     1       2     1      1
Meta alerts (attack id)       1     1       1     1      0
Reduction rate (%)            81.2  82.3    83.3  84.2   80.0
Table 10
Meta alerts based on alert classes for partial interesting alerts.

Group                         DoS   Telnet  FTP   MySql  Sql
Input alerts                  85    148     212   150    139
Meta alerts (source address)  7     9       15    9      11
Meta alerts (target address)  4     6       8     6      5
Meta alerts (attack id)       4     5       10    7      7
Reduction rate (%)            82.3  86.4    84.4  85.3   83.4
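The reduction rates in Tables 9 and 10 follow directly from the meta alert counts; the DoS figures below are as read from the (garbled) original table:

```python
def reduction_rate(input_alerts: int, meta_alerts: int) -> float:
    """Percentage of alerts removed by merging them into meta alerts."""
    return 100.0 * (input_alerts - meta_alerts) / input_alerts

# DoS ideal interesting alerts: 16 input alerts collapse into 3 meta
# alerts (one each for source address, target address and attack id).
rate = reduction_rate(16, 3)  # 81.25, reported as 81.2 in Table 9
```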
Table 11
Maximum processing time (s).

Alert stage
Alert pre-processing   0.012  0.014
Alert verification     0.033  0.035
Alert classification   0.004  0.005
Alert correlation      0.192  0.199
Maximum total          0.241 s (via Alert-EVA data verifier) and 0.204 s (successful alert correlated via Alert-Meta alert history correlator); 0.253 s (via Alert-EVA data verifier) and 0.213 s (successful alert correlated via Alert-Meta alert history correlator)
introduce noticeable delays, and the analysts are able to react early
enough to different attacks. The speed can be further improved by
implementing better searching algorithms and representations of the
meta alerts (in the meta alert history) and vulnerabilities (in EVA
data).
4.7. Comparison with existing methods
The proposed approach offers superior performance. It improves the quality of alerts as well as reduces the redundant and
isolated alerts generated by a wide range of attacks. The proposed solution helps the analysts when evaluating and making
the right decision about the final alerts. In terms of configuration,
this approach is very efficient and easy to use. It can be applied to
other signature based IDSs without configuring their default signatures. EVA data has to be updated with the attack reference details
of those IDS products. However, our approach experienced some
challenges that affected the performance. Generally, it is difficult to
measure the confidence of IDS sensors because a sensor may have
different confidence values in different network environments. The
experiment revealed that sensors with high confidence produced
reliable alerts unlike sensors with low confidence when placed in
the same environment. It is important to review the parameters
(such as false alert rate) and the sensor score thresholds in order
to fit in different environments. Other shortcomings that need to
be addressed in future are described in the conclusion section.
The proposed approach is compared with Hubballi's approach [2] as shown in Table 12. Both approaches use vulnerability data to validate alerts in order to improve the quality of alerts.
Our approach is complementary to Ref. [2] in that it not only improves
the quality of alerts but also reduces unnecessary alerts. In fact,
reducing redundant and isolated alerts (unnecessary alerts) is the
major focus of our work. The unnecessary alerts in this case refer
to redundant ideal interesting and partial interesting alerts.
We computed the comparison rates (such as reduction
rates, precision and detection rates) using the functions already
discussed earlier in this section. The proposed approach has the
best reduction rates in terms of false positives, redundant ideal
interesting alerts and redundant partial interesting alerts. This is
because our system has 11 dedicated sub correlators for each group
of attack that are well configured to reduce the redundant and
isolated alerts.
In addition, the precision and detection rates of the proposed
approach were slightly lower than those of Ref. [2] because we used sensors
of different versions (2.0, 2.4, 2.6, 2.9). In fact, the proposed system
works well in environments using different versions of IDS sensors.
This is explained by the fact that we included the attack details
of the attacks used in the test bed into EVA data to serve a
complementary role when alerts are being verified. Therefore, the
proposed approach is reliable because sensors of different source
confidence have little impact on the precision. Our work has
other additional features: alerts are prioritised according to their
interestingness, and the final alerts indicate attack dimensions,
hence assisting the analysts to manage alerts more effectively.
Table 12
Comparison of the proposed approach with Ref. [2].

                                                            Our approach  Ref. [2]
Technique
Initial alerts (input)
Reduction rate of false positives (%)
Reduction rate of redundant ideal interesting alerts (%)
Reduction rate of redundant partial interesting alerts (%)
Precision (%)                                               97
Detection rate (%)                                          95.4
5. Conclusion
This paper proposes a comprehensive approach to address
the shortcomings of the vulnerability based alert management
approaches. It is noted that the act of validating
alerts may not guarantee final alerts of high quality. For
example, the validated alerts may contain a massive number of
redundant and isolated alerts. Therefore, the analysts who review
the validated alerts are likely to take longer to understand
the complete security incident because it would involve evaluating
each redundant alert. We have proposed a fast and efficient
approach that improves the quality of alerts as well as reduces
the volumes of redundant alerts generated by signature based
IDSs. In summary, our approach has several components that are
presented in three stages: Stage 1 involves alert pre-processing,
correlation of alerts against the meta alert history and verification
of alerts against EVA data; Stage 2 involves classification of alerts
based on their alert metrics; and Stage 3 involves correlation of
alerts in order to reduce the redundant and isolated alerts as
well as discover the causal relationships in alerts. We conducted
experiments to demonstrate the effectiveness of the proposed
approach by processing alerts from five different classes of attacks.
We recorded impressive results in alert reduction rates as well as
precision rates while closely maintaining the detection rate of IDS.
As part of our future work, we are planning to address the
following shortcomings. The way IDS products and vulnerabilities
reference each other does not allow efficient correlation of alerts
with their corresponding vulnerabilities. We designed a mapping
facility that maps attack reference details into EVA data, but it is
not as flexible and scalable as we wanted. However, this is the first
step towards realising our desired goal of an automated
facility that maps attack details into EVA data. In addition, we have
tried to address the issue of unknown attacks and vulnerabilities
in our study; however, this concept needs to be explored further. A better
mechanism to explore relationships among meta alerts, in order to
gain a deeper understanding of different classes of attacks,
also needs to be studied. Finally, we plan to use the meta alert history
to modify and tune the IDS signatures in order to further improve
the future quality of alerts.
Acknowledgments
This work is partially supported by Hunan University. We
are grateful to the anonymous reviewers for their thoughtful
comments and suggestions to improve this paper.
References
[1] C. Thomas, N. Balakrishnan, Improvement in intrusion detection with
advances in sensor fusion, IEEE Transactions on Information Forensics and
Security 4 (3) (2009) 542–550.
[2] N. Hubballi, S. Biswas, S. Nandi, Network specific false alarm reduction in
intrusion detection system, Security and Communication Networks 4 (11)
(2011) 1339–1349. John Wiley and Sons.
[3] T. Pietraszek, Using adaptive alert classification to reduce false positives
in intrusion detection, in: Proceedings of the Symposium on
Recent Advances in Intrusion Detection, RAID'04, vol. 3324, Springer, France, 2004,
pp. 102–124.
[51] WEKA.
http://weka.sourceforge.net/doc.packages/fuzzyUnorderedRuleInduction/.
[52] GFI Languard. www.gfi.com.
[53] Nessus. www.nessus.org.