
A Simple Method for Improving Intrusion Detections in Corporate Networks

  • Conference paper
Information Security and Digital Forensics (ISDF 2009)

Abstract

Redundant alerts are a fundamental flaw of all intrusion detection systems. Stealthy attackers frequently exploit them to conceal network attacks, because it is fundamentally difficult to discern false alerts from true positives in a massive dataset. Consequently, attacks concealed in massive datasets often go undetected, and both the jobs of system administrators and the return on investment in network intrusion detectors are put at risk. This paper therefore presents a clustering method that we designed to lessen these problems. We evaluated the method broadly on six datasets comprising synthetic and realistic attacks. The alerts of each dataset were clustered into equivalent and unique alerts, and a single cluster of unique alerts was then synthesized from the per-dataset results. The results indicate how system administrators could achieve a substantial reduction of redundant alerts in corporate networks.
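As an added illustration (not code from the paper), the clustering the abstract describes can be sketched as: group each dataset's alerts into clusters of equivalent alerts, keep one representative per cluster as that dataset's unique alerts, then merge the per-dataset unique alerts into one synthesized cluster and measure the reduction. The Snort-style alerts, the field names and the equivalence key (signature, source, destination, destination port) are constructed assumptions, not the paper's data or criteria.

```python
from collections import defaultdict
# Constructed Snort-style alerts standing in for two datasets (assumed fields, not the paper's data).
DATASET_A = [
    {"sig": "ICMP PING NMAP", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 0, "ts": 100},
    {"sig": "ICMP PING NMAP", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 0, "ts": 101},
    {"sig": "ICMP PING NMAP", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 0, "ts": 102},
    {"sig": "WEB-IIS cmd.exe access", "src": "10.0.0.7", "dst": "10.0.0.30", "dport": 80, "ts": 150},
]
DATASET_B = [
    {"sig": "ICMP PING NMAP", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 0, "ts": 900},
    {"sig": "SCAN SYN FIN", "src": "10.0.0.9", "dst": "10.0.0.30", "dport": 22, "ts": 950},
    {"sig": "SCAN SYN FIN", "src": "10.0.0.9", "dst": "10.0.0.30", "dport": 22, "ts": 951},
]

def equivalence_key(alert):
    """Assumed criterion for 'equivalent' alerts: same signature, source, destination and port."""
    return (alert["sig"], alert["src"], alert["dst"], alert["dport"])

def cluster_alerts(alerts):
    """Partition one dataset into clusters of equivalent alerts (key -> member alerts)."""
    clusters = defaultdict(list)
    for alert in alerts:
        clusters[equivalence_key(alert)].append(alert)
    return clusters

def unique_alerts(alerts):
    """One representative per cluster: the earliest alert, annotated with how many it stands for."""
    reps = []
    for members in cluster_alerts(alerts).values():
        first = min(members, key=lambda a: a["ts"])
        reps.append({**first, "count": len(members)})
    return reps

def synthesize(per_dataset_unique):
    """Merge per-dataset unique alerts into one cluster, summing counts for keys shared across datasets."""
    merged = {}
    for reps in per_dataset_unique:
        for rep in reps:
            key = equivalence_key(rep)
            if key in merged:
                merged[key]["count"] += rep["count"]
            else:
                merged[key] = dict(rep)
    return list(merged.values())

def redundancy_reduction(datasets):
    """Return (raw alert count, unique alert count, fraction of alerts removed as redundant)."""
    unique = synthesize([unique_alerts(ds) for ds in datasets])
    raw = sum(len(ds) for ds in datasets)
    return raw, len(unique), 1 - len(unique) / raw
```

Each representative keeps its count, so an administrator still sees that the three NMAP pings in one dataset and the one in the other are a single repeated event rather than losing that information with the duplicates.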



© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

Cite this paper

Nehinbe, J.O. (2010). A Simple Method for Improving Intrusion Detections in Corporate Networks. In: Weerasinghe, D. (eds) Information Security and Digital Forensics. ISDF 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 41. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11530-1_13


  • DOI: https://doi.org/10.1007/978-3-642-11530-1_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-11529-5

  • Online ISBN: 978-3-642-11530-1
