
A Bio-inspired Comprehensive Distributed Correlation Approach for Intrusion Detection Alerts and Events

Chapter in: Bio-inspiring Cyber Security and Cloud Services: Trends and Innovations

Part of the book series: Intelligent Systems Reference Library (ISRL, volume 70)

Abstract

In a complex network with intrusion detection and logging, a huge number of alerts and logs are generated to report the status of the network, servers, systems, and applications running on it. The administrators are required to analyze these pieces of information to build an overview of the network, hacking attempts, and vulnerable points within the network. Unfortunately, with an enormous number of alerts and recorded events that grows as the network grows, this task is almost impossible without an analysis and reporting model. Alert and event correlation is a process in which the alerts produced by one or more intrusion detection systems, and the events generated by different systems and security tools, are analyzed and correlated to provide a more succinct and high-level view of occurring or attempted intrusions and attacks. While the existing correlation techniques improve intrusion detection results and reduce the huge number of alerts to a summarized report, they still have some drawbacks. This article presents a modular framework for a Distributed Agent Correlation Model (DACM) for intrusion detection alerts and events in computer networks. The framework supports the integration of multiple correlation techniques. It introduces a multi-agent distributed model in a hierarchical organization; it correlates alerts from the IDS with attack signatures from information security tools and with system or application log files as other sources of information. The agent model is inspired by the bio-distribution of cooperating members of a society working towards a common goal. Each local agent aggregates/correlates events from its own source according to a specific pattern matching. Correlation between multiple sources of information, and the integration of these correlation agents, together form a complete integrated correlation system that reduces both false negative and false positive alerts, enhancing intrusion detection accuracy and completeness. The model has been implemented and tested using a set of datasets. The proposed agent models and algorithms have been implemented, analyzed, and evaluated to measure detection and correlation rates and the reduction rate of false positive and false negative alerts. The results showed that DACM enhances both the accuracy and completeness of intrusion detection by reducing both false positive and false negative alerts; it also enhances the early detection of new threats.
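As an added illustration of the hierarchical agent organization the abstract describes (this is not code from the chapter or from the DACM implementation): a local IDS agent folds repeated alerts by pattern, a local log agent filters its own source, and an upper-level agent correlates their outputs with vulnerability-scan data, lowering priority for alerts against hosts that are not exposed and surfacing log events the IDS missed. All inputs, field names and priority weights are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inputs (not from the chapter), one set per information source.
IDS_ALERTS = [  # (time, src, dst, signature) as a Snort-style sensor would emit
    (100, "10.0.0.5", "10.0.0.20", "ssh-bruteforce"),
    (105, "10.0.0.5", "10.0.0.20", "ssh-bruteforce"),
    (110, "10.0.0.5", "10.0.0.20", "ssh-bruteforce"),
    (200, "10.0.0.9", "10.0.0.30", "smb-exploit"),
]
VULN_SCAN = {"10.0.0.20": {"ssh-bruteforce"}}  # host -> signatures a scanner reports it exposed to
AUTH_LOG = [  # (time, host, peer, message) from the hosts' sshd logs
    (112, "10.0.0.20", "10.0.0.5", "sshd: Accepted password for root"),
    (300, "10.0.0.40", "10.0.0.7", "sshd: Accepted password for admin"),
]

def ids_agent(alerts):
    """Local agent for the IDS source: fold repeated (src, dst, sig) alerts into one event."""
    groups = defaultdict(list)
    for t, src, dst, sig in alerts:
        groups[(src, dst, sig)].append(t)
    return [{"src": s, "dst": d, "sig": g, "count": len(ts), "t": min(ts)}
            for (s, d, g), ts in groups.items()]

def log_agent(lines, pattern="Accepted password"):
    """Local agent for the log source: keep only lines matching this agent's pattern."""
    return [{"host": h, "peer": p, "t": t} for t, h, p, msg in lines if pattern in msg]

def central_agent(ids_events, log_events, vuln):
    """Upper-level agent: correlate the local agents' outputs across sources.
    Priority is low when the target is not vulnerable to the signature (false-positive
    reduction) and rises when a later log event from the same pair corroborates the alert;
    log events with no matching alert are reported on their own (false-negative reduction)."""
    report, used = [], set()
    for e in ids_events:
        prio = 2 if e["sig"] in vuln.get(e["dst"], set()) else 0
        for i, l in enumerate(log_events):
            if l["host"] == e["dst"] and l["peer"] == e["src"] and l["t"] >= e["t"]:
                prio += 2
                used.add(i)
        report.append({**e, "priority": prio})
    for i, l in enumerate(log_events):
        if i not in used:  # login seen by a host log but never alerted on by the IDS
            report.append({"src": l["peer"], "dst": l["host"], "sig": "log-only",
                           "count": 1, "t": l["t"], "priority": 1})
    return sorted(report, key=lambda r: -r["priority"])

if __name__ == "__main__":
    for r in central_agent(ids_agent(IDS_ALERTS), log_agent(AUTH_LOG), VULN_SCAN):
        print(r)
```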



Acknowledgments

I would like to thank the Center for Education and Research of Information Assurance and Security (CERIAS), Purdue University, USA. I appreciate the valuable support of the CERIAS executive director Prof Eugene Spafford, the generous effort of his staff, especially Information Assurance Research Engineer Keith Watson, for their cooperation during the scholar visit to the Center. They provided great resources to capture and collect the data needed for this work.


Corresponding author: Ayman M. Bahaa-Eldin.


Copyright information

© 2014 Springer-Verlag Berlin Heidelberg


Cite this chapter

Bahaa-Eldin, A. (2014). A Bio-inspired Comprehensive Distributed Correlation Approach for Intrusion Detection Alerts and Events. In: Hassanien, A., Kim, TH., Kacprzyk, J., Awad, A. (eds) Bio-inspiring Cyber Security and Cloud Services: Trends and Innovations. Intelligent Systems Reference Library, vol 70. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43616-5_1


  • DOI: https://doi.org/10.1007/978-3-662-43616-5_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-43615-8

  • Online ISBN: 978-3-662-43616-5

  • eBook Packages: Engineering (R0)
