Deakin Research Online
Deakin University’s institutional research repository
This is the published version ( version of record) of:
Wen, Sheng, Xiang, Yang and Zhou, Wanlei 2010, A lightweight intrusion alert fusion
system, in HPCC 2010 : Proceedings of the 12th IEEE International Conference on High
Performance Computing and Communications, IEEE, Piscataway, N.J., pp. 695-700.
©2010 IEEE. Personal use of this material is permitted. However, permission to
reprint/republish this material for advertising or promotional purposes or for creating
new collective works for resale or redistribution to servers or lists, or to reuse any
copyrighted component of this work in other works must be obtained from the IEEE.
Copyright : 2010, IEEE
ports and change the speed of packet emission. The Snort instance in
the honey-pot emitted a large number of alerts with different source
ports. We calibrated our design so that such cases no longer
occurred. Table IV shows the results after calibration.
The fusion rate reached more than 90% after range 2, which
is consistent with the results on the classical datasets. This demonstrates the value
of the cache-based mechanism from another point of view.
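As an added illustration of the calibration described above (example code, not the paper's own implementation): it runs constructed Snort-style alerts through a small LRU cache under two fusion keys, the uncalibrated one that includes the source port and a target-oriented one that ignores it, and reports the resulting fusion rate. The field names, the cache size and the fusion-rate definition (fused alerts divided by alerts received) are assumptions of the example.

```python
from collections import OrderedDict

# Constructed sample alerts (not from the paper): one source scanning a web
# port from many ephemeral source ports, plus two SSH alerts that differ only
# in source port. This is the pattern that broke the uncalibrated fusion.
SAMPLE_ALERTS = [
    {"sig": 1000, "src": "10.0.0.5", "sport": 40000 + i, "dst": "192.0.2.10", "dport": 80}
    for i in range(20)
] + [
    {"sig": 2000, "src": "10.0.0.7", "sport": 53100, "dst": "192.0.2.10", "dport": 22},
    {"sig": 2000, "src": "10.0.0.7", "sport": 53101, "dst": "192.0.2.10", "dport": 22},
]

def key_with_sport(alert):
    """Uncalibrated key: every new source port looks like a new alert."""
    return (alert["sig"], alert["src"], alert["sport"], alert["dst"], alert["dport"])

def key_target_oriented(alert):
    """Target-oriented key: fuse on signature and target only."""
    return (alert["sig"], alert["dst"], alert["dport"])

def fuse(alerts, key_fn, cache_size=256):
    """Run alerts through an LRU cache and return (fused, emitted) counts.

    An alert whose key is cached is fused into that entry (count bumped);
    otherwise a new fused alert is emitted and cached, evicting the least
    recently used entry when the cache is full.
    """
    cache = OrderedDict()
    fused = emitted = 0
    for alert in alerts:
        key = key_fn(alert)
        if key in cache:
            cache.move_to_end(key)
            cache[key] += 1
            fused += 1
        else:
            if len(cache) >= cache_size:
                cache.popitem(last=False)
            cache[key] = 1
            emitted += 1
    return fused, emitted

def fusion_rate(alerts, key_fn, cache_size=256):
    """Fraction of incoming alerts absorbed by fusion (0.0 .. 1.0)."""
    fused, _ = fuse(alerts, key_fn, cache_size)
    return fused / len(alerts) if alerts else 0.0
```

On the constructed stream the source-port key fuses nothing (rate 0.0), while the target-oriented key fuses 20 of the 22 alerts (rate about 0.91), which is the same order as the post-calibration rates reported in Table IV.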
C. For Deployment
We estimated the maximum number of IDSs that a deployment could
support. Taking our PCs as an example, we recorded the
fusion durations and the numbers of alerts. The speed of
alert fusion was then evaluated at roughly 40,000
pieces/second. We adopted 103 pieces/second per IDS as a round
figure for the evaluation. This meant that one PC could handle the alerts emitted
by 400 IDSs in the traditional centralized architecture. With the
cache mechanism applied, it could process ten times more,
i.e., 4000 IDSs. We note that this evaluation was
based on empirical computation and did not take other
parameters into consideration.
In this paper, we have presented several designs from our
alert fusion and correlation project. Our aim
was to implement a survivable, inescapable and deployable
system. With the introduction of a cache-based mechanism
and a target-oriented fusion policy, our system attained
significant improvements toward this goal.
COMPARISON OF FUSION DURATIONS (SECOND)
Datasets compared: Defcon 8, MIT 98 Test part, Defcon 10, Orange, MIT 99 Test part.
Gray Area: traditional centralized fusion scheme.
White Area: CAFS.
NOA: number of alerts.
Rate: the decrease percentage of fusion durations.
Only three rows of duration values survived extraction, with their column assignment lost:
813.116 707.056 68.808 / 822.926 713.374 69.009 / 817.045 705.166 68.782.
CALIBRATION OF ALERT FUSION ON THE AUSTRALIAN HONEY-POT
Range:        1       2       3       4       5       6       7       8       9       10
Fusion rate:  75.73%  90.39%  92.97%  93.69%  94.22%  94.49%  94.73%  94.75%  95.00%  95.00%