Conference Paper

A Lightweight Intrusion Alert Fusion System

Sch. of Inf. Sci. & Eng., Central South Univ., Changsha, China
DOI: 10.1109/HPCC.2010.120 Conference: 12th IEEE International Conference on High Performance Computing and Communications, HPCC 2010, 1-3 September 2010, Melbourne, Australia
Source: DBLP


In this paper, we present some practical experience on implementing an alert fusion mechanism from our project. After investigation on most of the existing alert fusion systems, we found the current body of work alternatively weighed down in the mire of insecure design or rarely deployed because of their complexity. As confirmed by our experimental analysis, unsuitable mechanisms could easily be submerged by an abundance of useless alerts. Even with the use of methods that achieve a high fusion rate and low false positives, attack is also possible. To find the solution, we carried out analysis on a series of alerts generated by well-known datasets as well as realistic alerts from the Australian Honey-Pot. One important finding is that one alert has more than an 85% chance of being fused in the following 5 alerts. Of particular importance is our design of a novel lightweight Cache-based Alert Fusion Scheme, called CAFS. CAFS has the capacity to not only reduce the quantity of useless alerts generated by IDS (Intrusion Detection System), but also enhance the accuracy of alerts, therefore greatly reducing the cost of fusion processing. We also present reasonable and practical specifications for the target-oriented fusion policy that provides a quality guarantee on alert fusion, and as a result seamlessly satisfies the process of successive correlation. Our experimental results showed that the CAFS easily attained the desired level of survivable, inescapable alert fusion design. Furthermore, as a lightweight scheme, CAFS can easily be deployed and excel in a large amount of alert fusions, which go towards improving the usability of system resources. To the best of our knowledge, our work is a novel exploration in addressing these problems from a survivable, inescapable and deployable point of view.

  • Source
    • "Second, a node that suffers from a calibration error may continuously produce unusually large or small constant measurements. In the physical layer, a deceptive jammer may transmit a random signal or constant stream of bytes into the network [6], [7] in which case a long-term abnormal pattern will occur in the network traffic of every jammed node. However, existing anomaly detection techniques, as detailed in Section 2, usually operate in a point-based manner that handles each observation individually. "
    [Show abstract] [Hide abstract]
    ABSTRACT: In wireless sensor networks (WSNs), it has been observed that most abnormal events persist over a considerable period of time instead of being transient. As existing anomaly detection techniques usually operate in a point-based manner that handles each observation individually, they are unable to reliably and efficiently report such long-term anomalies appeared in an individual sensor node. Therefore, in this paper, we focus on a new technique for handling data in a segment-based manner. Considering a collection of neighbouring data segments as random variables, we determine those behaving abnormally by exploiting their spatial predictabilities and, motivated by spatial analysis, specifically investigate how to implement a prediction variance detector in a WSN. As the communication cost incurred in aggregating a covariance matrix is finally optimised using the Spearman's rank correlation coefficient and differential compression, the proposed scheme is able to efficiently detect a wide range of long-term anomalies. In theory, comparing to the regular centralised approach, it can reduce the communication cost by approximately 80 percent. Moreover, its effectiveness is demonstrated by the numerical experiments, with a real world data set collected by the Intel Berkeley Research Lab (IBRL).
    Full-text · Article · Feb 2015 · IEEE Transactions on Parallel and Distributed Systems
  • Source
    • "4. The alerts nearby more likely to be caused by different network intrusion behaviors. Yang, et al. [6] proposed 2012 IEEE 26th International Parallel and Distributed Processing Symposium Workshops 978-0-7695-4676-6/12 $26.00 © 2012 IEEE DOI 10.1109/IPDPSW.2012.146 1191 2012 IEEE "
    [Show abstract] [Hide abstract]
    ABSTRACT: There is a big difference between the IDS alerts from the network backbone and those from the lab. But there is little work has been done to mine attack models in IDS alerts from the network backbone. The contributions of this paper are three-fold. First, we propose an alert reduction method based on statistical redundancy (RMSR) to reduce the alert redundancy. Second, we propose a two-stage clustering algorithm to analyze the spatial and temporal relation of the network intrusion behaviors' alert sequence. Third, we propose a novel approach, Loose Longest Common Subsequence (LLCS), to extract the attack models of network intrusion behaviors. The experiment result shows that the reduction approach reduces the IDS alerts redundancy efficiently, and the attack models generated have a strong logical relation.
    Full-text · Conference Paper · May 2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: In this paper we propose a new approach to manage alerts flooding in IDSs. The proposed approach uses semantic analysis and ontology engineering techniques to combine and fuse two or more raw IDS alerts into one summarized hybrid/meta-alert. Our approach applies a new method based on measuring the semantic similarity between IDS alerts attributes to identify the alerts that are suitable for aggregation and summarization. In contrast to previous works our approach ensures that the aggregated alerts will not lose any valuable information existing in the raw alerts set. The experimental results show that our approach is effective and efficient in fusing massive number of alerts compared to previous works in the area.
    No preview · Conference Paper · Dec 2011
Show more