HANDLING IDS’ RELIABILITY IN ALERT CORRELATION - A Bayesian Network-based Model for Handling IDS’s Reliability and Controlling Prediction/False Alarm Rate Tradeoffs

Karim Tabia, Philippe Leray

2010

Abstract

Probabilistic graphical models are very efficient modeling and reasoning tools. In this paper, we propose an efficient and novel Bayesian network model for a major problem in alert correlation, which plays a crucial role in today's computer security. Indeed, the use of multiple intrusion detection systems (IDSs) and complementary approaches is fundamental to improving overall detection rates. This, however, inevitably raises huge amounts of alerts, most of which are redundant or false alarms, making the manual analysis of all the triggered alerts intractable. In this paper, we first propose a Bayesian network-based model that handles the reliability of IDSs when predicting severe attacks by correlating the alerts reported by the IDSs monitoring the network. Then we propose a flexible and efficient approach especially designed to limit false alarm rates by controlling the confidence of the prediction model. Finally, we provide experimental studies carried out on a real and representative alert corpus, showing significant improvements in the tradeoff between the prediction rates and the corresponding false alarm rates.
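The two ideas in the abstract (correlating alerts from IDSs of unequal reliability in a Bayesian network, then trading prediction rate against false alarms by thresholding the model's confidence) can be illustrated with a small naive Bayes network and a reject option. This is an added example, not the paper's model or code; the per-IDS reliabilities, the attack prior and the labelled alert corpus are constructed values.

```python
# Constructed IDS reliability parameters (assumed for this example, not the paper's values):
# per sensor, P(alert | severe attack) as "tpr" and P(alert | no attack) as "fpr".
IDS_RELIABILITY = {
    "ids_a": {"tpr": 0.90, "fpr": 0.10},
    "ids_b": {"tpr": 0.60, "fpr": 0.02},  # conservative sensor, few false alarms
    "ids_c": {"tpr": 0.95, "fpr": 0.30},  # noisy sensor, fires on much benign traffic
}
PRIOR_ATTACK = 0.05  # assumed base rate of severe attacks

def posterior_attack(alerts, reliability=IDS_RELIABILITY, prior=PRIOR_ATTACK):
    """P(attack | alert pattern) in a naive Bayes network: attack node -> one alert node per IDS.
    `alerts` maps an IDS name to True when that IDS raised an alert for the event."""
    like_attack, like_benign = prior, 1.0 - prior
    for ids, r in reliability.items():
        fired = alerts.get(ids, False)
        like_attack *= r["tpr"] if fired else 1.0 - r["tpr"]
        like_benign *= r["fpr"] if fired else 1.0 - r["fpr"]
    return like_attack / (like_attack + like_benign)

def decide(alerts, threshold):
    """Reject option: commit to 'attack' or 'benign' only when the model's confidence
    reaches `threshold`; low-confidence events are rejected and left for manual review."""
    p = posterior_attack(alerts)
    if p >= threshold:
        return "attack"
    if 1.0 - p >= threshold:
        return "benign"
    return "reject"

def evaluate(corpus, threshold):
    """Return (prediction rate on severe attacks, false alarm rate on benign events)."""
    attacks = [a for a, is_attack in corpus if is_attack]
    benign = [a for a, is_attack in corpus if not is_attack]
    tp = sum(decide(a, threshold) == "attack" for a in attacks)
    fa = sum(decide(a, threshold) == "attack" for a in benign)
    return tp / len(attacks), fa / len(benign)

# Constructed labelled corpus: (alerts raised per IDS, is_severe_attack).
A, B, C = "ids_a", "ids_b", "ids_c"
CORPUS = [
    ({A: True, B: True, C: True}, True), ({A: True, B: True, C: True}, True),
    ({A: True, C: True}, True), ({A: True, B: True}, True),
    ({C: True}, False), ({C: True}, False), ({A: True}, False),
    ({A: True, C: True}, False), ({A: True, B: True}, False),
]

if __name__ == "__main__":
    for t in (0.5, 0.7, 0.9, 0.99):  # sweep the confidence threshold
        rate, far = evaluate(CORPUS, t)
        print(f"threshold={t:.2f}  prediction_rate={rate:.2f}  false_alarm_rate={far:.2f}")
```

Sweeping the threshold shows the tradeoff the abstract describes: at 0.5 the model flags three of the four attacks but also one benign event, while at 0.7 it flags only the two events every sensor agreed on and rejects the ambiguous ones, giving a zero false alarm rate at the cost of prediction rate.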

Paper Citation


in Harvard Style

Tabia K. and Leray P. (2010). HANDLING IDS’ RELIABILITY IN ALERT CORRELATION - A Bayesian Network-based Model for Handling IDS’s Reliability and Controlling Prediction/False Alarm Rate Tradeoffs. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010), ISBN 978-989-8425-18-8, pages 14-24. DOI: 10.5220/0002949800140024


in Bibtex Style

@conference{secrypt10,
author={Karim Tabia and Philippe Leray},
title={HANDLING IDS’ RELIABILITY IN ALERT CORRELATION - A Bayesian Network-based Model for Handling IDS’s Reliability and Controlling Prediction/False Alarm Rate Tradeoffs},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},
year={2010},
pages={14-24},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002949800140024},
isbn={978-989-8425-18-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
TI - HANDLING IDS’ RELIABILITY IN ALERT CORRELATION - A Bayesian Network-based Model for Handling IDS’s Reliability and Controlling Prediction/False Alarm Rate Tradeoffs
SN - 978-989-8425-18-8
AU - Tabia K.
AU - Leray P.
PY - 2010
SP - 14
EP - 24
DO - 10.5220/0002949800140024