1Department of Computer Science and Biomedical Informatics, University of Central Greece, 2-4 Papasiopoulou St., Lamia, GR-35100, Greece, e-mail: gspathoulas@ucg.gr 2Department of Digital Systems, School of Information and Communication, University of Piraeus, 150 Androutsou St., Piraeus, GR-18532, Greece, e-mail: gspathoulas@unipi.gr 3Department of Digital Systems, School of Information and Communication, University of Piraeus

Abstract

Methods for post-processing of alerts in intrusion detection: A survey

Abstract

Intrusion detection is an important protection tool for computer systems and networks. In recent years it has become an essential piece in the IT security infrastructure of large organizations. Even though intrusion detection systems are installed in an increasing rate, they are often misused as the quality of alerts they produce is not satisfactory. High alert volume, high false positives rate and low level of information are the main reasons that security analysts cannot take full advantage of intrusion detection alert-sets. The aim of this survey is to summarize intrusion detection alerts' post-processing research, which is categorized in false positives reduction, alerts' correlation and visualisation. The most important efforts in the field are analyzed, while all recent methods are presented. Finally the present and the future of alerts post-processing research field is discussed.

Keywords

• —Intrusion detection
• alerts
• post-processing
• false positives reduction
• correlation
• visualization

References

1. A. Valdes and K. Skinner, “Probabilistic alert correlation,” in Recent Advances in Intrusion Detection (RAID 2001), ser. Lecture Notes in Computer Science, no. 2212. Springer-Verlag, 2001.
2. H. Ren, N. Stakhanova, and A. Ghorbani, “An online adaptive approach to alert correlation,” in Detection of Intrusions and Malware, and Vulnerability Assessment, ser. Lecture Notes in Computer Science, C. Kreibich and M. Jahnke, Eds. Berlin Heidelberg, 2010, vol. 6201, pp. 153–172. Springer
3. K. Julisch, “Clustering intrusion detection alarms to support root cause analysis,” ACM Trans. Inf. Syst. Secur., vol. 6, no. 4, pp. 443–471, Nov. 2003.
4. S. Lee, B. Chung, H. Kim, Y. Lee, C. Park, and H. Yoon, “Real-time analysis of intrusion detection alerts via correlation,” Computers & Security, vol. 25, no. 3, pp. 169 – 183, 2006.
5. H. Debar and A. Wespi, “Aggregation and correlation of intrusion-detection alerts,” in Proceedings of the 4th Interna- tional Symposium on Recent Advances in Intrusion Detection, ser. RAID ’00, 2001, pp. 85–103.
6. P. Ning, Y. Cui, and D. S. Reeves, “Constructing attack sce- narios through correlation of intrusion alerts,” in Proceedings of the 9th ACM conference on Computer and communications security, ser. CCS ’02.
7. ACM, 2002, pp. 245–254.
8. X. Qin and W. Lee, “Attack plan recognition and prediction using causal networks,” in Computer Security Applications Conference, 2004. 20th Annual, 2004, pp. 370–379.

9. S. J. Yang, A. Stotz, J. Holsopple, M. Sudit, and M. Kuhl, “High level information fusion for tracking and projection of multistage cyber attacks,” Information Fusion, vol. 10, no. 1, pp. 107 – 121, 2009.
10. P. Liu, W. Zang, and M. Yu, “Incentive-based modeling and inference of attacker intent, objectives, and strategies,” ACM Trans. Inf. Syst. Secur., vol. 8, no. 1, pp. 78–118, Feb. 2005.
11. F. Valeur, G. Vigna, C. Kruegel, and R. A. Kemmerer, “A com- prehensive approach to intrusion detection alert correlation,” IEEE Transactions on Dependable and Secure Computing, vol. 1, pp. 146–169, 2004.
12. J. O. Nehinbe, “Automated method for reducing false positives,” in Intelligent Systems, Modelling and Simulation (ISMS), 2010 International Conference on, January 2010, pp. 54–59.
13. ——, “Concurrent reduction of false positives and redundant alerts,” in Information Society (i-Society), 2010 International Conference on, June 2010, pp. 318–323.
14. G. Victor, M. Rao, and V. Venkaiah, “A bayesian classification on asset vulnerability for real time reduction of false positives in ids,” International Journal of Network Security and Its Applications (IJNSA), vol. 4, no. 2, pp. 63–73, March 2012.
15. H.-S. Lin, H.-K. Pao, C.-H. Mao, H.-M. Lee, T. Chen, and Y.-J. Lee, “Adaptive alarm filtering by causal correlation considera- tion in intrusion detection,” in New Advances in Intelligent De- cision Technologies, ser. Studies in Computational Intelligence. Springer Berlin Heidelberg, 2009, vol. 199, pp. 437–447.
16. A. Thomas, “Rapid: Reputation based approach for improving intrusion detection effectiveness,” in Information Assurance and Security (IAS), 2010 Sixth International Conference on, August 2010, pp. 118 –124.
17. G. P. Spathoulas and S. K. Katsikas, “Reducing false positives in intrusion detection systems,” Computers & Security, vol. 29, no. 1, pp. 35 – 44, 2010.
18. Y. Meng and L.-f. Kwok, “Adaptive false alarm filter using machine learning in intrusion detection,” in Practical Applica- tions of Intelligent Systems, ser. Advances in Intelligent and Soft Computing. 573–584.
19. S. Khanchi and F. Adibnia, “False alert reduction on network- based intrusion detection systems by means of feature frequen- cies,” in Advances in Computing, Control, Telecommunication Technologies, 2009. ACT ’09. International Conference on, December 2009, pp. 513 –516.
20. J. Treinen and R. Thurimella, “Finding the needle: Suppression of false alarms in large intrusion detection data sets,” in Compu- tational Science and Engineering, 2009. CSE ’09. International Conference on, vol. 2, August 2009, pp. 237 –244.
21. S. O. Al-Mamory and H. Zhang, “Intrusion detection alarms reduction using root cause analysis and clustering,” Computer Communications, vol. 32, no. 2, pp. 419 – 430, 2009.
22. T. Alapaholuoma and J. Nieminen, “A behavior-based method for rationalizing the amount of ids alert data,” ICCGI 2012, The Seventh International Multi-Conference on Computing in the Global Information Technology, June 2012.
23. S. Kim, W. Cheng, S. Guo, L. Luan, D. Rosu, and A. Bose, “Polygraph: system for dynamic reduction of false alerts in large-scale it service delivery environments,” in Proceedings of the 2011 USENIX conference on USENIX annual technical conference, ser. USENIXATC’11. USENIX Association, 2011.
24. F. Maggi, M. Matteucci, and S. Zanero, “Reducing false pos- itives in anomaly detectors through fuzzy alert aggregation,” Information Fusion, vol. 10, no. 4, pp. 300–311, October 2009.
25. G. P. Spathoulas and S. K. Katsikas, “Using a fuzzy inference system to reduce false positives in intrusion detection,” in Systems, Signals and Image Processing, 2009. IWSSIP 2009. 16th International Conference on.
26. IEEE, 2009, pp. 1–4.
27. N. Hubballi, S. Biswas, and S. Nandi, “Network specific false alarm reduction in intrusion detection system,” Security and Communication Networks, vol. 4, no. 11, pp. 1339–1349, November 2011.
28. A. Mohamed, N. Idris, and B. Shanmugum, “Alert correlation using a novel clustering approach,” in Communication Systems and Network Technologies (CSNT), 2012 International Confer- ence on, May 2012, pp. 720 –725.
29. D. Man, W. Yang, W. Wang, and S. Xuan, “An alert aggre- gation algorithm based on iterative self-organization,” Procedia Engineering, vol. 29, no. 0, pp. 3033 – 3038, 2012.
30. A. Kumar, A. Vivekanand, K. Kavitha, M. Gracevennice, and T. Manohar, “Data stream intrusion alert aggregation for genera- tive data stream modelling,” International Journal of Advanced Research in Computer Engineering & Technology(IJARCET), vol. 1, no. 7, 2012.
31. G. C. Tjhai, S. M. Furnell, M. Papadaki, and N. L. Clarke, “A preliminary two-stage alarm correlation and filtering system using som neural network and k-means algorithm,” Computers & Security, vol. 29, no. 6, pp. 712 – 723, 2010.
32. R. Vaarandi and K. Podins, “Network ids alert classification with frequent itemset mining and data clustering,” in Network and Service Management (CNSM), 2010 International Confer- ence on, October 2010, pp. 451 –456.
33. C. Fung, Q. Zhu, R. Boutaba, and T. Basar, “Bayesian decision aggregation in collaborative intrusion detection networks,” in Network Operations and Management Symposium (NOMS), 2010 IEEE, April 2010, pp. 349 –356.
34. M. Ficco and L. Romano, “A correlation approach to intrusion detection,” in Mobile Lightweight Wireless Systems, ser. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Springer Berlin Heidel- berg, 2010, vol. 45, pp. 203–215.
35. B. Morin, L. Me, H. Debar, and M. Ducasse, “A logic-based model to support alert correlation in intrusion detection,” Infor- mation Fusion, vol. 10, no. 4, pp. 285 – 299, 2009.
36. C. V. Zhou, C. Leckie, and S. Karunasekera, “Decentralized multi-dimensional alert correlation for collaborative intrusion detection,” Journal of Network and Computer Applications, vol. 32, no. 5, pp. 1106 – 1123, 2009.
37. Z. Czirkos, M. Rencz, and G. Hosszu, “Improving attack aggre- gation methods using distributed hash tables,” in ICIMP 2012, The Seventh International Conference on Internet Monitoring and Protection, May 2012, pp. 82–87.
38. C. Thomas and N. Balakrishnan, “Improvement in intrusion detection with advances in sensor fusion,” Information Forensics and Security, IEEE Transactions on, vol. 4, no. 3, pp. 542 –551, September 2009. [37] G. P. performance through “Enhancing alert ids processing,” Computers & Security, 2013. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0167404813000503
39. S. Benferhat, A. Boudjelida, K. Tabia, and H. Drias, “An intrusion detection and alert correlation approach based on re- vising probabilistic classifiers using expert knowledge,” Applied Intelligence, pp. 1–21, 2012.
40. E. Raftopoulos and X. Dimitropoulos, “Detecting, validating and characterizing computer infections in the wild,” in Pro- ceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference, ser. IMC ’11. ACM, 2011, pp. 29–44.
41. J. Viinikka, H. Debar, L. Me, A. Lehikoinen, and M. Tarvainen, “Processing intrusion detection alert aggregates with time series modeling,” Information Fusion, vol. 10, no. 4, pp. 312 – 324, 2009, ¡ce:title¿Special Issue on Information Fusion in Computer Security¡/ce:title¿.
42. A. E. Taha, I. A. Ghaffar, A. M. Bahaa Eldin, and H. M. K. Mahdi, “Agent based correlation model for intrusion detection alerts,” in Intelligence and Security Informatics (ISI), 2010 IEEE International Conference on, May 2010, pp. 89 –94.
43. J. R. G. J. L. Bogdan Denny Czejdo, Erik M. Ferragut, “Net- work intrusion detection and visualization using aggregations in a cyber security data warehouse,” International Journal of Communications, Network and System Sciences, vol. 5, no. 9, pp. 593–602, September 2012.
44. U. Zurutuza, E. Ezpeleta, l. Herrero, and E. Corchado, “Vi- sualization of misuse-based intrusion detection: Application to honeynet data,” in Soft Computing Models in Industrial and Environmental Applications, 6th International Conference SOCO 2011, ser. Advances in Intelligent and Soft Computing. Springer Berlin Heidelberg, 2011, vol. 87, pp. 561–570.
45. F. Mansmann, F. Fischer, D. A. Keim, and S. C. North, “Visual support for analyzing network traffic and intrusion detection events using treemap and graph representations,” in Proceedings of the Symposium on Computer Human Interaction for the Man- agement of Information Technology, ser. CHiMiT ’09. 2009, pp. 3:19–3:28. ACM,
46. Nurbol, H. Xu, H. Yang, F.-E. Meng, and L. Hu, “A real-time intrusion detection security visualization framework based on planner-scheduler,” in Innovative Computing, Information and Control (ICICIC), 2009 Fourth International Conference on, December 2009, pp. 784 –788.
47. M. Dumas, J.-M. Robert, and M. McGuffin, “Alertwheel: ra- dial bipartite graph visualization applied to intrusion detection system alerts,” Network, IEEE, vol. 26, no. 6, pp. 12 –18, November-December 2012.
48. G. Spathoulas, “Improving intrusion detection alerts,” Ph.D. dis- sertation, Department of Digital Systems, University of Piraeus, 2013.
49. R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das, “The 1999 darpa off-line intrusion detection evaluation,” Com- put. Netw., vol. 34, no. 4, pp. 579–595, Oct. 2000.
50. J. McHugh, “Testing intrusion detection systems: a critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by lincoln laboratory,” ACM Trans. Inf. Syst. Secur., vol. 3, no. 4, pp. 262–294, 2000.
51. M. V. Mahoney and P. K. Chan, “An analysis of the 1999 darpa/lincoln laboratory evaluation data for network anomaly detection,” in In Proceedings of the Sixth International Sympo- sium on Recent Advances in Intrusion Detection. Verlag, 2003, pp. 220–237. Springer
52. S. Terry and B. J. Chow, “An assessment of the darpa ids evaluation dataset using snort,” 2005.
53. A. Shiravi, H. Shiravi, M. Tavallaee, and A. A. Ghorbani, “To- ward developing a systematic approach to generate benchmark datasets for intrusion detection,” Computers & Security, vol. 31, no. 3, pp. 357 – 374, 2012.
54. A. Sperotto, R. Sadre, D. F. van Vliet, and A. Pras, “A labeled data set for flow-based intrusion detection,” in Proceedings of the 9th IEEE International Workshop on IP Operations and Management, IPOM 2009, Venice, Italy, ser. Lecture Notes in Computer Science, vol. 5843. pp. 39–50.
55. Springer Verlag, October 2009,