Improving IDSs Alerts To Improve High Quality Network Security By Using Data Mining Technique = Veri Madenciliği Tekniğini İle ID’ler Kullanarak Ağ Güvenliğinin Yüksek Kaliteli Hale Getirilmesi

Yıl 2017, Cilt: 1 Sayı: 2, 17 - 29, 01.02.2018

İsam Kareem Thajeel Osman Nuri Uçan , Oğuz Bayat

Öz

Abstract

Intrusion-Detection-Systems (IDSs) are the best and most effective techniques when it comes to addressing the

threats (such as malware and cyber-attacks etc.) being faced by computer networks; indeed, these systems have

been used for more than 20 years. However, these systems generate a huge number of alerts, a large percentage

of which are false or incorrect. This problem adversely affects the performance and effectiveness of network security.

In this paper, we propose a new system to eliminate duplicated and redundant IDS alerts; the overall aim

is to improve network security by minimizing the rate of false positive alarms. This system consists of two major

phases, as well as various sub-phases. The first phase involves removing duplicated alerts by applying a new filtering

algorithm which has been prepared for this purpose. The aim of the second phase is to reduce false alerts

by eliminating the redundant alerts; this is achieved by applying association rules and mining frequent itemset

algorithms. This system is evaluated and tested by using five weeks of data from the DARPA 99 dataset. The results

show that this system significantly reduces the number of FP alarms by 97.98%. These results also demonstrate

the system’s substantial ability to reduce the very large number of false alarms related to IDSs.

Özet

Saldırı Tespit Sistemleri (IDS), bilgisayar ağları tarafından karşılaşılan tehditleri (kötü amaçlı yazılımlar ve siber saldırılar

gibi) ele almaya gelince en iyi ve etkili tekniklerdir; Gerçekten de, bu sistemler 20 yıldan fazla kullanılmaktadır. Bununla

birlikte, bu sistemler çok sayıda uyarı üretir; bunların büyük bir yüzdesi yanlış veya yanlıştır. Bu sorun, ağ güvenliğinin

performansını ve etkililiğini olumsuz olarak etkiler. Bu yazıda, çoğaltılmış ve gereksiz IDS uyarılarını ortadan

kaldırmak için yeni bir sistem öneriyoruz; genel amaç, yanlış pozitif alarm oranını en aza indirerek ağ güvenliğini arttırmaktır.

Bu sistemin yanı sıra çeşitli alt safhalar olmak üzere iki ana safhadan oluşur. Birinci aşamada, bu amaçla hazırlanmış

yeni bir filtreleme algoritması uygulayarak çoğaltılan uyarıların kaldırılması gerekir. İkinci aşamada hedef,

gereksiz uyarıları ortadan kaldırarak yanlış uyarıları azaltmaktır; bu ilişki kurallarını uygulayarak ve sık öğe seti algoritmalarını

kullanarak gerçekleştirilir. Bu sistem, DARPA 99 veri kümesindeki beş haftalık verileri kullanarak değerlendirilir

ve test edilir. Sonuçlar, bu sistemin FP alarm sayısını% 97.98 oranında önemli ölçüde düşürdüğünü göstermektedir.

Bu sonuçlar, aynı zamanda, sistemin IDS’lerle ilgili çok sayıda yanlış alarmı azaltma kabiliyetini de göstermektedir

Anahtar Kelimeler

Threat Degree of Alerts, Alert Evaluation, Network Security, IDSs, False Positive (FP) Alert, Ağ Güvenliği, IDS, Tehditler Derece Uyarıları

Kaynakça

• McAfee Labs (2013). McAfee Labs Threats Report. available in “https://www.mcafee.com/us/resources/ reports”
• Julisch, K. Dealing with false positives in intrusion detection. available in “ http://www.raid-symposium. org/”, 2000.
• Axelsson, S. 1999. The base-rate fallacy and its implications for the difficulty of intrusion detection. In CCS ’99: Proceedings of the 6th ACM conference on Computer and communications security, 1–7, New York, NY, USA. ACM.
• Manganaris, S., Christensen, M., Zerkle, D., & Hermiz, K. 2000. A data mining analysis of rtid alarms. Comput. Netw., 34(4), 571–577.
• Julisch, K. (2003). Using root cause analysis to handle intrusion detection alarms PhD thesis, University of Dortmund (2003).
• Pietraszek, T., ”Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection,” Recent Advances in Intrusion Detection: 7th International Symposium RAID 2004, pp. 102-124, September 2004.
• Tjhai G. C. (2011). Anomaly-Based Correlation of IDS Alarms, PhD thesis, The University of Plymouth, UK.
• Magi, F., Matteucci, M. & Zanero, S. (2009). Reducing false positives in anomaly detectors through fuzzy alert aggregation, Information Fusion. 10,300-311.
• Adnan, A. H. (2009). Multithreaded scalable matching algorithm for intrusion detection system. University Sains Malaysia, PhD Thesis.
• El-Taj, H., Abouabdalla, O., Manasrah, A., Al-Madi, A., Sarwar, M.I., & Ramadass, S. (2010). Forthcoming aggregating intrusion detection system alerts framework. In Emerging Security Information Systems and Technologies (SECURWARE), 2010 Fourth International Conference. 40-44. IEEE.
• Alshammari, R., Sonamthiang, S., Teimouri, M., & Riordan, D. (2007). Using Neuro-Fuzzy Approach to Reduce False Positive Alerts, Communication Networks and Services Research, 2007. CNSR ‘07. Fifth Annual Conference on, 345-349. Doi:10.1109/CNSR.2007.70
• Elshoush & Osman. (2011). Alert correlation in collaborative intelligent intrusion detection system-A survey . Applied Soft Computing Journal, 11, 4349-4365.
• Hackmageddon.com, _Cyber attacks statistics,_ http://hackmageddon.com/2013-cyber-attacks-statistics/, Aug 2013.
• Al-Mamory, S. O. & Zhang, H. (2010). New data mining technique to enhance IDS alarms quality, Journal in computer virology, Vol. 6, No. 1,43-55. Doi:10.1007/s11416-008-0104-2.
• Mohiuddin Ahmed, Abdun Naser Mohmood, “Network Traffic Analysis based on Collective Anomaly Detection” 9th Conference on Industrial Electronics and Application ICIEA, 2014 IEEE,PIN: 978-1- 4799-4315-9/14.
• Lippmann, R.,J. W. Haines, et al. (2000a).” The 1999 DRPA off-line intrusion detection evaluation”, Computer Networks-the International Journal of Computer and Telecommunications Networking 34(4): 579-595.
• Lars Schmidt-Thieme, “Algorithmic Features of Eclat” Conference: FIMI’04, Proceedings of the IEEE ICDM Workshop on Frequent Itemsets Mining Implementation, Brighton, UK, November 1, 2004.
• Khanchi, s.,& Adibnia, F.(2002). False alert reduction on network-based intrusion detection system by means of feature frequencies. Advances in Computing , Control, & Telecommunication Technologies, 2009. ACT ‘09. International conference on vol., no., 513,516,28-29 Dec.2009. doi: 10.1109/ACT. 2009.221
• Kardi Teknomo. K-Means Clustering Tutorials. 2007”.http:\\people.revoledu .com\kardi\ tutorial\ kMean\”
• Lior Rokach and Oded Maimon, Data Mining and Knowledge Discovery Handbook, Tell-Aviv University, 2005, pp 321-349.SPIN 11053125,11411963.