| Field | Value |
|---|---|
| Institution | University of Khartoum |
| Keywords | Alert Correlation; Collaborative Intrusion Detection; False Alarm Rate |
| Full text PDF | http://khartoumspace.uofk.edu/handle/123456789/25985 |
Many of the weaknesses in traditional intrusion detection systems (IDSs) are due to the lack of collaboration among different detection mechanisms, and between intrusion detection and other network management operations and security mechanisms. Therefore, a collaborative intrusion detection system (CIDS) architecture is introduced. The focus in this thesis is on the correlation of collaborative intelligent intrusion detection system (CIIDS) alerts. Automation of alert management and analysis is crucial because of the large number of alerts. Alert correlation analyzes the alerts from one or more collaborative intrusion detection systems and aims to relate different alerts in order to build a big picture of the attack, thus giving a high-level view of the network security status. The correlation process consists of multiple components, each responsible for a different aspect of the overall correlation goal. The sequential order of the correlation components affects the performance of the correlation process. Moreover, that performance is significantly affected by the network topology, the characteristics of the attack and the available meta-data. Furthermore, the total time needed for the whole process depends on the number of alerts processed in each component. This thesis presents an innovative alert correlation framework that minimizes the number of alerts processed in each component and thus reduces the correlation processing time. By reordering the components, the introduced correlation model reduces the number of processed alerts as early as possible, discarding the irrelevant, unreal and false alerts in the early phases of the correlation process. A new component, shushing the alerts, is added to deal with the unrelated and false positive alerts: any alert that is still not correlated after being processed by a number of components is deliberately removed. An algorithm for this new component is presented.
A modified algorithm for fusing the alerts is outlined. The intruders' intentions are grouped into attack scenarios, and the expert knowledge database is updated frequently, as needed. Thus, by updating the expert knowledge database, the attack scenarios can be used to detect future attacks. By diverting more resources to the correlation of high-risk, high-priority alerts, the effectiveness of alert correlation is significantly improved. The DARPA 2000 intrusion detection scenario-specific datasets and a testbed network were used to evaluate the innovative alert correlation model, and comparisons with a previous correlation system were performed. The results of processing these datasets and recognizing the attack patterns demonstrated the potential of the improved correlation model and gave favorable results.
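As an added illustration (not code from the thesis), the following Python sketch models the reordering argument: a pipeline of correlation components in which a shushing step discards every alert that no earlier component could relate to another, so that fewer alerts reach the later, costlier stages. The component names, the correlation rules and the sample alerts are assumptions made for this example.

```python
def alert(src, dst, sig, ts):
    return {"src": src, "dst": dst, "sig": sig, "ts": ts, "correlated": False}

# Constructed sample alerts for illustration; not taken from the thesis or DARPA 2000.
SAMPLE = [
    alert("10.0.0.5", "10.0.0.9", "portscan", 1),
    alert("10.0.0.5", "10.0.0.9", "portscan", 2),         # repeat of the first: fused away
    alert("10.0.0.5", "10.0.0.9", "exploit", 3),          # same attacker/victim as the scan
    alert("172.16.0.2", "10.0.0.20", "icmp-echo", 4),     # isolated alerts that never correlate
    alert("172.16.0.7", "10.0.0.21", "dns-anomaly", 5),
    alert("10.0.0.9", "10.0.0.30", "outbound-shell", 6),  # exploit victim now acts as source
]

def fuse(alerts):
    """Merge repeated alerts (same src, dst, sig) into their first occurrence."""
    seen = {}
    for a in alerts:
        kept = seen.setdefault((a["src"], a["dst"], a["sig"]), a)
        if kept is not a:
            kept["correlated"] = True  # a repeat corroborates the alert we keep
    return list(seen.values())

def same_pair(alerts):
    """Relate alerts sharing attacker and victim with an earlier alert (one attack thread)."""
    for i, a in enumerate(alerts):
        if any((b["src"], b["dst"]) == (a["src"], a["dst"]) for b in alerts[:i]):
            a["correlated"] = True
    return alerts

def victim_turns_source(alerts):
    """Relate an alert whose source was the victim of an earlier alert (multi-step scenario)."""
    for i, a in enumerate(alerts):
        if any(b["dst"] == a["src"] for b in alerts[:i]):
            a["correlated"] = True
    return alerts

def shush(alerts):  # the thesis's new component: drop what no earlier component could correlate
    return [a for a in alerts if a["correlated"]]

def rank(alerts):  # stand-in for a costly late stage (scenario building, prioritisation)
    return sorted(alerts, key=lambda a: a["ts"])

def run_pipeline(alerts, components):
    """Run the components in order on private copies; count alerts entering each component."""
    alerts = [dict(a) for a in alerts]
    processed = {}
    for comp in components:
        processed[comp.__name__] = len(alerts)
        alerts = comp(alerts)
    return processed, [a["sig"] for a in alerts]
```

Placing the shushing step before a component that could still correlate an alert silently drops genuine multi-step alerts, so the number of components an alert must pass before it is shushed is a tuning decision, not a free speed-up.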