LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.03.016

2007-01-01

Abstract:For lackness of knowledge about the context of network hosts,most signature-based NIDSs produce too many false positives,which prevent the administrators from focusing their efforts on real dangerous alerts quickly.A mechanism in NIDS is proposed,which makes a decision before pattern matching to filter unnecessary intrusion rules for matching,by utilizing the software information of the target hosts,to mitigate false positives drastically.This method is implemented in the prototype system.The result of testing on typical intranet shows that this method surely mitigate false positives and improve quality of alerts in NIDS.

Fu Xiao,Shi Jin,Xie Li

DOI: https://doi.org/10.4304/jnw.5.1.88-97

2010-01-01

Abstract:Current system managers often have to process huge amounts of alerts per day, which may be produced by all kinds of security products, network management tools or system logs. This has made it extremely difficult for managers to analyze and react to threats and attacks. So an effective technique which can automatically filter and analyze alerts has become urgent need. This paper presents a novel method for handling IDS alerts more efficiently. It introduces a new data mining technique, outlier detection, into this field, and designs a special outlier detection algorithm for identifying true alerts and reducing false positives (i.e. alerts that are triggered incorrectly by benign events). This algorithm uses frequent attribute values mined from historical alerts as the features of false positives, and then filters false alerts by the score calculated based on these features. We also proposed a three-phrase framework, which not only can filter newcome alerts in real time, but also can learn from these alerts and automatically adjust the filtering mechanism to new situations. Moreover our method can help managers analyze the root causes of false positives. And our method needs no domain knowledge and little human assistance, so it is more practical than current ways. We have built a prototype implementation of our method. Through the experiments on DARPA 2000, we have proved that our model can effectively reduce false positives. And on real-world dataset, our model has even higher reduction rate. By comparing with other alert reduction methods, we believe that our model has better performance.

Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

Fu Xiao,Xie Li

DOI: https://doi.org/10.1109/npc.2008.26

2008-01-01

Abstract:Intrusion detection systems (IDSs) can easily create thousands of alerts per day, up to 99% of which are false positives (i.e. alerts that are triggered incorrectly by benign events). This makes it extremely difficult for managers to analyze and react to attacks. This paper presents a novel method for handling IDS alerts more efficiently. It introduces outlier detection technique into this field, and designs a special outlier detection algorithm for identifying true alerts and reducing false positives. This algorithm uses frequent attribute values mined from historical alerts as the features of false positives, and then filters false alerts by the score calculated based on these features. We also proposed a two-phrase framework, which not only can filter newcome alerts in real time, but also can learn from these alerts and automatically adjust the filtering mechanism to new situations. Moreover our method needs no domain knowledge and little human assistance, so it is more practical than current ways. We have built a prototype implementation of our method. And the experiments on DARPA 2000 and real-world data have proved that this model has high performance.

Gang Yang,Chaojing Tang,Xingtong Liu

DOI: https://doi.org/10.3390/sym14102138

2022-10-14

Symmetry

Abstract:The exponential expansion of Internet interconnectivity has led to a dramatic increase in cyber-attack alerts, which contain a considerable proportion of false positives. The overwhelming number of false positives cause tremendous resource consumption and delay responses to the really severe incidents, namely, alert fatigue. To cope with the challenge from alert fatigue, we focus on enhancing the capability of detectors to reduce the generation of false alerts from the detection perspective. The core idea of our work is to train a machine-learning-based detector to grasp the empirical intelligence of security analysts to estimate the feasibility of an incoming HTTP request to cause substantial threats, and integrate the estimation into the detection stage to reduce false alarms. To this end, we innovatively introduce the concept of attack feasibility to characterize the composition rationality of an inbound HTTP request as a feasible attack under static scrutinization. First, we adopt a fast request-reorganization algorithm to transform an HTTP request into the form of interface:payload pair for further alignment of structural components which can reveal the processing logic of the target program. Then, we build a dual-channel attention-based circulant convolution neural network (DualAC2NN) to integrate the attack feasibility estimation into the alert decision, by comprehensively considering the interface sensitivity, payload maliciousness, and their bipartite compatibility. Experiments on a real-world dataset show that the proposed method significantly reduces invalid alerts by around 86.37% and over 61.64% compared to a rule-based commercial WAF and several state-of-the-art methods, along with retaining a detection rate at 97.89% and a lower time overhead, which indicates that our approach can effectively mitigate alert fatigue from the detection perspective.

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0804.1281

2008-04-08

Cryptography and Security

Abstract:Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.

Sajad Homayoun,Magnea Haraldsdóttir,Emil Lynge,Christian D. Jensen

DOI: https://doi.org/10.3390/s24206547

IF: 3.9

2024-10-12

Sensors

Abstract:Noise (un-important) alerts are generally considered a major challenge in intrusion detection systems/sensors because they require more analysts to review and may cause disruption to systems that are shut down to avoid the consequences of a compromise. However, in real-world situations, many alerts could be raised for automatic tasks being completed by some software or regular tasks by users doing their daily job. This paper proposes an approach to reduce the number of noise alerts, assuming that frequent long-term security alerts can be considered noise if their frequency is meeting some criteria, such as the minimum occurrence ratio. We prove that to effectively reduce the level of noise alerts in Network Detection and Response (NDR) systems, we are able to use simpler algorithms; sometimes, the answer is in simpler solutions, and not always in complex solutions. We study data from a real customer of a Danish NDR solution and propose an Apriori-based approach to find frequent noisy alerts. Our comparison of the detected noise before and after applying our solution shows high performance in reducing noise alerts for most of the alert types for a real customer. Our experiments show that our method can filter more than 40% of the alerts by setting the minimum occurrences to 70%. Moreover, our results show that we were able to filter out more than 90% for some alert categories.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Taining Zhang,Yihan Xiao,C. Xing,Zhongkai Zhao

DOI: https://doi.org/10.1109/ACCESS.2019.2904620

IF: 3.9

2019-03-12

IEEE Access

Abstract:With the popularity and development of network technology and the Internet, intrusion detection systems (IDSs), which can identify attacks, have been developed. Traditional intrusion detection algorithms typically employ mining association rules to identify intrusion behaviors. However, they fail to fully extract the characteristic information of user behaviors and encounter various problems, such as high false alarm rate (FAR), poor generalization capability, and poor timeliness. In this paper, we propose a network intrusion detection model based on a convolutional neural network–IDS (CNN–IDS). Redundant and irrelevant features in the network traffic data are first removed using different dimensionality reduction methods. Features of the dimensionality reduction data are automatically extracted using the CNN, and more effective information for identifying intrusion is extracted by supervised learning. To reduce the computational cost, we convert the original traffic vector format into an image format and use a standard KDD-CUP99 dataset to evaluate the performance of the proposed CNN model. The experimental results indicate that the AC, FAR, and timeliness of the CNN–IDS model are higher than those of traditional algorithms. Therefore, the model we propose has not only research significance but also practical value.

Engineering,Computer Science

Liang Li,Yuanhui He,Feiyang Huang,Ziming Zhao,Zhuoxue Song,Tong Zhou,Zhenyuan Li,Fan Zhang

DOI: https://doi.org/10.1109/cscwd61410.2024.10580010

2024-01-01

Abstract:Intrusion Detection Systems (IDSs) are vital in detecting network attacks and ensuring the confidentiality and integrity of network resources. Currently, industry-standard IDSs primarily rely on rule-based or anomaly-detection techniques. However, existing detection techniques often generate false positives and negatives, also known as the alert fatigue problem. This influx of incorrect events diminishes the IDS’s efficiency by overburdening security analysts. In this paper, we present ACVS, an innovative automated alert cross-verification system that leverages Graph Neural Networks for identifying misclassifications in security events. Initially, ACVS generates event graphs using attributes like IP addresses and timestamps from sequences of security events and then employs correlation analysis on these events, utilizing alert information to verify misclassifications. Finally, the system uses Graph Neural Networks to classify and correct these security events automatically. We conduct evaluations for ACVS on a substantial real-world dataset comprising over 5 million security events, which are categorized into 5 distinct groups. The results reveal that ACVS markedly enhances the accuracy of intrusion detection systems and substantially reduces the need for manual analysis.

N. D. Patel,B. M. Mehtre,Rajeev Wankar

DOI: https://doi.org/10.1007/s10207-023-00792-x

2024-04-26

International Journal of Information Security

Abstract:An intrusion detection system (IDS) is a system that monitors network traffic for malicious activity and generates alerts. In anomaly-based detection, machine learning (ML) algorithms exploit various statistical and probabilistic methods to learn from past or historical experience and detect valuable patterns from large, unstructured, and complex datasets. ML-based network intrusion detection aims to identify malicious behavior and alert a system administrator when an intruder tries to penetrate the network. This paper deals with the study, strategic construction, and implementation of a network intrusion detection model based on ML methods. Among the available IDS datasets, five of the most relevant are chosen for the experimental analysis, which are NSL-KDD-2009, CIC-IDS2017, CIC-IDS2018, IoTID20, and UNSW-NB15 datasets. In order to reduce the computation time in the training sample and achieve computational complexity , we propose a computationally efficient and feasible algorithmic framework for analyzing the network traffic data. The developed approach mainly consists of two phases, i.e., "Scatter Matrices and Eigenvalue Computation based feature Selection" and "Classification procedure for the reduced dimension data." Experimental evaluation of various test case scenarios for the chosen datasets is carried out in the simulation setting. It is observed that the test results outperform the existing intrusion detection methods for detecting certain attack categories.

computer science, information systems, theory & methods, software engineering

Xuejiao Liu,Yingjie Xia,Yanbo Wang,Jing Ren

DOI: https://doi.org/10.1002/sec.855

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:A challenge faced by many system administrators in utilizing the intrusion detection system (IDS) is to sift out genuine alerts buried with overwhelming alerts of benign activities generated by the IDS, especially for IDS deployed in large networks. Existing methods propose to identify the real alerts to aid the administrators. In our paper, we extend the idea of filtering irrelevant alerts based on alert volumes. And we formulate the flow estimation of abrupt changes in feature distribution caused by anomalies, by computing Kullback-Leibler distance of alert feature values under observation in comparison with a reference distribution, which is the mixture of a distribution drawing a tread from historical alerts, and a distribution derived from expertise provided by administrators. Experimental studies on the Defense Advanced Research Projects Agency dataset as well as real-life data gathered from the IDS of a large network show that our method is able to distinguish and highlight genuine anomalies arising from the tremendous number of intrusion alerts, including different kinds of attacks and network failures. Application of this technique to alerts greatly helps the administrators in identifying real alerts and then reduces the alert load in the future. Copyright (C) 2013 John Wiley & Sons, Ltd.

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Xiaoyu Wang,Xiaobo Yang,Xueping Liang,Xiu Zhang,Wei Zhang,Xiaorui Gong

DOI: https://doi.org/10.1016/j.cose.2023.103583

IF: 5.105

2024-02-01

Computers & Security

Abstract:Alert fatigue problems can have serious consequences for the enterprise security. When analysts become overwhelmed by the sheer number of alerts, high-risk alerts may go unnoticed or receive delayed responses, exposing the organization to potential cyber threats or data breaches. While current research on alert triage primarily concentrates on reducing false positives, analysts still face a shortage of resources to investigate all true alerts. The key to resolving this issue lies in the prioritization of alerts based on their potential severity, allowing analysts to allocate their efforts effectively. This paper introduces AlertPro, an alert prioritization framework that facilitates the alert triage and validation stage of typical SOC workflow. The AlertPro framework extracts context features from alert sequences and history features from alerts previously investigated by analysts, besides basic features from raw alert data. By presenting analysts with only the top-ranked potentially high-risk alerts in each query and continually updating these rankings based on feedback, AlertPro significantly streamlines the alert investigation process. To evaluate AlertPro, we conducted experiments on five datasets that are chosen or prepared specifically because they all include multi-step attacks. The results reveal that AlertPro is able to discover a previously undisclosed attack concealed within the public dataset iscx, illustrating its potential in enhancing security posture. We also evaluate the feature importance in anomaly detection and conclude that employing context features yields better performance over basic features. The paper also explores the effectiveness of incorporating history features in active learning, achieving an average improvement of 30% in attack discovery rates. The processing time of AlertPro for re-ranking and selecting high-risk alerts is within 0.5 seconds, indicating that AlertPro can effectively work in real-time scenarios. AlertPro is limited to only using partial feedback and can be improved by incorporating richer feedback from experts. Overall, AlertPro mitigates alert fatigue, enabling security analysts to concentrate their efforts on high-priority threats.

computer science, information systems

Chongzhen Zhang,Yanli Chen,Yang Meng,Fangming Ruan,Runze Chen,Yidan Li,Yaru Yang

DOI: https://doi.org/10.1155/2021/6610675

IF: 1.968

2021-01-25

Security and Communication Networks

Abstract:Traditional machine learning-based intrusion detection often only considers a single algorithm to identify intrusion data, lack of the flexibility method, low detection rate, no handing high-dimensional data, and cannot solve these problems well. In order to improve the performance of intrusion detection system, a novel general intrusion detection framework was proposed in this paper, which consists of five parts: preprocessing module, autoencoder module, database module, classification module, and feedback module. The data processed by the preprocessing module are compressed by the autoencoder module to obtain a lower-dimensional reconstruction feature, and the classification result is obtained through the classification module. Compressed features of each traffic are stored in the database module which can both provide retraining and testing for the classification module and restore these features to the original traffic for postevent analysis and forensics. For evaluation of the framework performance proposed, simulation was conducted with the CICIDS2017 dataset to the real traffic of the network. As the experimental results, the accuracy of binary classification and multiclass classification is better than previous work, and high-level accuracy was reached for the restored traffic. At the last, the possibility was discussed on applying the proposed framework to edge/fog networks.

computer science, information systems,telecommunications

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

Max Landauer,Florian Skopik,Markus Wurzenberger

2023-08-24

Abstract:Intrusion detection systems (IDS) reinforce cyber defense by autonomously monitoring various data sources for traces of attacks. However, IDSs are also infamous for frequently raising false positives and alerts that are difficult to interpret without context. This results in high workloads on security operators who need to manually verify all reported alerts, often leading to fatigue and incorrect decisions. To generate more meaningful alerts and alleviate these issues, the research domain focused on multi-step attack analysis proposes approaches for filtering, clustering, and correlating IDS alerts, as well as generation of attack graphs. Unfortunately, existing data sets are outdated, unreliable, narrowly focused, or only suitable for IDS evaluation. Since hardly any suitable benchmark data sets are publicly available, researchers often resort to private data sets that prevent reproducibility of evaluations. We therefore generate a new alert data set that we publish alongside this paper. The data set contains alerts from three distinct IDSs monitoring eight executions of a multi-step attack as well as simulations of normal user behavior. To illustrate the potential of our data set, we experiment with alert prioritization as well as two open-source tools for meta-alert generation and attack graph extraction.

Cryptography and Security

Wajih Ul Hassan,Shengjian Guo,Ding Li,Zhengzhang Chen,Kangkook Jee,Zhichun Li,Adam Bates

DOI: https://doi.org/10.14722/ndss.2019.23349

2019-01-01

Abstract:Large enterprises are increasingly relying on threat detection softwares (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. These softwares generate alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a "threat alert fatigue" or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms. In this paper, we present NoDozE to combat this challenge using contextual and historical information of generated threat alert. NoDozE first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each edge in the dependency graph based on the frequency with which related events have happened before in the enterprise. NoDozE then propagates those scores along the neighboring edges of the graph using a novel network diffusion algorithm and generates an aggregate anomaly score which is used for triaging. We deployed and evaluated NoDozE at NEC Labs America. Evaluation on our dataset of 364 threat alerts shows that NoDozE consistently ranked the true alerts higher than the false alerts based on aggregate anomaly scores. Further, through the introduction of a cutoff threshold for anomaly scores, we estimate that our system decreases the volume of false alarms by 84%, saving analysts' more than 90 hours of investigation time per week. NoDozE generates alert dependency graphs that are two orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software.

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Taotao Liu,Yu Fu,Kun Wang,Xueyuan Duan,Qiuhan Wu

DOI: https://doi.org/10.1016/j.cose.2024.104173

IF: 5.105

2024-10-30

Computers & Security

Abstract:As an important network defense approach, network intrusion detection is mainly used to identify anomaly traffic behavior. However, dominant network intrusion detection approaches are now struggling to identify the complex and variable means of attack, leading to high false alarm rate. Additionally, the feature redundancy and class imbalance problem in the intrusion detection dataset also constrain the performance of detection methods. This paper proposes a multiscale intrusion detection approach based on variance–covariance subspace distance and Equalization Loss v2 (EQL v2). Firstly, the variance–covariance subspace distance is used for feature selection on the preprocessed dataset to determine a set of representative feature subsets that can effectively approximate the original feature space. Secondly, the loss function, EQL v2, is adopted to balance the positive and negative gradients, addressing the class imbalance problem. Finally, a pyramid depthwise separable convolution model is proposed to capture the multiscale information of the traffic, and the convolutional layer in the depthwise convolution is replaced with self-supervised predictive convolutional attention block to compensate for the performance loss caused by the parameter reduction. Extensive experiments demonstrated that the proposed approach exhibits better performance on the three datasets of NSL-KDD, UNSW_NB15, and CIC-IDS-2017, with accuracy rates of 99.19%, 97.81%, and 99.83%, respectively, effectively improve the intrusion detection performance.

computer science, information systems