Jie Ma,Zhitang Li,Bingbing Wang

DOI: https://doi.org/10.4304/jcp.6.8.1715-1722

2011-01-01

Abstract:Intrusion detection systems typically create a large volume of alarms and most of them are false alarms that can be seen as background noises caused by normal system behaviors. Manual analysis of a large number of alarms is both time consuming and labor intensive. This study focuses on the statistical analysis of the alarm flow. Using the Singular Spectrum Analysis (SSA) approach, we found that the alarm flow has a small intrinsic dimension, and the structure of alarm flow can be composed by leading components (normal components) and residual components (abnormal components). Only changes in abnormal components are worth of further study to confirm whether they are true or false alarm. To achieve this goal, an SSA-based anomalies detection algorithm was implemented and applied to catch anomalous changes in residua components, and thus interesting alarms were highlighted and noises were filtered out. Compared with detection approaches using stationary models, our SSA-based method can well deal with the non-stationary natures inherent in the alarm flow. Evaluation results from real network data show a significant increase in model accuracy, and more efficient filtering of alarm noise.

Feilong Tang,Lu Li,Leonard Barolli,Can Tang

DOI: https://doi.org/10.1109/AINA.2017.125

2017-01-01

Abstract:Software defined networking (SDN) provides flexible management for datacenter networks with the flow-level control. Such the fine-grained management, however, consumes large amount of bandwidth between data and control planes, which results in the bottleneck in the scalability of SDN-based datacenters. "The elephant and mouse phenomenon" suggests that there are only very few elephant flows that carry the majority of bytes in datacenters so that it can improve management efficiency to detect and reroute elephant flows while leaving mice flows in data plane leveraging wildcard flow table in OpenFlow. Unfortunately, existing mechanisms for elephant flow detection suffer from high bandwidth consumption and long detection time. In this paper, we propose an efficient sampling and classification approach (ESCA) with the two-phase elephant flow detection. In the first phase, ESCA improves sampling efficiency by estimating the arrival interval of elephant flows and filtering out redundant samples using a filtering flow table. In the second phase, ESCA classifies samples with a new supervised classification algorithm based on correlation among data flows. The mathematical analysis proofs our ESCA outperforms related schemes. Extensive experiment results on real public datacenter traces further demonstrate that our ESCA can provide accurate detection with less sampled packets and shorter detection time.

Zehua Ren,Yang Liu,Huixiang Liu,Baoxiang Jiang,Xiangzhen Yao,Lin Li,Haiwen Yang,Ting Liu

DOI: https://doi.org/10.1109/infocomwkshps54753.2022.9798168

2022-01-01

Abstract:Traditional intrusion detection systems often deal with massive alarms based on specific filtering rules, which is complex and inexplicable. In this demo, we developed a network security situation awareness (NSSA) system based on the spatio-temporal correlation of alarms. It can monitor the security situation from the temporal dimension and discover abnormal events based on the time series of alarms. Also, it can analyze alarms from the spatial dimension on the heterogeneous alarm graph and handle alarms in batches of events. With this system, system operators can filter most irrelevant alarms quickly and efficiently. The rich visualization of alarm data could also help find hidden high-risk attack behaviors.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

Xuejiao Liu,Yingjie Xia,Yanbo Wang,Jing Ren

DOI: https://doi.org/10.1002/sec.855

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:A challenge faced by many system administrators in utilizing the intrusion detection system (IDS) is to sift out genuine alerts buried with overwhelming alerts of benign activities generated by the IDS, especially for IDS deployed in large networks. Existing methods propose to identify the real alerts to aid the administrators. In our paper, we extend the idea of filtering irrelevant alerts based on alert volumes. And we formulate the flow estimation of abrupt changes in feature distribution caused by anomalies, by computing Kullback-Leibler distance of alert feature values under observation in comparison with a reference distribution, which is the mixture of a distribution drawing a tread from historical alerts, and a distribution derived from expertise provided by administrators. Experimental studies on the Defense Advanced Research Projects Agency dataset as well as real-life data gathered from the IDS of a large network show that our method is able to distinguish and highlight genuine anomalies arising from the tremendous number of intrusion alerts, including different kinds of attacks and network failures. Application of this technique to alerts greatly helps the administrators in identifying real alerts and then reduces the alert load in the future. Copyright (C) 2013 John Wiley & Sons, Ltd.

Yongwei Meng,Tao Qin,Yukun Liu,Chao He

DOI: https://doi.org/10.1109/access.2018.2823724

IF: 3.9

2018-01-01

IEEE Access

Abstract:Security equipment such as intrusion prevention system is an important supplementary for security management. They reduce the difficulty of network management by giving alarms corresponding to different attacks instead of raw traffic packet inspection. But there are many false alarms due to their running mechanism, which greatly reduces its usability. In this paper, we develop a hierarchical framework to mine high threating alarms from the massive alarm logs, and aim to provide fundamental and useful information for administrators to design efficient management policy. First, the alarms are divided into two parts based on their attributes, the first part mainly includes several kinds of famous attacks which are critical for security management, we proposed a similar alarm mining method based on Choquet integral to cluster and rank the frequently occurred attacks. The rest alarms constitute the second part, which are caused by the potential threats attacks, also include many false alarms. To reduce the effect of false alarms and rank the potential threats, we employ the frequent pattern mining algorithm to mine correlation rules and then filter false alarms. Following, we proposed a self-adapting threat degree calculation method to qualify the threat degree of these alarms after filtering. To verity the methods developed, an experimental platform is constructed in the campus network of Xi'an Jiaotong University. Experimental results based on the data collected verify the efficiency of the developed methods. For the first kind of alarms, the similar alarms mining accuracy is higher than 97% and the alarms are ranked with different processing urgencies. For the rest alarms, the proposed methods have filtering accuracy above 80% and can rank the potential threats. Based on the ranking results, administrators can deal with the high threats with their limited time and energy, in turn, keep the network under control.

Jie Ma,Zhitang Li,Weiming Li

DOI: https://doi.org/10.1109/FSKD.2008.522

2008-01-01

Abstract:Signature based network intrusion detection systems (NIDSs) often report a massive number of elementary alerts of low-level security-related events which are logically involved in a single multi-stage attack. Since be overwhelmed by these alerts, security administrators almost unable to discover complicated multistage attack in time. It is necessary to develop a real-time system to extracting useful attack strategies from the alert stream, which enables network administrators to launches appropriate response to stop attacks and prevent them form escalating. This paper focuses on developing a new alert clustering and correlation technique to automatically discover attack strategies from the evolving alert stream, without specific prior knowledge. The proposed algorithms can discovery various attack sequential patterns in different kinds of time horizons or user-defined time periods. Experiments show our approach can effectively construct attack scenarios and accordingly predict next most possible attack behavior.

Yongwei Meng,Tao Qin,Yukun Liu,Chao He

DOI: https://doi.org/10.1109/iscc.2018.8538535

2018-01-01

Abstract:Intrusion Prevention System (IPS) is important for network security management as it can help the administrator by generating alarms corresponding to different attacks. But there are many false alarms due to their running mechanism, which greatly reduces its usability. In this paper, we develop a hierarchical framework to mine high threat alarms from raw massive logs. We first divide the raw alarms into two parts based on their attributes, the first part mainly include alarms from several kinds of serious attacks while others constitute the second part. To mine high threat alarms from the first part, we proposed a similar alarm mining method based on Choquet Integral to cluster and rank the results of clustering. The potential threats are mixed with many false alarms in the second part, to reduce effect from false alarms, we employ the frequent pattern mining algorithm to mine correlation rules and employ them to filter the false alarms. Following we qualify the threat degree of those alarms based on the features extracted from characteristics of alarms themselves. Experimental results based on the data collected from the campus network of Xi’an Jiaotong University verify the efficiency and accuracy of the developed methods. Based on the mining and ranking results, administrators can deal with the high threats with their limited time and energy to keep the network under control.

GUO Shize,ZHANG Fan,SONG Zhuoxue,ZHAO Ziming,ZHAO Xinjie,WANG Xiaojuan,LUO Xiangyang

DOI: https://doi.org/10.11959/j.issn.2096−109x.2022004

2022-01-01

Abstract:Network attack detection plays a vital role in network security. Existing detection approaches focus on typical attack behaviors, such as Botnets and SQL injection. The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol. With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks, as well as benign flows was controlled. Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains, a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of “potential change” and obtain the “potential variation spectrum”. The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows. The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator. Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase, and there are similarities between some SSL/TLS attacks, the detection of SSL/TLS attacks not only needs to consider timing context information, but also needs to consider the high-separation representation of TLS network flows. Based on the flow spectrum theory, the threat template idea was used to extract the potential basis matrix, and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space. On the self-built SSL/TLS attack network flow data set, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation base matrix heatmap visualization.

GUO Shan-qing,YANG Xue-lin,ZENG Ying-pei,XIE Li,GAO Cong

2005-01-01

Abstract:security devices(e.g.firewalls,IDS's,anti-virus tools etc) that have been widely adopted in enterprise environments may generate huge amounts of independent,raw attack alerts,which are characterized by high false positive ratio and false negative ratio.As a result,it is difficult for users to understand these alerts and respond correspondingly.Therefore,handling the huge number of alerts produced by security devices is becoming a critical and challenging task in network security research.A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario.A general survey of the contemporary alerts correlation algorithms was given in this paper by a straight forward classification paradigm,and some problems for future research were addressed.

Tao Ding,Ahmed AlEroud,George Karabatis

DOI: https://doi.org/10.1109/ISI.2015.7165965

2015-01-01

Abstract:Investigating network flows is an approach of detecting attacks by identifying known patterns. Flow statistics are used to discover anomalies by aggregating network traces and then using machine-learning classifiers to discover suspicious activities. However, the efficiency and effectiveness of the flow classification models depends on the granularity of aggregation. This paper describes a novel approach that aggregates packets into network flows and correlates them with security events generated by payload-based IDSs for detection of cyber-attacks.

Rahul Adhao,Vinod Pachghare

DOI: https://doi.org/10.47164/ijngc.v13i4.455

2022-11-18

INTERNATIONAL JOURNAL OF NEXT-GENERATION COMPUTING

Abstract:In today's high-speed network, the existing Intrusion Detection System (IDS) approaches experience more false alarm rates with low detection capability. Nowadays, IDS needs to analyze a considerable amount of data. The larger the amount of data results in the longer the time to analyze it, which delays attack detection. The IDS usability is defined as its capability to trigger an alarm early enough to minimize the damage that an ongoing attack can cause and provide a reduced range of warning (false alarm). These underline the necessity of feature selection in IDS to identify the informative features and overlook the irrelevant or redundant features that affect the IDS's detection rate and computational complexity. It implies that anticipating an ideal number of features from a flow-based intrusion dataset can improve IDS accuracy. Therefore, this paper proposes an ensemble of a bio-inspired algorithm (Krill Herd Algorithm) with statistical measures (Information Gain) to select optimal features for a flow-based IDS. This ensemble technique has shown improvement in the detection rate, decreases the false alarm rate, and reduces the computation time of the IDS.

Fan Yang,Cen Guo

DOI: https://doi.org/10.1109/adconip.2017.7983850

2017-01-01

Abstract:Alarm management, as a topic of significant interest in both academia and industry, has a lot of unsolved open problems. In particular, univariate monitoring techniques can only handle fundamental problems, such as alarm chattering and bad actors, and yet they cannot meet all the requirements in practice to provide accurate information and guide to operators. For this purpose, we need to incorporate techniques developed in related areas to build a multivariate framework, which is the novel and advanced alarm strategy. Existing and developing methods are summarized in this paper, especially data-based methods, including the strategies based on multivariate statistics, performance deterioration, pattern matching in alarm floods, fault propagation, and risk assessment. Each method utilizes different type of information and has its own scope of application. Such methods shed some light on the future development of advanced alarm management.

Yunfan Yang,Xinyu Yang,Hao Huang,Shilong Zhang,Qinqin Wu,Yanan Li,Zhenwei Gu,Yang Liu

DOI: https://doi.org/10.1109/icnsc62968.2024.10760156

2024-01-01

Abstract:The advent of big data and cloud computing has ushered in a new era of complexity in cybersecurity. Analysis of network security situations has emerged as a pivotal aspect of safeguarding networks. However, with the escalating volume of alarms and the enhancement of attack techniques, the task of network security analysis has grown increasingly daunting. The power system faces numerous challenges in defending its information security, including analyzing vast amounts of data, mining alarm correlations, and detecting high-risk alarms. In this paper, we propose a long-periodicity detection method for alarms over a long time span, aiming to reduce the number of false alarms. Experimental results on real datasets have demonstrated that we can effectively detect long-period alarms over a long time span. This can enhance the understanding of the overall network security situation and help staff pinpoint high-risk alarms with real threats.

Lin Yang,Liu Guiquan,Yang Lishen

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.11.057

2006-01-01

Abstract:Frequent alarms and high false rate are nearly unavoidable in intrusion detection. For the situation, a method of alarm deviation analysis in intrusion detection is proposed in this article. It not only mitigates the impact of frequent alarms but also minimizes the effect of false alarms through integrative evaluation. The testing result shows the effectiveness of the method.

Xu Yang,Yuqing Yin,Pengpeng Chen,Qiang Niu

DOI: https://doi.org/10.1109/tvt.2020.3010645

IF: 6.8

2020-01-01

IEEE Transactions on Vehicular Technology

Abstract:Security has always been a hot issue of concern. Most of today's home security systems are based on cameras or sensors. These systems have challenges, such as involving in users' privacy and high initial cost, so they are not highly popular. In order to resolve these challenges, a single commodityWi-Fi device is utilized to design a device-free intelligent alarm system. The proposed system relies on the cooperation of active and passive alarm modules so that the user is not required to wear any sensor. In the active alarm module, a novel algorithm is proposed to identify the user's tiny help-seeking action (e.g.special breath) using channel state information (CSI). Moreover, the passive alarm module employs the CSI-based prospect detection to identify the physical attack behavior. The proposed system uses the invisible Wi-Fi signal to identify the people's motion. Then, it uses the results of the activity recognition to identify the dangerous event, which has the characteristic of the concealment. A large number of experiments are carried out in the present study to investigate the accuracy and robustness of the proposed system. It is found that the average accuracy of the system identification is over 95%.

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Taotao Ma,Jinxing Xiao,Jingqi Xu,Chuangxin Guo,Bin Yu,Shaohua Zhu

DOI: https://doi.org/10.1007/978-3-642-21697-8_22

2011-01-01

Abstract:In power grids, a severe fault often leads to several consequent alarms which is called alarm cascade phenomenon. This paper presents a novel method to handle the alarm cascade generated on the energy manage system (EMS) computers of power grids. The method consists of a multi-level flow model (MFM) and heuristic rules, in which the MFM is used to present the relationships between different alarm events while the heuristic rules are employed to pretreat the alarm events, perform message synthesis and indicate the cause of alarm cascade. The method can overcome the disadvantages of the traditional rule-based alarm processing solutions based on limited human experience or need additional training work to generate rules. Also MFMs are geographic modeling languages which do not involve complex calculation. Furthermore the proposed method has been evaluated via the simulation studies which are undertaken based on 2-substation system, IEEE 9-bus, 14-bus and 39-bus system respectively.