more Collaborative Intrusion Detection Systems (CIDSs) to
Citations
201 | The intrusion detection message exchange format (IDMEF). Request for Comments 4765
- Debar, Curry, et al.
- 2007
Citation Context ...erts that are generated by multiple IDSs are collected and stored in a database before they are modeled and converted into a standard format called Intrusion Detection Message Exchange Format (IDMEF) [8]. Then data preprocessing is required in order to clean the data, do feature extraction and selection, and finally deal with any incomplete or missing data [9][10][11][12]. The filter-based correlatio... |
147 | Constructing attack scenarios through correlation of intrusion alerts
- Ning, Cui, et al.
- 2002
Citation Context ...multi-scan attacks were observed. Tables IV and V show the reduction rates. DMZ in scenario 2.0.2 shows a great RR as is expected being a multistage attack scenario. • Shushing the Alerts As shown in [18], alert correlation can be used to differentiate between false and true alerts. False alerts and unreal alarms tend to be more random than actual alerts, and are less likely to be correlated. Thus, ba... |
115 | A comprehensive approach to intrusion detection alert correlation
- Valeur, Vigna, et al.
Citation Context ...tacks, hence can be used to trace an attack to its source. The core of this process consists of components that implement specific function, which operate on different spatial and temporal properties [5]. The correlation components are effective in achieving alert reduction and abstraction. Research shows that the effectiveness of each component depends heavily on the nature of the data set analyzed ... |
53 | Analyzing intensive intrusion alerts via correlation
- Ning, Cui, et al.
- 2002
Citation Context ...f this component is to identify high-level attack patterns that are composed of several individual attacks. The high-level patterns are usually specified using some form of expert knowledge [2][5][17][19]. Relying on the information in [20], attack patterns are identified, and used to implement this component resulting in Table VII. 4) Intention Recognition: Intention or plan recognition is the proces... |
37 | An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks
- Depren, Topallar, et al.
- 2005
Citation Context ...oration among them [22]. Also Depren et al. proposed a novel IIDS architecture utilizing both anomaly and misuse detection approaches, together with a decision support system to combine their results [23]. In the same year, Zhang et al. suggested a distributed IDS based on clustering with unlabeled data [24]. Later in that year, Katti et al. presented the first wide-scale study of correlated attacks, ... |
33 | A survey of coordinated attacks and collaborative intrusion detection
- Zhou, Leckie, et al.
Citation Context ...iew of the monitored network. They may cooperate to complement each other’s coverage. Even when different detection methods are used, they analyze each other’s alerts and reduce false positive alerts [1][2]. It has been proven by many researchers that collaborative approaches are more powerful and give better performance over individual approaches. In fact, the use of complementary IDSs is a promisin... |
29 | Collaborating against common enemies
- Katti, Krishnamurthy, et al.
- 2005
Citation Context ...data [24]. Later in that year, Katti et al. presented the first wide-scale study of correlated attacks, and their results showed that collaborating IDSs need to exchange alert information in real time [25]. Sadoddin and Ghorbani showed an overall view of the applied techniques which have been used for different aspects of correlation. The techniques were presented in the context of a comprehensive corr... |
25 | Intrusion Detection and Correlation: Challenges and solutions
- Kruegel, Valeur, et al.
- 2005
Citation Context ...and memory addresses for a buffer overflow) [5][6][17]. The alert fusion component method, see algorithm 1 below, keeps a sliding time window of alerts. The alerts within the time window are stored in a time-ordered queue. When a new alert arrives, it is c... |
23 | An intrusion alert correlator based on prerequisites of intrusions.
- Ning, Cui
- 2002
Citation Context ...-level attack patterns that are composed of several individual attacks. The high-level patterns are usually specified using some form of expert knowledge [2][5][17][19]. Relying on the information in [20], attack patterns are identified, and used to implement this component resulting in Table VII. 4) Intention Recognition: Intention or plan recognition is the process of inferring the goals of an intru... |
13 | Alert correlation survey: framework and techniques
- Sadoddin, Ghorbani
- 2006
Citation Context ...complementary to each, the pros and cons of the techniques were described from their point of view [26]. From the analysis in [13], researchers propose an improved solution for an alert correlation technique based on six capabilities criteria identified which are capabilities to perform alert reduction... |
12 | Distributed intrusion detection based on clustering
- Zhang, Xiong, et al.
- 2005
Citation Context ... misuse detection approaches, together with a decision support system to combine their results [23]. In the same year, Zhang et al. suggested a distributed IDS based on clustering with unlabeled data [24]. Later in that year, Katti et al. presented the first wide-scale study of correlated attacks, and their results showed that collaborating IDSs need to exchange alert information in real time [25]. Sad... |
9 | An incremental frequent structure mining framework for real-time alert correlation. Computers & Security
- Sadoddin, Ghorbani
- 2009
Citation Context ...Ghorbani proposed a framework for real-time alert correlation which incorporates novel techniques for aggregating alerts into structured patterns and incremental mining of frequent structured patterns [27]. In [28], Taha et al. presented an agent-based alert correlation model. A learning agent learns the nature of the dataset to select which components to be used and in which order. They proved that their m... |
8 | Alert correlation in collaborative intelligent intrusion detection systems - A survey
- Elshoush, Osman
- 2011
Citation Context ... of the monitored network. They may cooperate to complement each other’s coverage. Even when different detection methods are used, they analyze each other’s alerts and reduce false positive alerts [1][2]. It has been proven by many researchers that collaborative approaches are more powerful and give better performance over individual approaches. In fact, the use of complementary IDSs is a promising t... |
8 | Network Intrusion Detection and Prevention: Concepts and Techniques
- Ghorbani, Tavallaee, et al.
- 2010
Citation Context ... and used to implement this component resulting in Table VII. 4) Intention Recognition: Intention or plan recognition is the process of inferring the goals of an intruder by observing his/her actions [21]. It deduces strategies and objectives of attackers based on attack scenarios that are output by correlation systems. Failed attacks can be useful to know so as to be avoided in the future. Using alert c... |
5 | Decentralized multidimensional alert correlation for collaborative intrusion detection
- Zhou, Leckie, et al.
- 2009
Citation Context ...alert correlation, which is a process that contains multiple components with the purpose of analyzing alerts and providing high-level insight view on the security state of the network surveillance [1][3][4]. Correlation aims to relate a group of alerts to build a big picture of the attacks, hence can be used to trace an attack to its source. The core of this process consists of components that implem... |
5 | TRINETR: An architecture for collaborative intrusion detection and knowledge-based alert evaluation
- Yu, Reddy, et al.
- 2005
Citation Context ...e parts: Collaborative Alert Aggregation, Knowledge-based Alert Evaluation and Alert Correlation to cluster and merge alerts from multiple IDS products to achieve an indirect collaboration among them [22]. Also Depren et al. proposed a novel IIDS architecture utilizing both anomaly and misuse detection approaches, together with a decision support system to combine their results [23]. In the same year,... |
4 | An improved framework for intrusion alert correlation
- Elshoush, Osman
- 2012
Citation Context ...Fig. 1: The Innovative Correlation Model [7]. ...alerts equally. Instead, it is necessary to have a set of components that focus on different aspects of the overall correlation task. Some components, see Fig. 1, e.g. those at the initial and second... |
4 | Feature Selection Using Rough Set in Intrusion Detection. TENCON
- Zainal, Maarof, et al.
- 2006
Citation Context ...ction Message Exchange Format (IDMEF) [8]. Then data preprocessing is required in order to clean the data, do feature extraction and selection, and finally deal with any incomplete or missing data [9][10][11][12]. The filter-based correlation unit either assigns a priority to each alert or identifies irrelevant alerts. Thus, alerts are ranked based on their severity level in order to distinguish betwe... |
4 | TIAA: A Toolkit for Intrusion Alert Analysis
- Ning
- 2008
Citation Context ...ten in C#, Microsoft Visual Studio 2010, were created to implement the correlation components’ functionalities. The alert log files generated by RealSecure IDS of the DARPA simulation network are used [14] in eight experiments, which are explained in the next section. A. Experiments on DARPA 2000 Datasets DARPA 2000 [15] is a well-known IDS evaluation dataset created by the MIT Lincoln Laboratory. It c... |
3 | Intrusion Alert Correlation Technique Analysis for Heterogeneous Log
- Yusof, Selamat, et al.
- 2008
Citation Context ...ate, hence uncorrelated alerts are removed by the shushing the alerts component. Lastly, multi-step correlation is expected to achieve substantial improvement in the abstraction level and data reduction [13]. In this component, a priori information of the network topology, known scenarios, etc. is provided by the expert knowledge DB; hence high level patterns are specified. In the intention recognition com... |
3 | 2000 DARPA Intrusion Detection Scenario Specific Datasets. http://www.ll.mit.edu/index.html
- MIT Lincoln Laboratory
Citation Context ...lert log files generated by RealSecure IDS of the DARPA simulation network are used [14] in eight experiments, which are explained in the next section. A. Experiments on DARPA 2000 Datasets DARPA 2000 [15] is a well-known IDS evaluation dataset created by the MIT Lincoln Laboratory. It consists of two multistage attack scenarios, namely Lincoln Laboratory DoS Data Sets Scenario (LLDOS) 1.0 and LLDOS 2.... |
3 | Intelligent Alert Clustering Model for Network Intrusion Analysis
- Siraj, Maarof, et al.
- 2009
Citation Context ... they will have negative impact on the correlation result, and moreover the number of processed alerts will be greatly reduced. • Prioritization The ranking/priority of alerts of LLDOS scenarios from [16] is used. Thus low risk alerts are discarded, and only the medium and high risk alerts are sent to the next component. Table II shows the implementation results. • Alert Verification This requires tha... |
3 | Agent based correlation model for intrusion detection alerts
- Taha, Ghaffar, et al.
- 2010
Citation Context ...proposed a framework for real-time alert correlation which incorporates novel techniques for aggregating alerts into structured patterns and incremental mining of frequent structured patterns [27]. In [28], Taha et al. presented an agent-based alert correlation model. A learning agent learns the nature of the dataset to select which components to be used and in which order. They proved that their method ach... |
3 | A comprehensive vulnerability based alert management approach for large networks
- Njogu
Citation Context ...ssification of alerts based on their alert metrics; and Stage 3 involves correlation of alerts in order to reduce the redundant and isolated alerts as well as discover the causal relationships in alerts [31]. In the same month, Soleimani and Ghorbani took a different view and considered alert correlation as the problem of inferring an intruder’s actions as alert patterns that are constructed progressively.... |
3 | Multi-layer episode filtering for the multi-step attack detection
- Soleimani, Ghorbani
Citation Context ... number of discovered patterns while more than 95% of final patterns were actual patterns. Furthermore, their rule prediction capability showed a precise forecasting ability in guessing future alerts [32]. In July 2012, Amaral et al. presented an automated alarm correlation system composed of three layers, which obtains raw alarms and presents to the network administrator a wide view of the scenario affec... |
3 | An operational framework for alert correlation using a novel clustering approach
- Mohamed, Idris, et al.
Citation Context ...rated by IDS. The clustering method was tested against two datasets; a globally used dataset, DARPA, and a live dataset from a cyber attack monitoring unit that uses the Snort engine to capture the alerts [34]. V. CON... |
2 | Real-time ID Alert Correlation
- Valeur
- 2006
2 | Features Selection Using Rough-PSO in Anomaly Intrusion Detection
- Zainal, Maarof, et al.
- 2007
Citation Context ...etection Message Exchange Format (IDMEF) [8]. Then data preprocessing is required in order to clean the data, do feature extraction and selection, and finally deal with any incomplete or missing data [9][10][11][12]. The filter-based correlation unit either assigns a priority to each alert or identifies irrelevant alerts. Thus, alerts are ranked based on their severity level in order to distinguish b... |
2 | Improved Feature Selection for Intrusion Detection System
- Amiri, Yousefi, et al.
- 2011
Citation Context ...n Message Exchange Format (IDMEF) [8]. Then data preprocessing is required in order to clean the data, do feature extraction and selection, and finally deal with any incomplete or missing data [9][10][11][12]. The filter-based correlation unit either assigns a priority to each alert or identifies irrelevant alerts. Thus, alerts are ranked based on their severity level in order to distinguish between t... |
2 | Data Preprocessing for Anomaly-based Network Intrusion Detection
- Davis, Clark
- 2011
Citation Context ...ssage Exchange Format (IDMEF) [8]. Then data preprocessing is required in order to clean the data, do feature extraction and selection, and finally deal with any incomplete or missing data [9][10][11][12]. The filter-based correlation unit either assigns a priority to each alert or identifies irrelevant alerts. Thus, alerts are ranked based on their severity level in order to distinguish between the h... |
2 | A Flexible and Efficient Alert Correlation Platform for
- Roschke, Cheng, et al.
- 2010
Citation Context ...igh risk alerts are processed. Ghorbani et al. in [21] showed an overall view of the applied techniques which have been used for different components of an alert correlation framework. Meinel et al. in [29] identified the data storage and processing algorithms to be the most important factors influencing the performance of clustering and correlation. They proposed and implemented the utilization of memo... |
2 | A complete operational architecture of alert correlation
- Amiri, Gharaee, Enayati
- 2011
Citation Context ... They reviewed and compared different techniques for alert correlation. Their study finally proposes that a hybrid model of multiple techniques leads to better performance of the alert correlation engine [30]. Early in the following year, in April 2012, Njogu et al. proposed a comprehensive approach to address the shortcomings of the vulnerability based alert management approaches. They proposed a fast and e... |
2 | Inference of network anomaly propagation using spatio-temporal correlation
- Amaral, Zarpelao, Proenca Junior, et al.
- 2012
Citation Context ...work elements affected by the anomaly propagation. Moreover, the Anomaly Propagation View (APV) is presented, which is a graphical tool developed to provide a wide visualization of the network status [33]. Lately in September of the same year, Mohamed et al. constructed a holistic solution that is able to reduce the number of alerts to be processed and at the same time produced a high quality attack s... |