Decentralized multi-dimensional alert correlation for collaborative intrusion detection

The growth in coordinated network attacks such as scans, worms and distributed denial-of-service (DDoS) attacks is a profound threat to the security of the Internet. Collaborative intrusion detection systems (CIDSs) have the potential to detect these attacks, by enabling all the participating intrusion detection systems (IDSs) to share suspicious intelligence with each other to form a global view of the current security threats. Current correlation algorithms in CIDSs are either too simple to capture the important characteristics of attacks, or too computationally expensive to detect attacks in a timely manner. We propose a decentralized, multi-dimensional alert correlation algorithm for CIDSs to address these challenges. A multi-dimensional alert clustering algorithm is used to extract the significant intrusion patterns from raw intrusion alerts. A two-stage correlation algorithm is used, which first clusters alerts locally at each IDS, before reporting significant alert patterns to a global correlation stage. We introduce a probabilistic approach to decide when a pattern at the local stage is sufficiently significant to warrant correlation at the global stage. We then implement the proposed two-stage correlation algorithm in a fully distributed CIDS. Our experiments on a large real-world intrusion data set show that our approach can achieve a significant reduction in the number of alert messages generated by the local correlation stage with negligible false negatives compared to a centralized scheme. The proposed probabilistic threshold approach gains a significant improvement in detection accuracy in a stealthy attack scenario, compared to a naive scheme that uses the same threshold at the local and global stages. A large scale experiment on PlanetLab shows that our decentralized architecture is significantly more efficient than a centralized approach in terms of the time required to correlate alerts.     

通过关联报警重建攻击场景

论文提出一系列的技术来整合两种互补型的报警关联方法:基于报警属性之间的相似性(聚类关联),和基于攻击的因果关系(因果关联)。尤其是根据入侵报警间的因果关系和它们需要满足的等同约束关系来假设和推理可能被IDSs漏报的攻击,同时使用一定的方法来整理假设的攻击重建更简单更可信的攻击场景。     

入侵检测系统报警信息聚合与关联技术研究综述

报警的聚合与关联是入侵检测领域一个很重要的发展方向·阐述了研发报警聚合与关联系统的必要性通过对报警的聚合与关联可以实现的各项目标;重点讨论了现有的各种报警聚合与关联算法,并分析了各算法的特点;介绍了在开发入侵报警管理系统(IDAMS)中如何根据算法特点选择算法的原则;总结了现有聚合与关联系统的体系结构;简要介绍了IDMEF标准数据格式以及它在报警关联中的作用;最后,介绍了现有聚合与关联系统的发展现状,并提出了研发入侵报警聚合与关联系统所面临的重要技术问题和发展方向·     

基于层次的智能告警关联分析模型研究

入侵检测系统的广泛使用产生了许多告警信息流,这些告警事件信息流基本上都是基于低层的攻击步骤检测,且具有较大的误告警率;各种分布式攻击进一步加剧了入侵检测系统告警事件信息流的复杂性。研究介绍了关联分析的基本原因、关联分析的基本概念,然后提出智能化入侵检测关联分析层次模型。该模型从误告警验证和抑制,到一个攻击一个告警,再到一个攻击过程对应一个场景刻画,形成一个层次。在不同的层次上,防御者对攻击的视图越来越清晰,从而为响应措施提供了精确的决策依据,进一步提高了整个入侵检测系统的智能性和可用性。     

Network Security Alerts Management Architecture for Signature-Based Intrusions Detection Systems within a NAT Environment

Internet is providing essential communication between an infinite number of people and is being increasingly used as a tool for commerce. At the same time, security is becoming a tremendously important issue to deal with. Different network security solutions exist and contribute to enhanced security. From these solutions, Intrusion detection systems (IDS) have become one of the most common countermeasures for monitoring safety in computer systems and networks. The purpose of IDSs is distinguishing between intruders and normal users. However, IDSs report a massive number of isolated alerts. These isolated alerts represent low-level security-related events. Many of these isolated alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. Another problem is that IDSs cannot work correctly with an environment managed with a NAT technique (Network Address Translation) since the host information (IP address and port number) are affected by the NAT devices. In order to address these limitations, the paper proposes a well-structured model to manage the massive number of isolated alerts and includes the NAT information in the IDS analysis. In fact, our solution permits to determine the real identities of entities implicated in security issues and abstracts the logical relation between alerts in order to support automatic correlation of those alerts involved in the same intrusion and to construct comprehensible attacks scenarios.     

A hybrid intrusion detection system design for computer network security

Intrusions detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly detection based. Misuse-detection based IDSs can only detect known attacks whereas anomaly detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort which is an open-source project.The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by misuse-based IDS on its own, with the hybrid IDS obtained combining anomaly-based and misuse-based IDSs and shows that the hybrid IDS is a more powerful system.     

一种基于移动Agent的抗攻击性IDS模型

随着入侵检测系统(Inhusion Detection System——IDS)性能的逐步提高，攻击者往往在入侵目标网络之前攻击IDS，使其丧失保护功能。在当前常用的分布式入侵检测系统的基础上，提出了一种能够对抗拒绝服务(Denial of Service——DoS)攻击的IDS模型，并指出了将当前的分布式IDS转换成此模型的配置方法。     

一种基于警报数据关联的入侵检测系统模型

入侵检测是保障网络安全的重要手段。对入侵检测系统产生的警报信息进行关联分析已经成为改善入侵检测系统检测性能的一个重要的、实际可行的手段。本文提出了一种分布式入侵检测警报数据关联模型,模型通过警报数据聚类和高层事件关联消除或减少重复警报,降低误警率,发现高层攻击策略。最后给出了警报聚类关联实现算法,该算法通过警报数据相似度的计算来实现警报聚类。     

安全事件关联分析引擎的研究与设计

入侵检测系统是动态安全防御里的重要环节，现有的入侵检测系统（IDS）存在一个致命的缺陷：误报率高居不下，IDS无法展现事件之间的逻辑关系，结果用户很难了解事件背后隐藏的攻击策略或逻辑步骤。为了解决IDS存在的上述问题，在深入分析入侵技术的基础上提出了基于入侵序列的启发式关联方法，设计并实现了一个事件关联分析引擎，最后验证了有效性。     

基于本地决策的多域间合作入侵检测

在大规模多管理域网络环境中，IDS系统间合作检测更多地体现出分布式、本地化的特点。文中提出基于本地安全策略实现信息采集、交换、评估、过滤和关联分析的合作IDS模型，描述了合作IDS间共享信息可信度评估和不完整警报关联分析等方法，实现了大规模多管理域网络环境中合作IDS原型MDCI系统。该系统能够有效降低警报关联分析的误报率和漏报率，提高合作IDS系统的检测性能。     

入侵检测系统发展的研究综述

With the fast development of Internet,more and more computer security affairs appear. Researchers have developed many security mechanisms to improve computer security ,including intrusion detection (ID). This paper re-views the history of intrusion detection systems (IDS)and mainstream techniques used in IDS,showing that IDS couldimprove security only provided that it is devised based on the architecture of the target system. From this, we could see the trend of integration of host-oriented ,network-oriented and application-oriented IDSs.     

Hybrid multi-agent framework for detection of stealthy probes

Probing tools are widely used to discover system information. Once the information is known, attackers can launch computer attacks against the vulnerable services running on the system. Even though current computer systems are protected against known attacks by implementing a number of access restriction policies, protection against novel attacks still remains as an elusive goal for the researchers. Attackers defeat current protection and detection mechanisms by exploiting unknown weakness and bugs in system and application software. Stealthy and low profile probes that include only a few carefully crafted packets over an extended period of time are used to delude firewalls and intrusion detection systems (IDS).Building effective IDSs, unfortunately, has remained an elusive goal owing to the great technical challenges involved and applied AI techniques are increasingly being utilized in attempts to overcome the difficulties. This paper presents computational intelligent agents-based approach to detect computer probes at the originating host. We also investigate and compare the performance of different classifiers used for detecting probes, with respect to the data collected on a real network that includes a variety of simulated probe attacks and the normal activity.Through a variety of experiments and analysis, it is found that with appropriately chosen network features computer probes can be detected in real time or near real time at the originating host. Using the detection information, an effective response mechanism can be implemented at the boundary controllers.     

模糊神经网络在入侵检测中的应用

目前绝大多数误用检测系统均不能检测已知攻击的变种 ,对未知攻击的检测也十分有限 ,而基于用户行为的异常检测系统对攻击检测的误报率太高 ,且不能发现攻击者通过慢慢改变其行为躲过检测的欺骗行为 .将模糊神经网络应用于入侵检测领域 ,并采用基于进程行为的检测方法 ,能有效的解决上述问题 ,较好地改进入侵检测系统的性能 ,降低漏报误报率 .     

协同式入侵监视系统的体系结构设计

协同式入侵监视系统实现不同管理域网络之间告警信息共享、执行集中式告警相关性分析并提供入侵预警服务而提高各个网络的安全性.介绍了设计协同式入侵监视系统面临的系统结构问题,讨论了协同式入侵监视系统的基本组成,提出了实现可扩展的安全信息交换、告警相关性分析和提高系统自身安全性问题的方法.     

A research using hybrid RBF/Elman neural networks for intrusion detection system secure model

A hybrid RBF/Elman neural network model that can be employed for both anomaly detection and misuse detection is presented in this paper. The IDSs using the hybrid neural network can detect temporally dispersed and collaborative attacks effectively because of its memory of past events. The RBF network is employed as a real-time pattern classification and the Elman network is employed to restore the memory of past events. The IDSs using the hybrid neural network are evaluated against the intrusion detection evaluation data sponsored by U.S. Defense Advanced Research Projects Agency (DARPA). Experimental results are presented in ROC curves. Experiments show that the IDSs using this hybrid neural network improve the detection rate and decrease the false positive rate effectively.     

入侵检测系统中基于免疫的克隆选择算法

机体免疫系统的许多有益特性被应用予入侵检测系统，使之能够主动地防御各种各样的网络攻击。该文在分析了将人工免疫学应用到入侵检测的过程中所遇到诸多问题之后，提出了一个基于免疫的克隆选择算法。该算法采用一种新的基因型与表现型的表达方式，利用全新的匹配方法，引入反向选择算子，对入侵检测的人工免疫模型进行了有效改进。     

多源安全信息融合系统设计

利用报警融合和关联分析技术能很好地提高报警准确度。阐述了基于多源安全信息融合系统关键模块设计,以暴风蠕虫攻击检测例证了该系统的有效性,并指出需要进一步研究的问题。     

入侵检测技术的初步探究

入侵检测系统是现代网络安全的重要组成部分。入侵检测就是通过监视特定的计算机或网络,在检测可能的攻击,主要有两类入侵检测系统：基于主机的和基于网络的。前者监视整修网络或部分网段,后者监视特定的计算机。如将两类系统相结合,实时监控网络传输和系统事件,并对可疑的行为进行自动的安全响应,将最大程度地降低安全风险,保护网络的系统安全。     

A comparative evaluation of intrusion detection architectures for mobile ad hoc networks

Mobile Ad Hoc Networks (MANETs) are susceptible to a variety of attacks that threaten their operation and the provided services. Intrusion Detection Systems (IDSs) may act as defensive mechanisms, since they monitor network activities in order to detect malicious actions performed by intruders, and then initiate the appropriate countermeasures. IDS for MANETs have attracted much attention recently and thus, there are many publications that propose new IDS solutions or improvements to the existing. This paper evaluates and compares the most prominent IDS architectures for MANETs. IDS architectures are defined as the operational structures of IDSs. For each IDS, the architecture and the related functionality are briefly presented and analyzed focusing on both the operational strengths and weaknesses. Moreover, methods/techniques that have been proposed to improve the performance and the provided security services of those are evaluated and their shortcomings or weaknesses are presented. A comparison of the studied IDS architectures is carried out using a set of critical evaluation metrics, which derive from: (i) the deployment, architectural, and operational characteristics of MANETs; (ii) the special requirements of intrusion detection in MANETs; and (iii) the carried analysis that reveals the most important strengths and weaknesses of the existing IDS architectures. The evaluation metrics of IDSs are divided into two groups: the first one is related to performance and the second to security. Finally, based on the carried evaluation and comparison a set of design features and principles are presented, which have to be addressed and satisfied in future research of designing and implementing IDSs for MANETs.     

入侵检测报警关联技术

报警关联技术分析不同安全产品产生的报警，从中识别出真正有意义的攻击警报，并减少大量的误报警，降低安全管理员的工作量。该文介绍了报警关联的基本模型和主要技术，分析了主要的关联方法，探讨了报警关联技术的发展方向。这些讨论对应用或发展报警关联技术都有参考价值。