Intrusion Detection Alert Correlation Research Papers

An Intrusion Detection System (IDS) is a software application that monitors network or system activities and determines whether any malicious operations occur. The tremendous growth and usage of the internet raise concerns about how to protect and communicate digital information in a safe manner. Nowadays, hackers use different types of attacks to obtain valuable information. Many intrusion detection techniques, methods and algorithms help to detect these attacks. The main objective of this paper is to provide a complete study of the definition of intrusion detection, its history, life cycle, types of intrusion detection methods, types of attacks, different tools and techniques, research needs, challenges and applications.

Honeynets originated as a security tool designed to be tracked, attacked and compromised by hypothetical intruders. They consist of network environments and sets of applications, and after being installed and configured with all of these components, the Honeynet is ready to be attacked with the purpose of maintaining a controlled environment for the study of the events that occurred. Through the analysis of these events, it is possible to understand the objectives, tactics and interests that the attackers have for the proposed environment. This paper describes the state of the art of Honeynets, referring to architectures, Honeynet types, tools used in Honeynets, Honeynet models and applications in the real world that are focused on capturing information.

Most network environments keep facing an ever-increasing number of security threats. In early times, firewalls were used as the security checkpoint in the network environment. Recently the use of Intrusion Detection Systems (IDS) has greatly increased because they work more constructively and robustly than a firewall. An IDS refers to the process of constantly observing the incoming and outgoing traffic of a network in order to diagnose suspicious behavior. In real scenarios most environments are dynamic in nature, which leads to the problem of concept drift, i.e., learning from data whose statistical attributes change over time. Concept drift is impenetrable if the dataset is class-imbalanced. In this review paper, a study of IDS along with different approaches to incremental learning is carried out. From this study, a new approach is proposed by applying a voting rule to incremental learning. Further, a comparison between the existing fuzzy rule method and the proposed approach is made.

A growing trend in the cybersecurity landscape is represented by multistep attacks that involve multiple correlated intrusion activities to reach the intended target. The duty of reconstructing complete attack scenarios is left to system administrators because current Network Intrusion Detection Systems (NIDS) are still oriented to generating alerts related to single attacks, with no or minimal correlation. We propose a novel approach for the automatic analysis of multiple security alerts generated by state-of-the-art signature-based NIDS. Our proposal is able to group security alerts that are likely to belong to the same attack scenario, and to identify correlations and causal relationships among them. This goal is achieved by combining alert classification through Self-Organizing Maps and unsupervised clustering algorithms. The efficacy of the proposal is demonstrated through a prototype tested against network traffic traces containing multistep attacks.

Over the past decade, the digitization of services transformed the healthcare sector, leading to a sharp rise in cybersecurity threats. Poor cybersecurity in the healthcare sector, coupled with the high value of patient records, attracted the attention of hackers. Sophisticated advanced persistent threats and malware have significantly contributed to increasing risks to the health sector. Many recent attacks are attributed to the spread of malicious software, e.g., ransomware or bot malware. Machines infected with bot malware can be used as tools for remote attack or even cryptomining. This paper presents a novel approach, called BotDet, for botnet Command and Control (C&C) traffic detection to defend against malware attacks in critical infrastructure systems. There are two stages in the development of the proposed system: 1) we have developed four detection modules to detect different possible techniques used in botnet C&C communications and 2) we have designed a correlation framework to reduce the rate of false alarms raised by individual detection modules. Evaluation results show that BotDet balances the true positive rate and the false positive rate with 82.3% and 13.6%, respectively. Furthermore, it proves BotDet's capability of real-time detection.

Index Terms: Critical infrastructure security, healthcare cyber attacks, malware, botnet, command and control server, intrusion detection system, alert correlation.

This paper presents a method for constructing intrusion detection systems based on efficient fuzzy rule-based classifiers. The design process of a fuzzy rule-based classifier from a given input-output data set can be presented as a feature selection and parameter optimization problem. For parameter optimization of fuzzy classifiers, the differential evolution is used, while the binary harmonic search algorithm is used for selection of relevant features. The performance of the designed classifiers is evaluated using the KDD Cup 1999 intrusion detection dataset. The optimal classifier is selected based on the Akaike information criterion. The optimal intrusion detection system has a 1.21% type I error and a 0.39% type II error. A comparative study with other methods was accomplished. The results obtained showed the adequacy of the proposed method.

Attacks on information systems are becoming more sophisticated, and traditional algorithms supporting Network Intrusion Detection Systems may be ineffective or cause too many false alarms. This paper describes a new algorithm for the correlation of alerts generated by Network Intrusion Detection Systems. It is specifically oriented to multistep attacks where multiple intrusion activities belonging to the same attack scenario are performed within a small time window. This algorithm takes as its input the security alerts generated by a NIDS and, through a pseudo-Bayesian alert correlation, is able to identify those that are likely to belong to the same multistep attack scenario. The proposed approach is completely unsupervised and applicable to security alerts generated by any kind of NIDS.