Aggregation and Correlation of Intrusion Detection Alerts


dc.contributor.author Muhammad Umar Farooq, 01-247182-023
dc.date.accessioned 2022-01-14T10:30:51Z
dc.date.available 2022-01-14T10:30:51Z
dc.date.issued 2021
dc.identifier.uri http://hdl.handle.net/123456789/11574
dc.description Supervised by Dr. Faisal Bashir Hussain
dc.description.abstract Network security is the practice of securing a network and averting unauthorized access to it. As internet technologies grow and connect people and devices all over the world, network traffic needs stronger protection. Network security covers both software and hardware technologies, and it is achieved through a variety of controls such as access control, firewalls, and intrusion detection and prevention systems. With the rapid rise of malicious network attacks, traditional tools such as antivirus software and firewalls are no longer sufficient on their own. Firewalls have long been used to protect networks, but they only filter incoming traffic, cannot monitor the traffic leaving the network, and therefore cannot detect an intrusion in progress. An IDS/IPS is thus the more suitable tool for monitoring and controlling security at the network level. IDS/IPS fall into two categories: (1) anomaly-based and (2) misuse-based, the latter also known as signature-based. Anomaly-based IDS detect abnormal behaviour by examining statistical information about system execution and maintaining patterns of normal behaviour. Signature-based IDS detect an intrusion by matching an observed footprint against known intrusion signatures; when a footprint matches, the system raises an alert, which is sent to the security administrator or user for further action. Because an IDS produces a very large number of alerts, identifying the true alerts manually is a time-consuming process.
Although several measures exist to reduce redundant alerts, remove duplicate alerts, and prioritize them, duplication is most effectively removed through alert aggregation and alert correlation techniques. Correlation techniques analyze large volumes of alerts and provide an overview by merging alerts that are related to each other. This work proposes a new alert aggregation and correlation model based on similarity-based correlation. Anomaly-based intrusion detection systems trigger more alerts than signature-based systems because they rely on heuristics to detect novel attacks, so this work aims to reduce anomaly-based alerts using a Security Event Correlator (SEC). In the first stage, an anomaly detection system (ADS) is used as the IDS. The alerts generated by the ADS are then fed into the proposed SEC. The SEC first preprocesses the alerts, extracting all major features; it then performs alert scrubbing, in which redundant alerts are removed. Next, aggregation groups all alerts on the extracted features and removes duplicated alerts. Finally, correlation is performed and the remaining alerts are prioritized by their frequency and selected extracted features. The proposed model achieved a 99.5% accuracy rate in removing redundant and duplicated alerts.
dc.language.iso en
dc.publisher Computer Sciences BUIC
dc.relation.ispartofseries MS (IS);T-020
dc.subject Computer Science
dc.subject Information Security
dc.title Aggregation and Correlation of Intrusion Detection Alerts
dc.type MS Thesis