Abstract
With the increase in the variety of devices connected to the Internet, each with its own vulnerabilities, we are observing an explosion of cyber attack patterns. Furthermore, the overwhelming number of alerts from security sensors such as intrusion detection systems (IDSs) makes it impossible to take appropriate countermeasures against attacks. A method to prioritize IDS alerts is therefore required for the next generation of security operation centers (SOCs). To this end, we have developed an IDS alert priority determination method that combines IDS alert information with traffic behavior and uses the difference in the distribution of traffic behavior to determine the priority of alerts. We performed experiments with 2 million IDS alerts and 20 billion traffic flows in a real large-scale environment over two months and found that our method identified 553 of the 2 million IDS alerts as high priority, a number small enough for SOC analysts to investigate in detail.
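The abstract describes combining alert metadata with the distribution of traffic behavior around the alerted host, but does not give the algorithm. The following is an added illustrative example, not the authors' method and not code from the paper: it scores each alert by the Jensen-Shannon divergence between the per-flow byte-size distribution of the alerting host's flows and the distribution over all flows in the window, then ranks alerts by that score so that a small top-k can be handed to analysts. The feature (log2 bucket of bytes per flow), the divergence measure, the sample flows and alerts, and the signature names are all assumptions chosen for illustration.

```python
"""Illustrative IDS alert prioritisation by traffic-distribution divergence.

Added example for this page. It is NOT the method of Hiruta et al. (2019);
the abstract does not give their algorithm. The feature (log2 bucket of bytes
per flow), the divergence measure (Jensen-Shannon), the sample flows and alerts,
and the signature names below are all assumptions chosen for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample traffic, not from the paper: (src, dst, dst_port, bytes).
# Five hosts with ordinary web traffic and one host sending many tiny flows.
NORMAL_HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.6"]
FLOWS = []
for host in NORMAL_HOSTS:
    FLOWS += [
        (host, "203.0.113.10", 443, 5000),
        (host, "203.0.113.11", 443, 20000),
        (host, "203.0.113.12", 80, 800),
    ]
FLOWS += [("10.0.0.5", f"203.0.113.{20 + i}", 22, 60) for i in range(9)]

# Constructed sample alerts, not from the paper: (alert_id, signature, src).
# Same signature on three hosts, so alert metadata alone cannot rank them.
ALERTS = [
    ("a-001", "SSH login attempt", "10.0.0.5"),
    ("a-002", "SSH login attempt", "10.0.0.1"),
    ("a-003", "SSH login attempt", "10.0.0.9"),  # no flows observed for this host
]


def bucket(nbytes):
    """Assumed traffic feature: log2 size class of a flow."""
    return int(math.log2(nbytes)) if nbytes > 0 else 0


def distribution(flows):
    """Normalised histogram of the feature over a non-empty list of flows."""
    counts = Counter(bucket(nbytes) for _, _, _, nbytes in flows)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 for identical, 1 for disjoint support."""
    keys = set(p) | set(q)
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in keys}

    def kl(a):
        return sum(a[k] * math.log2(a[k] / m[k]) for k in a if a[k] > 0)

    return 0.5 * kl(p) + 0.5 * kl(q)


def rank_alerts(alerts, flows):
    """Return (alert_id, signature, src, score) sorted by descending score.

    The score is the divergence between the alerting host's flow-size
    distribution and the distribution over all flows in the window.
    """
    baseline = distribution(flows)
    by_src = defaultdict(list)
    for flow in flows:
        by_src[flow[0]].append(flow)
    scored = []
    for alert_id, signature, src in alerts:
        host_flows = by_src.get(src, [])
        # No traffic evidence for this host: score 0 rather than guessing.
        score = js_divergence(distribution(host_flows), baseline) if host_flows else 0.0
        scored.append((score, alert_id, signature, src))
    scored.sort(reverse=True)
    return [(aid, sig, src, round(score, 3)) for score, aid, sig, src in scored]


def high_priority(alerts, flows, top_k):
    """Alert IDs an analyst should look at first."""
    return [aid for aid, _, _, _ in rank_alerts(alerts, flows)[:top_k]]


if __name__ == "__main__":
    for row in rank_alerts(ALERTS, FLOWS):
        print(row)
```

Three caveats a practitioner would want: the baseline here includes the alerting host's own flows, which dilutes the signal on a tiny sample but is negligible at the 20 billion flows the paper reports; an alert whose host has no observed flows scores 0 and should be surfaced as "no traffic evidence" rather than silently dropped to the bottom; and a divergent distribution is evidence of unusual behavior, not confirmation of compromise, so the top-k still needs the detailed analyst review the abstract describes.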
Notes
1. SQLMAP: http://sqlmap.org
2. Shodan: https://www.shodan.io; Rapid7: https://www.rapid7.com; Shadowserver: https://shadowserver.org/wiki
3. Signature name provided by Palo Alto Networks.
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Hiruta, S., Ikeda, S., Shima, S., Takakura, H. (2019). IDS Alert Priority Determination Based on Traffic Behavior. In: Attrapadung, N., Yagi, T. (eds) Advances in Information and Computer Security. IWSEC 2019. Lecture Notes in Computer Science, vol 11689. Springer, Cham. https://doi.org/10.1007/978-3-030-26834-3_11
DOI: https://doi.org/10.1007/978-3-030-26834-3_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26833-6
Online ISBN: 978-3-030-26834-3