Risk Assessment and Alert Prioritization for Intrusion Detection Systems

  • Conference paper
Ubiquitous Networking (UNet 2017)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10542)

Abstract

The main objective of an Intrusion Detection System (IDS) is to analyze system and network activity in order to detect unauthorized entry and malicious activity. IDSs protect a system or network from attack, misuse and compromise; they can also monitor network activity and check system and network configurations for vulnerabilities. When an IDS detects abnormal activity it raises alerts, which are presented to the security analyst. In practice an IDS generates a large number of alerts per day, many of them false alerts (false positives), which makes it difficult for the analyst to identify the alerts that correspond to real attacks. In this paper we review existing approaches to intrusion risk assessment and alert prioritization and propose a new model whose objective is to determine the criticality of a given event for the security status of a network. Most existing approaches rely on manual risk assessment and are therefore not suitable for real-time use. In our approach the risk of an alert is evaluated as a composition of parameters carried by the alert itself; we also evaluate the risk of a cluster of alerts (a meta-alert). We then integrate this risk assessment model with our previous work and use the resulting scores to prioritize the alerts produced by the IDS and to raise an alarm when the risk is high.
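The per-alert risk composition and the meta-alert aggregation described in the abstract, as an added Python example that is not the paper's own model (the abstract does not give its formula): it parses constructed Snort alert_fast lines, scores each alert from its signature priority together with an assumed per-signature reliability and an assumed asset value of the target host, clusters alerts on (source, destination, signature id) into meta-alerts, and raises an alarm when the meta-alert risk crosses a threshold. The signature ids and messages, host addresses, reliability and asset tables, the product composition and the repetition boost are all assumptions of this example.

```python
"""Alert risk scoring and prioritization over Snort-style fast alerts.

Added illustration only: the abstract says risk is composed from per-alert
parameters and then aggregated over clusters of alerts (meta-alerts), but
does not give the formula.  The parameters used here (signature priority,
assumed detector reliability per signature, assumed asset value of the
target) and the weighted-product composition are this example's own
assumptions, not the paper's model.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Snort alert_fast layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src[:port] -> dst[:port]
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample log (signature ids, messages and hosts are invented):
# three repeated high-priority alerts against a critical host, five
# low-priority pings against a low-value host, one medium-priority web alert.
SAMPLE_LOG = """\
08/21-10:00:01.000000  [**] [1:2001:3] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51022 -> 10.0.0.5:22
08/21-10:00:02.000000  [**] [1:2001:3] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51023 -> 10.0.0.5:22
08/21-10:00:03.000000  [**] [1:2001:3] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51024 -> 10.0.0.5:22
08/21-10:00:04.000000  [**] [1:3005:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.2 -> 10.0.0.20
08/21-10:00:05.000000  [**] [1:3005:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.2 -> 10.0.0.20
08/21-10:00:06.000000  [**] [1:3005:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.2 -> 10.0.0.20
08/21-10:00:07.000000  [**] [1:3005:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.2 -> 10.0.0.20
08/21-10:00:08.000000  [**] [1:3005:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.2 -> 10.0.0.20
08/21-10:00:09.000000  [**] [1:4010:2] Web app directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 192.0.2.9:40112 -> 10.0.0.5:80
"""

# Assumed per-signature reliability (roughly 1 - false-positive rate seen for that rule).
RELIABILITY = {2001: 0.9, 3005: 0.2, 4010: 0.7}
# Assumed asset value of destination hosts (1.0 = most critical).
ASSET_VALUE = {"10.0.0.5": 1.0, "10.0.0.20": 0.4}


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    priority: int
    src: str
    dst: str


def parse_fast_alerts(text: str) -> list[Alert]:
    """Parse alert_fast lines; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if m:
            alerts.append(Alert(m["ts"], int(m["sid"]), m["msg"], int(m["prio"]), m["src"], m["dst"]))
    return alerts


def severity(priority: int) -> float:
    """Snort priority 1 is the most severe; map it onto [0, 1]."""
    return {1: 1.0, 2: 0.6, 3: 0.3}.get(priority, 0.1)


def alert_risk(a: Alert) -> float:
    """Assumed composition: severity x detector reliability x asset value of the target."""
    return round(severity(a.priority) * RELIABILITY.get(a.sid, 0.5) * ASSET_VALUE.get(a.dst, 0.2), 3)


def cluster(alerts: list[Alert]) -> dict[tuple[str, str, int], list[Alert]]:
    """Group alerts into meta-alerts keyed on (source, destination, signature id)."""
    groups: dict[tuple[str, str, int], list[Alert]] = defaultdict(list)
    for a in alerts:
        groups[(a.src, a.dst, a.sid)].append(a)
    return groups


def meta_alert_risk(members: list[Alert]) -> float:
    """Assumed aggregation: highest member risk, raised 10% per repeat, capped at 1.0."""
    base = max(alert_risk(a) for a in members)
    return round(min(1.0, base * (1 + 0.1 * (len(members) - 1))), 3)


def prioritize(alerts: list[Alert], alarm_threshold: float = 0.5) -> list[dict]:
    """Rank meta-alerts by descending risk; those at or above the threshold become alarms."""
    ranked = []
    for (src, dst, sid), members in cluster(alerts).items():
        risk = meta_alert_risk(members)
        ranked.append({"src": src, "dst": dst, "sid": sid, "msg": members[0].msg,
                       "count": len(members), "risk": risk, "alarm": risk >= alarm_threshold})
    ranked.sort(key=lambda m: m["risk"], reverse=True)
    return ranked


if __name__ == "__main__":
    for m in prioritize(parse_fast_alerts(SAMPLE_LOG)):
        flag = "ALARM" if m["alarm"] else "     "
        print(f"{flag} risk={m['risk']:.3f} x{m['count']} sid={m['sid']} {m['src']} -> {m['dst']} {m['msg']}")
```

On the constructed log the three SSH alerts against the critical host collapse into one meta-alert whose risk saturates at 1.0 and becomes the only alarm, the single web alert ranks second at 0.42, and the five pings from a low-reliability rule against a low-value host stay at 0.034 despite being the most numerous cluster; that ordering, not the raw alert count, is what the analyst sees first.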

Author information

Corresponding author

Correspondence to El Mostapha Chakir.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Chakir, E.M., Moughit, M., Khamlichi, Y.I. (2017). Risk Assessment and Alert Prioritization for Intrusion Detection Systems. In: Sabir, E., García Armada, A., Ghogho, M., Debbah, M. (eds) Ubiquitous Networking. UNet 2017. Lecture Notes in Computer Science, vol 10542. Springer, Cham. https://doi.org/10.1007/978-3-319-68179-5_56

  • DOI: https://doi.org/10.1007/978-3-319-68179-5_56

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-68178-8

  • Online ISBN: 978-3-319-68179-5
