Abstract
In a complex network with intrusion detection and logging, a huge number of alerts and logs are generated to report the status of the network, servers, systems, and applications running on this network. The administrator(s) are required to analyze these pieces of information to generate an overview of the network, hacking attempts, and vulnerable points within the network. Unfortunately, with the enormous number of alerts and recorded events that grows as the network grows, this task is almost impossible without an analysis and reporting model. Alert and event correlation is a process in which the alerts produced by one or more intrusion detection systems and the events generated by different systems and security tools are analyzed and correlated to provide a more succinct and high-level view of occurring or attempted intrusions and attacks. While the existing correlation techniques improve the intrusion detection results and reduce the huge number of alerts to a summarized report, they still have some drawbacks. This article presents a modular framework for a Distributed Agent Correlation Model (DACM) for intrusion detection alerts and events in computer networks. The framework supports the integration of multiple correlation techniques. It introduces a multi-agent distributed model in a hierarchical organization; it correlates alerts from the IDS with attack signatures from information security tools and with either system or application log files as other sources of information. The agent model is inspired by the bio-distribution of cooperating members of a society that achieve a common goal. Each local agent aggregates/correlates events from its source according to a specific pattern matching.
Correlation between multiple sources of information and the integration of these correlation agents together form a complete integrated correlation system and reduce both false negative and false positive alerts, enhancing intrusion detection accuracy and completeness. The model has been implemented and tested using a set of datasets. The proposed agent models and algorithms have been implemented, analyzed, and evaluated to measure detection and correlation rates and the reduction rate of false positive and false negative alerts. The results showed that DACM enhances both the accuracy and completeness of intrusion detection by reducing both false positive and false negative alerts; it also enhances the early detection of new threats.
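The hierarchy the abstract describes, as an added illustration that is not the chapter's own code: one local agent per source (IDS, vulnerability scanner, system log) applies that source's patterns and aggregates hits, and a root agent correlates the per-source results to confirm alerts, downgrade likely false positives, and surface likely false negatives. The sample records, the placeholder CVE-EXAMPLE ids, the SSH-BRUTE tag and the threshold of two failed logins are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not from the chapter). Each record names the host it
# concerns; the CVE-EXAMPLE-* ids are placeholders, not real vulnerability ids.
IDS_ALERTS = ["10.0.0.5 CVE-EXAMPLE-1", "10.0.0.5 CVE-EXAMPLE-1",
              "10.0.0.7 CVE-EXAMPLE-2", "10.0.0.9 SSH-BRUTE"]
SCANNER = ["10.0.0.5 CVE-EXAMPLE-1", "10.0.0.8 CVE-EXAMPLE-2"]
SYSLOG = ["sshd[411]: Failed password for root from 10.0.0.9 port 5001",
          "sshd[411]: Failed password for root from 10.0.0.9 port 5002",
          "sshd[412]: Failed password for admin from 10.0.0.12 port 5003",
          "sshd[412]: Failed password for admin from 10.0.0.12 port 5004",
          "sshd[413]: Accepted publickey for deploy from 10.0.0.3 port 5005"]

class LocalAgent:
    """One agent per source: matches that source's patterns against raw records and
    aggregates hits into (host, signature) pairs seen at least `threshold` times."""
    def __init__(self, source, patterns, threshold=1):
        self.source, self.patterns, self.threshold = source, patterns, threshold

    def aggregate(self, records):
        counts = Counter()
        for rec in records:
            for pattern, tag in self.patterns:
                m = re.search(pattern, rec)
                if m:  # a fixed tag (e.g. SSH-BRUTE) or the signature parsed from the record
                    counts[(m.group("host"), tag or m.group("sig"))] += 1
        return {key for key, n in counts.items() if n >= self.threshold}

def root_correlate(reports):
    """Top of the hierarchy: correlate the per-source sets of (host, signature) pairs."""
    ids, scan, logs = reports["ids"], reports["scanner"], reports["syslog"]
    return {
        # IDS alert whose signature matches a scanner-confirmed weakness on that host
        "confirmed": sorted(ids & scan),
        # IDS alert for a weakness the scanner says the host lacks: likely false positive
        "downgraded": sorted(a for a in ids if a[1].startswith("CVE") and a not in scan),
        # log-derived attack pattern with no IDS alert: candidate false negative
        "missed": sorted(logs - ids),
    }

def run_dacm():
    pair = r"(?P<host>\S+) (?P<sig>\S+)"
    reports = {
        "ids": LocalAgent("ids", [(pair, None)]).aggregate(IDS_ALERTS),
        "scanner": LocalAgent("scanner", [(pair, None)]).aggregate(SCANNER),
        "syslog": LocalAgent("syslog", [(r"Failed password for \S+ from (?P<host>\S+)",
                                          "SSH-BRUTE")], threshold=2).aggregate(SYSLOG),
    }
    return root_correlate(reports)
```

Downgraded alerts are kept at low priority rather than dropped, so a scanner blind spot does not silently discard a real attack.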
Acknowledgments
I would like to thank the Center for Education and Research of Information Assurance and Security (CERIAS), Purdue University, USA. I appreciate the valuable support of the CERIAS executive director Prof Eugene Spafford, and the generous effort of his staff, especially Information Assurance Research Engineer Keith Watson, for their cooperation during the scholar visit to the Center. They provided great resources to capture and collect the data needed for this work.
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
Cite this chapter
Bahaa-Eldin, A. (2014). A Bio-inspired Comprehensive Distributed Correlation Approach for Intrusion Detection Alerts and Events. In: Hassanien, A., Kim, TH., Kacprzyk, J., Awad, A. (eds) Bio-inspiring Cyber Security and Cloud Services: Trends and Innovations. Intelligent Systems Reference Library, vol 70. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43616-5_1
DOI: https://doi.org/10.1007/978-3-662-43616-5_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43615-8
Online ISBN: 978-3-662-43616-5
eBook Packages: Engineering (R0)