Abstract
This is the era of digitization; almost every service is now online. By one estimate, by 2020 India will have 730 million internet users and 175 million online shoppers, 70% of e-commerce transactions will be made via mobile, and 50% of travel transactions will be online [1]. Along with the growth of online services, the share of online crime is also increasing. Online services depend on internet protocols, and TCP is the most commonly used transport layer protocol on the web. Many attackers use anomalous TCP flag combinations to scan a system, so it is crucial to research and adopt ways to detect and prevent TCP packets that contain anomalous flags. An Intrusion Detection System (IDS) is a hardware/software system used to detect and prevent attacks; however, it may generate a large number of alerts, including false ones, and manually examining such a volume of alerts is time-consuming. Hence it is beneficial to generate meta-alerts that summarise similar alerts. In this work, an approach is proposed to detect, log and generate meta-alerts for packets that contain anomalous TCP flags. To analyse the performance and usefulness of the proposed method, an experiment was carried out using real network traffic and four well-known datasets: MIT/LL 1998, MIT/LL 1999, Honeynet, and MACCDC. Overall, 99.96% of alerts were reduced. A comparative analysis between the proposed work and existing work shows that the proposed method gives better results.
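The following is an added illustration, not the paper's own code, of the two steps the abstract describes: flagging packets whose TCP flag combinations are anomalous, then collapsing the resulting alerts into meta-alerts keyed on source, destination and anomaly type. The flag rule set, the record layout and the sample packets are assumptions constructed for the example; the paper's detection rules and datasets are not reproduced here.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flags(flags):
    """Label an anomalous flag combination, or return None if it looks legitimate.
    This rule set is an illustrative assumption, not the paper's detection logic."""
    if flags & 0x3F == 0:
        return "NULL"                      # no flags at all is never valid
    if flags & SYN and flags & FIN:
        return "SYN-FIN"                   # open and close in one segment
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        return "XMAS"                      # FIN+PSH+URG with no ACK
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN):
        return "NO-ACK"                    # only the initial SYN may omit ACK
    return None

def generate_meta_alerts(packets):
    """packets: iterable of (timestamp, src, dst, dport, flags) -> (alerts, meta-alerts)."""
    alerts = [{"ts": ts, "src": s, "dst": d, "dport": p, "type": classify_flags(f)}
              for ts, s, d, p, f in packets if classify_flags(f)]
    groups = defaultdict(list)             # one meta-alert per (src, dst, anomaly type)
    for a in alerts:
        groups[(a["src"], a["dst"], a["type"])].append(a)
    meta = [{"src": src, "dst": dst, "type": kind, "count": len(ms),
             "first": min(a["ts"] for a in ms), "last": max(a["ts"] for a in ms),
             "ports": sorted({a["dport"] for a in ms})}
            for (src, dst, kind), ms in groups.items()]
    return alerts, meta

def reduction_ratio(alerts, meta):
    """Fraction of raw alerts an analyst no longer has to read one by one."""
    return 1.0 - len(meta) / len(alerts) if alerts else 0.0

# Constructed sample traffic: one normal connection plus two probing hosts.
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.9", 80, SYN),              # normal handshake start
    (1.0, "10.0.0.7", "10.0.0.9", 22, 0),                # NULL probes on 3 ports
    (1.1, "10.0.0.7", "10.0.0.9", 23, 0),
    (1.2, "10.0.0.7", "10.0.0.9", 25, 0),
    (2.0, "10.0.0.7", "10.0.0.9", 80, FIN | PSH | URG),  # XMAS probe
    (3.0, "10.0.0.8", "10.0.0.9", 443, SYN | FIN),       # SYN-FIN probe
    (5.0, "10.0.0.5", "10.0.0.9", 80, FIN | ACK),        # normal close
]

if __name__ == "__main__":
    raw, meta = generate_meta_alerts(SAMPLE_PACKETS)
    print(f"{len(raw)} alerts -> {len(meta)} meta-alerts ({reduction_ratio(raw, meta):.0%} reduced)")
```

On the constructed sample the three NULL probes collapse into one meta-alert listing ports 22, 23 and 25, so five raw alerts become three meta-alerts.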
References
Saraswat, V.K.: Cyber Security Presentation [PowerPoint slides] (2018). Accessed at http://www.niti.gov.in/writereaddata/files/document_publication/NationalStrategy-for-AI-Discussion-Paper.pdf
Forouzan, B.A.: TCP/IP Protocol Suite, 4th edn. McGraw Hill Education, Delhi (2010)
Jacobson, V., Leres, C., McCanne, S.: LIBPCAP. Lawrence Berkeley Laboratory, Berkeley, CA (1994). Initial public release June
Roesch, M.: Snort: lightweight intrusion detection for networks. In: Lisa, vol. 99, no. 1, pp. 229–238, November 1999
Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45474-8_6
Siraj, A., Vaughn, R.B.: A cognitive model for alert correlation in a distributed environment. In: Kantor, P., et al. (eds.) ISI 2005. LNCS, vol. 3495, pp. 218–230. Springer, Heidelberg (2005). https://doi.org/10.1007/11427995_18
Siraj, A., Vaughn, R.B.: Alert correlation with abstract incident modeling in a multi-sensor environment. IJCSNS Int. J. Comput. Sci. Netw. Secur. 7(8), 8–19 (2007)
Tedesco, G., Aickelin, U.: Data reduction in intrusion alert correlation. arXiv preprint arXiv:0804.1281 (2008)
Harang, R., Guarino, P.: Clustering of Snort alerts to identify patterns and reduce analyst workload. In: Military Communications Conference, MILCOM 2012, pp. 1–6. IEEE, October 2012
Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: ACSAC, p. 0022. IEEE, December 2001
Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings 2002 IEEE Symposium on Security and Privacy, p. 202. IEEE, May 2002
Farhadi, H., AmirHaeri, M., Khansari, M.: Alert correlation and prediction using data mining and HMM. ISC Int. J. Inf. Secur. 3(2), 77–101 (2011)
Julisch, K., Dacier, M.: Mining intrusion detection alarms for actionable knowledge. In: Proceedings of the Eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 366–375. ACM, July 2002
Treinen, J.J., Thurimella, R.: A framework for the application of association rule mining in large intrusion detection infrastructures. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 1–18. Springer, Heidelberg (2006). https://doi.org/10.1007/11856214_1
Chyssler, T., Burschka, S., Semling, M., Lingvall, T., Burbeck, K.: Alarm reduction and correlation in intrusion detection systems. In: Detection of Intrusion and Malware & Vulnerability Assessment, DIMVA, pp. 9–24, June 2004
Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.A.: Comprehensive approach to intrusion detection alert correlation. IEEE Trans. Dependable Secure Comput. 1(3), 146–169 (2004)
Hofmann, A., Sick, B.: Online intrusion alert aggregation with generative data stream modeling. IEEE Trans. Dependable Secure Comput. 8(2), 282–294 (2011)
Morin, B., Mé, L., Debar, H., Ducassé, M.: M2D2: a formal data model for IDS alert correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 115–137. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36084-0_7
Ning, P., Cui, Y., Reeves, D.S.: Analyzing intensive intrusion alerts via correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 74–94. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36084-0_5
Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Techniques and tools for analyzing intrusion alerts. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(2), 274–318 (2004)
Siraj, A., Bridges, S.M., Vaughn, R.B.: Fuzzy cognitive maps for decision support in an intelligent intrusion detection system. In: 2001 Joint 9th IFSA World Congress and 20th NAFIPS International Conference, vol. 4, pp. 2165–2170. IEEE, July 2001
M.I.T. Lincoln Laboratory: 1998 DARPA Intrusion Detection Evaluation Dataset. https://www.ll.mit.edu/r-d/datasets/1998-darpa-intrusion-detection-evaluation-data-set. Accessed 05 May 2018
M.I.T. Lincoln Laboratory: 1999 DARPA Intrusion Detection Evaluation Dataset. https://www.ll.mit.edu/r-d/datasets/1999-darpa-intrusion-detection-evaluation-data-set. Accessed 05 May 2018
The Honeynet Project. http://www.honeynet.org/. Accessed 05 May 2018
Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC). http://www.netresec.com/?page=MACCDC. Accessed 05 May 2018
Lyon, G.: Nmap–free security scanner for network exploration & security audits (2009)
© 2019 Springer Nature Singapore Pte Ltd.
Cite this paper
Kushwah, D., Singh, R.R., Tomar, D.S. (2019). An Approach to Meta-Alert Generation for Anomalous TCP Traffic. In: Nandi, S., Jinwala, D., Singh, V., Laxmi, V., Gaur, M., Faruki, P. (eds) Security and Privacy. ISEA-ISAP 2019. Communications in Computer and Information Science, vol 939. Springer, Singapore. https://doi.org/10.1007/978-981-13-7561-3_15
DOI: https://doi.org/10.1007/978-981-13-7561-3_15
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-7560-6
Online ISBN: 978-981-13-7561-3