
An Approach to Meta-Alert Generation for Anomalous TCP Traffic

  • Conference paper
  • Published in: Security and Privacy (ISEA-ISAP 2019)
  • Part of the book series: Communications in Computer and Information Science (CCIS, volume 939)

Abstract

This is the era of digitization, and almost every service is now offered online. According to one estimate, by 2020 India will have 730 million internet users and 175 million online shoppers, 70% of e-commerce transactions will be made via mobile, and 50% of travel transactions will be online [1]. Along with the growth of online services, the share of online crime is also increasing. Online services rely on internet protocols to function, and TCP is the most commonly used transport layer protocol on the web. Many attackers use anomalous TCP flag combinations to scan a system, so it is crucial to research and adopt ways to detect and prevent TCP packets that carry anomalous flags. An Intrusion Detection System is a hardware/software system used to detect and prevent attacks; however, it may generate a large number of alerts, many of them false. Manually examining such a huge number of alerts is a time-consuming process, so it is beneficial to generate meta-alerts that summarise groups of similar alerts. In this research work, an approach is proposed to detect, log, and generate meta-alerts for packets that contain anomalous TCP flags. To analyse the performance and usefulness of the proposed method, an experiment was carried out using real network traffic and four well-known datasets, i.e. MIT/LL 1998, MIT/LL 1999, Honeynet, and MACCDC. It is observed that overall 99.96% of alerts were reduced. A comparative analysis between the proposed work and existing work shows that the proposed method gives better results.
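The pipeline the abstract describes, as an added illustration that is not the paper's code: a per-packet check for anomalous TCP flag combinations (the rule set is an assumption, since the paper does not list its rules), followed by aggregation of similar alerts into meta-alerts keyed on source, destination and reason, and the alert-reduction figure computed the way the abstract reports it. The packet records are constructed sample input.

```python
# Added example, not the paper's code: flag-anomaly detection followed by meta-alert
# aggregation. Which flag combinations count as anomalous is an assumption (the paper
# does not list its rules); the packet records below are constructed sample input.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def anomaly_reason(flags):
    """Label an illegal or scan-typical TCP flag combination, or return None."""
    if flags == 0:
        return "NULL"                    # no flags at all (NULL scan)
    if flags & SYN and flags & FIN:
        return "SYN+FIN"                 # open and close in the same segment
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        return "XMAS"                    # FIN+PSH+URG (XMAS scan)
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"         # a legitimate FIN segment carries ACK
    return None

def detect(packets):
    """One alert per packet whose flag field is anomalous (the per-packet log entry)."""
    return [dict(p, reason=r) for p in packets if (r := anomaly_reason(p["flags"]))]

def meta_alerts(alerts, window=60):
    """Merge alerts sharing (src, dst, reason) whose timestamps fall within `window`
    seconds of the meta-alert's first member; keep count, time span and ports."""
    merged, open_by_key = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["src"], a["dst"], a["reason"])
        m = open_by_key.get(key)
        if m is None or a["ts"] - m["first"] > window:    # open a new meta-alert
            m = {"src": a["src"], "dst": a["dst"], "reason": a["reason"],
                 "first": a["ts"], "last": a["ts"], "count": 0, "ports": set()}
            merged.append(m)
            open_by_key[key] = m
        m["last"], m["count"] = a["ts"], m["count"] + 1
        m["ports"].add(a["dport"])
    return merged

def reduction_percent(alerts, metas):
    """Alert reduction as the paper reports it: 100 * (1 - meta-alerts / alerts)."""
    return 100.0 * (1 - len(metas) / len(alerts)) if alerts else 0.0

def pkt(ts, src, dport, flags):          # constructed record, all aimed at 10.0.0.9
    return {"ts": ts, "src": src, "dst": "10.0.0.9", "dport": dport, "flags": flags}

# Constructed traffic: a NULL sweep and two XMAS probes from 10.0.0.5, one SYN+FIN
# probe from 10.0.0.7, and a normal SYN / FIN+ACK pair from 10.0.0.8 (no alert).
SAMPLE_PACKETS = ([pkt(i, "10.0.0.5", 20 + i, 0) for i in range(10)]
                  + [pkt(100, "10.0.0.5", 80, FIN | PSH | URG), pkt(101, "10.0.0.5", 443, FIN | PSH | URG)]
                  + [pkt(3, "10.0.0.7", 22, SYN | FIN)]
                  + [pkt(5, "10.0.0.8", 80, SYN), pkt(6, "10.0.0.8", 80, FIN | ACK)])
```

On SAMPLE_PACKETS, detect() raises 13 alerts and meta_alerts() collapses them into 3 meta-alerts (a 76.92% reduction); the NULL sweep becomes a single meta-alert listing all ten probed ports.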


References

  1. Saraswat, V.K.: Cyber Security Presentation [PowerPoint slides] (2018). http://www.niti.gov.in/writereaddata/files/document_publication/NationalStrategy-for-AI-Discussion-Paper.pdf
  2. Forouzan, B.A.: TCP/IP Protocol Suite, 4th edn. McGraw Hill Education, Delhi (2010)
  3. Jacobson, V., Leres, C., McCanne, S.: LIBPCAP. Lawrence Berkeley Laboratory, Berkeley, CA (1994). Initial public release June
  4. Roesch, M.: Snort: lightweight intrusion detection for networks. In: LISA, vol. 99, no. 1, pp. 229–238, November 1999
  5. Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45474-8_6
  6. Siraj, A., Vaughn, R.B.: A cognitive model for alert correlation in a distributed environment. In: Kantor, P., et al. (eds.) ISI 2005. LNCS, vol. 3495, pp. 218–230. Springer, Heidelberg (2005). https://doi.org/10.1007/11427995_18
  7. Siraj, A., Vaughn, R.B.: Alert correlation with abstract incident modeling in a multi-sensor environment. IJCSNS Int. J. Comput. Sci. Netw. Secur. 7(8), 8–19 (2007)
  8. Tedesco, G., Aickelin, U.: Data reduction in intrusion alert correlation. arXiv preprint arXiv:0804.1281 (2008)
  9. Harang, R., Guarino, P.: Clustering of Snort alerts to identify patterns and reduce analyst workload. In: Military Communications Conference, MILCOM 2012, pp. 1–6. IEEE, October 2012
  10. Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: ACSAC, p. 0022. IEEE, December 2001
  11. Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings 2002 IEEE Symposium on Security and Privacy, p. 202. IEEE, May 2002
  12. Farhadi, H., AmirHaeri, M., Khansari, M.: Alert correlation and prediction using data mining and HMM. ISC Int. J. Inf. Secur. 3(2), 77–101 (2011)
  13. Julisch, K., Dacier, M.: Mining intrusion detection alarms for actionable knowledge. In: Proceedings of the Eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 366–375. ACM, July 2002
  14. Treinen, J.J., Thurimella, R.: A framework for the application of association rule mining in large intrusion detection infrastructures. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 1–18. Springer, Heidelberg (2006). https://doi.org/10.1007/11856214_1
  15. Chyssler, T., Burschka, S., Semling, M., Lingvall, T., Burbeck, K.: Alarm reduction and correlation in intrusion detection systems. In: Detection of Intrusion and Malware & Vulnerability Assessment, DIMVA, pp. 9–24, June 2004
  16. Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.A.: Comprehensive approach to intrusion detection alert correlation. IEEE Trans. Dependable Secure Comput. 1(3), 146–169 (2004)
  17. Hofmann, A., Sick, B.: Online intrusion alert aggregation with generative data stream modeling. IEEE Trans. Dependable Secure Comput. 8(2), 282–294 (2011)
  18. Morin, B., Mé, L., Debar, H., Ducassé, M.: M2D2: a formal data model for IDS alert correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 115–137. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36084-0_7
  19. Ning, P., Cui, Y., Reeves, D.S.: Analyzing intensive intrusion alerts via correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 74–94. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36084-0_5
  20. Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Techniques and tools for analyzing intrusion alerts. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(2), 274–318 (2004)
  21. Siraj, A., Bridges, S.M., Vaughn, R.B.: Fuzzy cognitive maps for decision support in an intelligent intrusion detection system. In: 2001 Joint 9th IFSA World Congress and 20th NAFIPS International Conference, vol. 4, pp. 2165–2170. IEEE, July 2001
  22. M.I.T. Lincoln Laboratory: 1998 DARPA Intrusion Detection Evaluation Dataset. https://www.ll.mit.edu/r-d/datasets/1998-darpa-intrusion-detection-evaluation-data-set. Accessed 05 May 2018
  23. M.I.T. Lincoln Laboratory: 1999 DARPA Intrusion Detection Evaluation Dataset. https://www.ll.mit.edu/r-d/datasets/1999-darpa-intrusion-detection-evaluation-data-set. Accessed 05 May 2018
  24. The Honeynet Project. http://www.honeynet.org/. Accessed 05 May 2018
  25. Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC). http://www.netresec.com/?page=MACCDC. Accessed 05 May 2018
  26. Lyon, G.: Nmap – free security scanner for network exploration & security audits (2009)


Author information

Corresponding author: Deeksha Kushwah


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Kushwah, D., Singh, R.R., Tomar, D.S. (2019). An Approach to Meta-Alert Generation for Anomalous TCP Traffic. In: Nandi, S., Jinwala, D., Singh, V., Laxmi, V., Gaur, M., Faruki, P. (eds) Security and Privacy. ISEA-ISAP 2019. Communications in Computer and Information Science, vol 939. Springer, Singapore. https://doi.org/10.1007/978-981-13-7561-3_15


  • DOI: https://doi.org/10.1007/978-981-13-7561-3_15


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-7560-6

  • Online ISBN: 978-981-13-7561-3

  • eBook Packages: Computer Science (R0)
