ISM-AC: an immune security model based on alert correlation and software-defined networking

International Journal of Information Security (regular contribution)

Abstract

Anomaly-based detection techniques produce a high number of false positives, which degrades detection performance. To address this issue, we propose a distributed intrusion detection system, named ISM-AC, based on anomaly detection with an artificial immune system and attack graph correlation. To analyze network traffic, we use negative selection, clonal selection, and immune network algorithms to implement an agent-based detection system. ISM-AC leverages the programmability of software-defined networking to reduce the false positive rate. Our findings show that ISM-AC achieves better detection performance for the denial of service (DoS), user to root (U2R), remote to local (R2L), and probe attack classes. Alert correlation plays a key role in this achievement.
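The negative selection step named in the abstract is the part of the immune model that is easiest to see in code. The following is an added illustration, not code from the ISM-AC paper: a real-valued negative selection algorithm over a constructed set of per-host traffic feature vectors. The feature names, the benign cluster, the two attacker samples and the two radii are all assumptions made for the example (the paper's feature set and parameters are not given on this page). Candidate detectors are drawn at random and discarded if they lie within SELF_RADIUS of any benign sample; a new sample is flagged as non-self when it falls within DETECT_RADIUS of a surviving detector. The held-out false positive rate shows the effect the abstract is concerned with: benign samples near the edge of the self region can still be flagged.

```python
"""Real-valued negative selection over normalised per-host traffic features.

Added example (not ISM-AC code): the 'self' set is benign traffic, detectors
are random points that match no self sample, and a sample is flagged as
non-self (anomalous) when it falls within a detector's radius.
"""
import math
import random

# Assumed feature vector per host, each scaled to [0, 1]: packet rate,
# number of distinct destination ports, fraction of SYN-only segments.
FEATURES = ("pkts_per_s", "distinct_dports", "syn_ratio")
SELF_RADIUS = 0.25     # a candidate this close to any self sample is discarded
DETECT_RADIUS = 0.20   # a sample this close to a surviving detector is non-self


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def make_self_set(n=200, seed=1):
    """Constructed benign samples: a cluster around (0.2, 0.2, 0.2)."""
    rng = random.Random(seed)
    return [tuple(0.2 + rng.uniform(-0.1, 0.1) for _ in FEATURES) for _ in range(n)]


def generate_detectors(self_set, n_candidates=3000, seed=7):
    """Negative selection: keep only random candidates that match no self sample."""
    rng = random.Random(seed)
    detectors = []
    for _ in range(n_candidates):
        cand = tuple(rng.random() for _ in FEATURES)
        if all(euclid(cand, s) > SELF_RADIUS for s in self_set):
            detectors.append(cand)
    return detectors


def is_nonself(sample, detectors):
    """True when the sample lies inside any detector's detection radius."""
    return any(euclid(sample, d) <= DETECT_RADIUS for d in detectors)


def classify(samples, detectors):
    """Map each named sample to True (non-self, raise an alert) or False (self)."""
    return {name: is_nonself(vec, detectors) for name, vec in samples.items()}


def false_positive_rate(detectors, n=100, seed=3):
    """Fraction of held-out benign samples (same cluster, new seed) that alert."""
    held_out = make_self_set(n=n, seed=seed)
    return sum(is_nonself(s, detectors) for s in held_out) / n


# Constructed test samples: one benign host and two attackers.
SAMPLES = {
    "benign_host": (0.20, 0.20, 0.20),
    "syn_flooder": (0.95, 0.30, 0.98),   # high rate, one port, almost all SYN
    "port_scanner": (0.60, 0.95, 0.70),  # many distinct destination ports
}

if __name__ == "__main__":
    self_set = make_self_set()
    dets = generate_detectors(self_set)
    print(f"{len(dets)} detectors survived negative selection")
    for name, alert in classify(SAMPLES, dets).items():
        print(f"{name:13s} -> {'ALERT' if alert else 'self'}")
    print(f"held-out false positive rate: {false_positive_rate(dets):.2f}")
```

Using a larger radius for rejecting candidates (SELF_RADIUS) than for matching at detection time (DETECT_RADIUS) leaves a margin around the training data; shrinking that margin raises coverage of the non-self space but also raises the held-out false positive rate, which is exactly the trade-off the alert correlation stage is meant to absorb.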


Notes

  1. This paper is an extended version of our previous work [41] (a short six-page paper). In [41], we proposed the initial model of the system and a preliminary evaluation for DoS attacks. In this paper, we introduce the complete architecture of ISM-AC together with a thorough discussion and evaluation, including U2R, R2L, and probe attacks.

  2. https://www.linux-kvm.org.

  3. https://www.phpmyadmin.net.

  4. https://sourceforge.net/projects/lamahub/.

  5. http://xylos.wikidot.com/howto-linux-runxplico/.

  6. http://xylos.wikidot.com.

  7. https://tools.ietf.org/html/rfc854/.

  8. In a DoS Land attack, the attacker sends spoofed TCP SYN packets whose source and destination IP addresses and ports are identical. The target machine replies to itself, which can cause it to hang or crash [48].

  9. In a DoS PoD (Ping of Death) attack, the target machine is flooded with ICMP packets, classically oversized or malformed echo requests [20].

  10. A TCP flood consists of sending large volumes of TCP packets to the victim.

  11. An HTTP flood sends a high volume of HTTP requests to the web server at the application layer.

  12. Another HTTP-based DoS attack, against the Apache service. Slowloris establishes many connections to the target server and keeps them open for as long as possible. Once the connections are open, Slowloris keeps sending partial HTTP headers so that no request ever completes, tying up the server's connection pool [20].

  13. https://www.samba.org/.
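The DoS variants in notes 8 to 12 each leave a distinct, mechanically checkable trace in traffic. The following is an added example, not code from the ISM-AC paper or its evaluation: simple checks for Land (note 8), ICMP and TCP/SYN floods (notes 9 and 10) and Slowloris (note 12), run over constructed packet and HTTP connection records. The record fields, thresholds, window size and addresses are assumptions made for the example; an HTTP flood check (note 11) is the same per-bucket count applied to request logs and is not repeated here.

```python
"""Detection checks for the DoS variants in notes 8-12, run over constructed
packet and connection records (added example, not ISM-AC code).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float         # seconds
    proto: str        # "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags, e.g. "S" for SYN-only


@dataclass(frozen=True)
class HttpConn:
    src: str
    dst: str
    opened: float          # seconds
    header_complete: bool  # False while the client is still sending headers


def land_packets(pkts):
    """Note 8 (Land): spoofed SYN whose source and destination address and port coincide."""
    return [p for p in pkts if p.proto == "tcp" and "S" in p.flags
            and p.src == p.dst and p.sport == p.dport]


def flood_targets(pkts, proto, window=1.0, threshold=100, flag=None):
    """Notes 9-10: destinations receiving more than `threshold` packets of
    `proto` (optionally only those carrying `flag`) within one `window`-second bucket."""
    buckets = Counter()
    for p in pkts:
        if p.proto == proto and (flag is None or flag in p.flags):
            buckets[(p.dst, int(p.ts // window))] += 1
    return {k: v for k, v in buckets.items() if v > threshold}


def slowloris_sources(conns, now, max_age=15.0, threshold=50):
    """Note 12: sources holding more than `threshold` connections open past
    `max_age` seconds without ever completing the HTTP headers."""
    stuck = Counter((c.src, c.dst) for c in conns
                    if not c.header_complete and now - c.opened > max_age)
    return {k: v for k, v in stuck.items() if v > threshold}


def build_sample_traffic():
    """Constructed traffic: benign background, one Land packet, a SYN flood,
    an ICMP flood and a Slowloris client (all addresses are documentation ranges)."""
    pkts = [Packet(0.1 * i, "tcp", "10.0.0.2", 40000 + i, "10.0.0.5", 443, "S")
            for i in range(5)]                                           # benign handshakes
    pkts.append(Packet(0.3, "tcp", "10.0.0.5", 80, "10.0.0.5", 80, "S"))  # Land
    pkts += [Packet(1.0 + i / 300, "tcp", f"198.51.100.{i % 250}", 1024 + i,
                    "10.0.0.5", 80, "S") for i in range(300)]           # SYN flood, spoofed sources
    pkts += [Packet(2.0 + i / 150, "icmp", "203.0.113.9", 0, "10.0.0.5", 0)
             for i in range(150)]                                        # ICMP flood
    conns = [HttpConn("192.0.2.7", "10.0.0.5", opened=0.0, header_complete=False)
             for _ in range(60)]                                         # Slowloris
    conns.append(HttpConn("10.0.0.2", "10.0.0.5", opened=29.0, header_complete=True))
    return pkts, conns


def run_checks(pkts, conns, now):
    """Run every check and return the findings keyed by attack name."""
    return {
        "land": len(land_packets(pkts)),
        "syn_flood": flood_targets(pkts, "tcp", flag="S"),
        "icmp_flood": flood_targets(pkts, "icmp"),
        "slowloris": slowloris_sources(conns, now),
    }


if __name__ == "__main__":
    pkts, conns = build_sample_traffic()
    for name, finding in run_checks(pkts, conns, now=30.0).items():
        print(f"{name:10s}: {finding}")
```

The Land check is a pure per-packet signature and needs no state; the flood checks need only a per-destination counter per time bucket, which is the kind of aggregate an SDN controller can compute from flow statistics; Slowloris is the one that cannot be seen in packet counts at all and needs connection-level state from the server or a proxy.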

References

  1. Ahmad, A., Idris, N.B., Kama, M.N.: CloudIDS: cloud intrusion detection model inspired by dendritic cell mechanism. Int. J. Commun. Netw. Inf. Secur. (IJCNIS) 9(1), 1–5 (2017)

  2. Alidoosti, M., Nowroozi, A., Nickabadi, A.: Evaluating the web-application resiliency to business-layer DoS attacks. ETRI J. 42, 433–445 (2020)

  3. Ambedkar, Ch., Kishore Babu, V.: Detection of probe attacks using machine learning techniques. Int. J. Res. Stud. Comput. Sci. Eng. (IJRSCSE) 2(3), 25–29 (2015)

  4. Barik, M.S., Sengupta, A., Mazumdar, C.: Attack graph generation and analysis techniques. Defence Sci. J. 66(6) (2016)

  5. Buragohain, C., Medhi, N.: FlowTrApp: an SDN based architecture for DDoS attack detection and mitigation in data centers. In: 2016 3rd International Conference on Signal Processing and Integrated Networks (SPIN), pp. 519–524. IEEE (2016)

  6. Chen, M.-H., Chang, P.-C., Jheng-Long, W.: A population-based incremental learning approach with artificial immune system for network intrusion detection. Eng. Appl. Artif. Intel. 51, 171–181 (2016)

  7. Chung, C.-J., Khatkar, P., Xing, T., Lee, J., Huang, D.: NICE: network intrusion detection and countermeasure selection in virtual network systems. IEEE Trans. Depend. Secure Comput. 10(4), 198–211 (2013)

  8. Dong, S., Abbas, K., Jain, R.: A survey on distributed denial of service (DDoS) attacks in SDN and cloud computing environments. IEEE Access 7, 80813–80828 (2019)

  9. Elhaj, M.M.K., Hamrawi, H., Suliman, M.M.A.: A multi-layer network defense system using artificial immune system. In: 2013 International Conference on Computing, Electrical and Electronics Engineering (ICCEEE), pp. 232–236. IEEE (2013)

  10. Farid, D., Darmont, J., Harbi, N., Nguyen, H.H., Rahman, M.Z.: Adaptive network intrusion detection learning: attribute selection and classification. In: International Conference on Computer Systems Engineering (ICCSE 2009), p. TH60000 (2009)

  11. Fogel, D.B.: Evolutionary Computation: Toward a New Philosophy of Machine Intelligence. Wiley-IEEE Press (2005)

  12. Forrest, S., Perelson, A.S., Allen, L., Cherukuri, R.: Self-nonself discrimination in a computer. In: 1994 IEEE Computer Society Symposium on Research in Security and Privacy, Proceedings, pp. 202–212. IEEE (1994)

  13. Fredj, O.B.: A realistic graph-based alert correlation system. Secur. Commun. Netw. 8(15), 2477–2493 (2015)

  14. Frigault, M., Wang, L.: Measuring network security using Bayesian network-based attack graphs. In: Annual IEEE International Computer Software and Applications Conference, pp. 698–703. IEEE (2008)

  15. Garcia-Teodoro, P., Diaz-Verdejo, J., Maciá-Fernández, G., Vázquez, E.: Anomaly-based network intrusion detection: techniques, systems and challenges. Comput. Secur. 28(1–2), 18–28 (2009)

  16. Gogoi, P., Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: Packet and flow based network intrusion dataset. In: International Conference on Contemporary Computing, pp. 322–334. Springer (2012)

  17. Halvaiee, N.S., Akbari, M.K.: A novel model for credit card fraud detection using artificial immune systems. Appl. Soft Comput. 24, 40–49 (2014)

  18. Hubballi, N., Suryanarayanan, V.: False alarm minimization techniques in signature-based intrusion detection systems: a survey. Comput. Commun. 49, 1–17 (2014)

  19. Igbe, O., Darwish, I., Saadawi, T.: Distributed network intrusion detection systems: an artificial immune system approach. In: 2016 IEEE First International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE), pp. 101–106. IEEE (2016)

  20. Imperva: Imperva Incapsula (2019). https://www.incapsula.com/

  21. Janeway Jr, C.A., Travers, P., Walport, M., Shlomchik, M.J.: The complement system and innate immunity. In: Immunobiology: The Immune System in Health and Disease, 5th edn. Garland Science (2001)

  22. Jensen, F.V.: An Introduction to Bayesian Networks. UCL Press, London (1996)

  23. Jerne, N.K.: Towards a network theory of the immune system. Ann. Immunol. 125, 373–389 (1974)

  24. Jeya, G.P., Ravichandran, M., Ravichandran, C.S.: Efficient classifier for R2L and U2R attacks. Int. J. Comput. Appl. 45(21), 29 (2012)

  25. Jha, M., Acharya, R.: An immune inspired unsupervised intrusion detection system for detection of novel attacks. In: 2016 IEEE Conference on Intelligence and Security Informatics (ISI), pp. 292–297. IEEE (2016)

  26. Jha, S., Sheyner, O., Wing, J.: Two formal analyses of attack graphs. In: Proceedings 15th IEEE Computer Security Foundations Workshop (CSFW-15), pp. 49–63. IEEE (2002)

  27. Kalliola, A., Lee, K., Lee, H., Aura, T.: Flooding DDoS mitigation and traffic management with software defined networking. In: 2015 IEEE 4th International Conference on Cloud Networking (CloudNet), pp. 248–254. IEEE (2015)

  28. King, R.L., Russ, S.H., Lambert, A.B., Reese, D.S.: An artificial immune system model for intelligent agents. Fut. Gen. Comput. Syst. 17(4), 335–343 (2001)

  29. Kreutz, D., Ramos, F.M.V., Veríssimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2015)

  30. Kreutz, D., Malichevskyy, O., Feitosa, E., Cunha, H., da Rosa Righi, R., de Macedo, D.D.J.: A cyber-resilient architecture for critical security services. J. Netw. Comput. Appl. 63, 173–189 (2016)

  31. Kreutz, D., Ramos, F.M.V., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2015)

  32. Kwon, K., Ahn, S., Chung, J.W.: Network security management using ARP spoofing. In: International Conference on Computational Science and Its Applications, pp. 142–149. Springer (2004)

  33. Lei, J., Li, Z.: Using network attack graph to predict the future attacks. In: Second International Conference on Communications and Networking in China, pp. 403–407 (2007)

  34. Lim, S., Ha, J., Kim, H., Kim, Y., Yang, S.: A SDN-oriented DDoS blocking scheme for botnet-based attacks. In: 2014 Sixth International Conference on Ubiquitous and Future Networks (ICUFN), pp. 63–68. IEEE (2014)

  35. Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.: Analysis and results of the 1999 DARPA off-line intrusion detection evaluation. In: International Workshop on Recent Advances in Intrusion Detection, pp. 162–182. Springer (2000)

  36. Mahoney, M.V., Chan, P.K.: An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In: International Workshop on Recent Advances in Intrusion Detection, pp. 220–237. Springer (2003)

  37. Massachusetts Institute of Technology: 1999 DARPA intrusion detection evaluation data set (2019). https://www.ll.mit.edu/r-d/datasets/1999-darpa-intrusion-detection-evaluation-data-set/

  38. McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. Inf. Syst. Secur. (TISSEC) 3(4), 262–294 (2000)

  39. Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. IEEE Secur. Privacy 4(6), 85–89 (2006)

  40. Melo, R.V., de Macedo, D.D.J., Dantas, M.A.R., de Bona, L.C.E.: A novel immune detection approach enhanced by attack graph based correlation. In: 24th IEEE Symposium on Computers and Communications (ISCC). IEEE (2019)

  41. Melo, R.V., Macedo, D.D.J.: A cloud immune security model based on alert correlation and software defined network. In: 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), pp. 52–57. IEEE (2019)

  42. Moustafa, N., Slay, J.: UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: Military Communications and Information Systems Conference (MilCIS) 2015, pp. 1–6. IEEE (2015)

  43. Moussaid, N.El., Toumanari, A., Azhari, M.El: Security analysis as software-defined security for SDN environment. In: 2017 Fourth International Conference on Software Defined Systems (SDS), pp. 87–92. IEEE (2017)

  44. National Institute of Standards and Technology: National Vulnerability Database (2019). https://nvd.nist.gov/

  45. Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: USENIX Security Symposium, p. 8. Baltimore, MD (2005)

  46. Pearl, J.: Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. Elsevier (2014)

  47. Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)

  48. Radware: DDoS Warriors (2019). https://security.radware.com/

  49. Ramakrishnan, S., Srinivasan, S.: Intelligent agent based artificial immune system for computer security: a review. Artif. Intell. Rev. 32(1–4), 13 (2009)

  50. Rammig, F., Stahl, K., Vaz, G.: A framework for enhancing dependability in self-x systems by artificial immune systems. In: 2013 IEEE 16th International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing (ISORC), pp. 1–10. IEEE (2013)

  51. Ramos, F.M.V., Kreutz, D., Verissimo, P.: Software-defined networks: on the road to the softwarization of networking. Cutter IT Journal (2015)

  52. Roschke, S., Cheng, F., Meinel, C.: High-quality attack graph-based IDS correlation. Logic J. IGPL 21(4), 571–591 (2013)

  53. Roschke, S., Cheng, F., Meinel, C.: A new alert correlation algorithm based on attack graph. In: Computational Intelligence in Security for Information Systems, pp. 58–67. Springer (2011)

  54. Seresht, N.A., Azmi, R.: MAIS-IDS: a distributed intrusion detection system using multi-agent AIS approach. Eng. Appl. Artif. Intell. 35, 286–298 (2014)

  55. Singh, R., Kumar, H., Singla, R.K., Ketti, R.R.: Internet attacks and intrusion detection system: a review of the literature. Online Inf. Rev. (2017)

  56. Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.A.: A detailed analysis of the KDD Cup 99 data set. In: IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA 2009), pp. 1–6. IEEE (2009)

  57. University of California, Irvine: KDD Cup 1999 data (2019). http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html/

  58. University of New Brunswick: NSL-KDD dataset (2019). http://www.unb.ca/cic/datasets/nsl.html/

  59. Vasudevan, A., Harshini, E., Selvakumar, S.: SSENet-2011: a network intrusion detection system dataset and its comparison with KDD Cup 99 dataset. In: 2011 Second Asian Himalayas International Conference on Internet (AH-ICI), pp. 1–5. IEEE (2011)

  60. Viet, H.N., Van, Q.N., Trang, L.L.T., Nathan, S.: Using deep learning model for network scanning detection. In: Proceedings of the 4th International Conference on Frontiers of Educational Technologies (ICFET '18), pp. 117–121. Association for Computing Machinery, New York, NY, USA (2018)

  61. Vishwakarma, R., Jain, A.K.: A survey of DDoS attacking techniques and defence mechanisms in the IoT network. Telecommun. Syst. 73(4), 3–25 (2020)

  62. Wang, L., Islam, T., Long, T., Singhal, A., Jajodia, S.: An attack graph-based probabilistic security metric. In: IFIP Annual Conference on Data and Applications Security and Privacy, pp. 283–296. Springer (2008)

  63. Yusof, R., Selamat, S.R., Sahib, S.: Intrusion alert correlation technique analysis for heterogeneous log. IJCSNS Int. J. Comput. Sci. Netw. Secur. 8(9), 132–138 (2008)

  64. Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)


Acknowledgements

The authors would like to thank CAPES (Coordenação de Aperfeiçoamento de Pessoal de Nível Superior) for the financial support. Lastly, we would like to thank Bruno V. Melo for his help in designing the figures used in this paper.

Funding

Part of this study was funded by CAPES (Coordenação de Aperfeiçoamento de Pessoal de Nível Superior).

Author information

Corresponding author

Correspondence to Douglas D. J. de Macedo.

Ethics declarations

Conflict of interest

Author A has received research grants from CAPES (Coordenação de Aperfeiçoamento de Pessoal de Nível Superior). Author A declares that he has no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Melo, R.V., de Macedo, D.D.J., Kreutz, D. et al. ISM-AC: an immune security model based on alert correlation and software-defined networking. Int. J. Inf. Secur. 21, 191–205 (2022). https://doi.org/10.1007/s10207-021-00550-x

  • DOI: https://doi.org/10.1007/s10207-021-00550-x
