DOI:10.1145/1244002.1244067

RAAS: a reliable analyzer and archiver for snort intrusion detection system

Published: 11 March 2007

Abstract

One of the primary challenges in IDS alert analysis is controlling and archiving the huge volume of alerts that are triggered, mainly during attack periods. We have developed a self-adaptive controlling mechanism that archives the alerts generated by Snort in a well-formed, abstracted format. An appropriate hashing technique, combined with a fully automated time-based hierarchical archiving approach, is used to this end. The developed system prevents the Snort database from growing uncontrollably and unexpectedly. Results from experiments and test cases show that, especially in critical attack situations, the system responds to queries in a reasonable amount of time. The analyzer with the new archiving approach is also able to compress the generated alerts effectively and to generate statistical reports quickly. The system is platform independent and can be deployed on mid-range servers and workstations; using it does not require a high degree of security expertise.
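The abstract describes the approach only at a high level. The following is an added example, not the RAAS code, showing one way to implement hash-keyed, time-bucketed archiving of Snort alerts in Python. The input format is Snort's real alert_fast output (which omits the year unless Snort runs with -y, so the year is passed in); the record layout, the SHA-256 digest used as the compact key, the hour-to-day hierarchy and the "hot hour" roll-up rule that stands in for the paper's self-adaptive control are all this example's own assumptions about what the abstraction could look like, and the sample alert lines are constructed rather than captured.

```python
"""Hash-keyed, time-bucketed archiving of Snort alerts.

Constructed illustration of the archiving idea in the abstract, not the RAAS
code: record layout, digest, hour -> day hierarchy and the "hot hour" rule are
this example's own assumptions.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Snort "alert_fast" line: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**]
# [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
# The year is absent unless Snort runs with -y, so the caller supplies it.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*\d+\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line, year):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None}

def alert_key(a):
    """Digest of the fields that stay constant across a burst of one alert.

    Timestamp and source port change per packet and are left out so a flood
    collapses onto one key. 128 bits of SHA-256 are kept: a collision needs
    on the order of 2^64 distinct keys, far beyond any alert archive.
    """
    stable = f"{a['gid']}:{a['sid']}|{a['proto']}|{a['src']}|{a['dst']}|{a['dport']}"
    return hashlib.sha256(stable.encode()).hexdigest()[:32]

def new_record():
    return {"count": 0, "msg": None, "first": None, "last": None}

def _merge(rec, msg, first, last, n=1):
    """Fold n occurrences spanning [first, last] into an archive record."""
    rec["count"] += n
    rec["msg"] = msg
    rec["first"] = first if rec["first"] is None else min(rec["first"], first)
    rec["last"] = last if rec["last"] is None else max(rec["last"], last)

def archive_hourly(lines, year):
    """Level 1 of the hierarchy: one record per (hour, alert key)."""
    hourly, parsed = defaultdict(new_record), 0
    for line in lines:
        a = parse_fast_alert(line, year)
        if a is None:
            continue  # not an alert line; a real archiver would count these
        parsed += 1
        hour = a["ts"].strftime("%Y-%m-%dT%H")
        _merge(hourly[(hour, alert_key(a))], a["msg"], a["ts"], a["ts"])
    return dict(hourly), parsed

def roll_up(hourly, hot_threshold):
    """Level 2: fold hourly records into daily ones.

    Every hour is summarised into its day. An hour whose total volume exceeds
    hot_threshold (an attack period) also loses its hourly records, so only the
    daily summary remains for it: granularity coarsens exactly where the flood
    is, which keeps archive growth bounded.
    """
    per_hour = defaultdict(int)
    for (hour, _), rec in hourly.items():
        per_hour[hour] += rec["count"]
    daily, kept_hourly = defaultdict(new_record), {}
    for (hour, key), rec in hourly.items():
        _merge(daily[(hour[:10], key)], rec["msg"], rec["first"], rec["last"], rec["count"])
        if per_hour[hour] <= hot_threshold:
            kept_hourly[(hour, key)] = rec
    return dict(daily), kept_hourly

def constructed_alerts():
    """Constructed input, not captured traffic: a 500-packet worm flood from one
    host in hour 21, three pings from three hosts in hour 22, one non-alert line."""
    flood = [f"08/28-21:{i // 60:02d}:{i % 60:02d}.000001  [**] [1:2003:8] MS-SQL Worm propagation "
             f"attempt [**] [Classification: Misc Attack] [Priority: 2] {{UDP}} "
             f"10.0.0.5:{1024 + i} -> 192.168.1.20:1434" for i in range(500)]
    pings = [f"08/28-22:05:0{i}.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
             f"[Priority: 3] {{ICMP}} 10.0.0.{7 + i} -> 192.168.1.1" for i in range(3)]
    return flood + pings + ["Initializing Network Interface eth0"]

def summarize(lines, year=2006, hot_threshold=100):
    """Archive the lines and report how far the flood was compressed."""
    hourly, parsed = archive_hourly(lines, year)
    daily, kept = roll_up(hourly, hot_threshold)
    return {"parsed": parsed, "hourly_records": len(hourly), "kept_hourly": len(kept),
            "daily_records": len(daily),
            "largest_record": max(r["count"] for r in daily.values())}
```

On the constructed input, 503 alerts collapse to four daily records, and the flood hour keeps no hourly detail at all. The trade-off a practitioner must accept is that an aggregated record cannot be expanded back into individual packets (payload and source port are gone), so the raw alerts should be retained for a fixed window before the summary replaces them, and the stable field string should be stored alongside its digest so records remain queryable by signature or host rather than only by hash.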

Published In

SAC '07: Proceedings of the 2007 ACM symposium on Applied computing
March 2007
1688 pages
ISBN:1595934804
DOI:10.1145/1244002
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. IDS analyzer
  2. archiving
  3. intrusion detection system
  4. snort

Qualifiers

  • Article

Conference

SAC07

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Cited By

  • (2017) Using Sports Plays to Configure Honeypots Environments to form a Virtual Security Shield. Computer and Network Security Essentials, pp. 189-204. DOI:10.1007/978-3-319-58424-9_11. Online publication date: 13-Aug-2017.
  • (2013) Enhancing False Alarm Reduction Using Voted Ensemble Selection in Intrusion Detection. International Journal of Computational Intelligence Systems 6(4), pp. 626-638. DOI:10.1080/18756891.2013.802114. Online publication date: Aug-2013.
  • (2012) A case study: Intelligent false alarm reduction using fuzzy if-then rules in network intrusion detection. 2012 9th International Conference on Fuzzy Systems and Knowledge Discovery, pp. 505-509. DOI:10.1109/FSKD.2012.6233768. Online publication date: May-2012.
  • (2011) Visual Mining Intrusion Behaviors by Using Swarm Technology. 2011 44th Hawaii International Conference on System Sciences, pp. 1-7. DOI:10.1109/HICSS.2011.486. Online publication date: Jan-2011.
  • (2010) Multistage attack detection system for network administrators using data mining. Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, pp. 1-4. DOI:10.1145/1852666.1852722. Online publication date: 21-Apr-2010.
  • (2010) Alerts visualization and clustering in network-based intrusion detection. Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, pp. 1-4. DOI:10.1145/1852666.1852712. Online publication date: 21-Apr-2010.
  • (2010) Optimal Allocation of the Active Filters Based on the Tabu Algorithm in Distribution Network. 2010 International Conference on Electrical and Control Engineering, pp. 1418-1421. DOI:10.1109/iCECE.2010.351. Online publication date: Jun-2010.
  • (2010) Alerts Analysis and Visualization in Network-based Intrusion Detection Systems. 2010 IEEE Second International Conference on Social Computing, pp. 785-790. DOI:10.1109/SocialCom.2010.120. Online publication date: Aug-2010.
  • (2010) Swarm-Based Knowledge Discovery for Intrusion Behavior Discovering. 2010 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, pp. 270-275. DOI:10.1109/CyberC.2010.56. Online publication date: Oct-2010.
  • (2010) Automatic Signature Generation for Network Services through Selective Extraction of Anomalous Contents. Proceedings of the 2010 Sixth Advanced International Conference on Telecommunications, pp. 370-375. DOI:10.1109/AICT.2010.22. Online publication date: 9-May-2010.
