Abstract
As an ANIDS (anomaly-based network intrusion detection system) or, more generally, an IDS (intrusion detection system) monitors network-wide traffic, it generates warning messages (alerts) that indicate attack, suspicious, or legitimate events. Because IDSs are widely deployed, they may generate an overwhelming number of alerts in which true alerts are mixed with false ones. Managing such alerts is therefore necessary to get to the origin of an attack, so that survival measures can be taken as early as possible. This chapter focuses on alert management and network anomaly prevention techniques. Alert management comprises several components, viz., alert clustering, alert merging, alert frequency, alert link, alert association, intention recognition, and alert correlation. Network traffic anomaly prevention techniques cover the basic concepts of ANIPS (anomaly-based network intrusion prevention system), attack coverage, features of ANIPS, and selection of the right ANIPS for deployment. Finally, the chapter presents the pros and cons of both alert management and anomaly-based network intrusion prevention techniques.
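To make the alert management components named in the abstract concrete, the following is an added example (not code from the chapter or its authors) that takes a constructed stream of IDS alerts, clusters and merges duplicates that share source, destination and alert type within a short time window, and then links the merged alerts into a multi-step scenario using a hypothetical prerequisite/consequence table. The alert fields, the window sizes and the `CAUSAL_LINKS` relations are assumptions chosen for illustration, not definitions from the chapter.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from the chapter). Two sensors report the same
# attacker scanning, brute-forcing and then exploiting one host, plus one
# unrelated scan and one later scan that should not join the scenario.
SAMPLE_ALERTS = [
    {"ts": "2017-01-01T10:00:00", "sensor": "ids-1", "src": "10.0.0.5", "dst": "10.0.1.9", "type": "port_scan"},
    {"ts": "2017-01-01T10:00:10", "sensor": "ids-1", "src": "10.0.0.5", "dst": "10.0.1.9", "type": "port_scan"},
    {"ts": "2017-01-01T10:00:20", "sensor": "ids-2", "src": "10.0.0.5", "dst": "10.0.1.9", "type": "port_scan"},
    {"ts": "2017-01-01T10:01:00", "sensor": "ids-1", "src": "10.0.0.7", "dst": "10.0.1.9", "type": "port_scan"},
    {"ts": "2017-01-01T10:03:00", "sensor": "ids-1", "src": "10.0.0.5", "dst": "10.0.1.9", "type": "brute_force"},
    {"ts": "2017-01-01T10:03:30", "sensor": "ids-1", "src": "10.0.0.5", "dst": "10.0.1.9", "type": "brute_force"},
    {"ts": "2017-01-01T10:08:00", "sensor": "ids-2", "src": "10.0.0.5", "dst": "10.0.1.9", "type": "exploit_attempt"},
    {"ts": "2017-01-01T10:20:00", "sensor": "ids-1", "src": "10.0.0.5", "dst": "10.0.1.9", "type": "port_scan"},
]

# Hypothetical prerequisite -> consequence relations used for correlation.
CAUSAL_LINKS = {
    ("port_scan", "brute_force"),
    ("port_scan", "exploit_attempt"),
    ("brute_force", "exploit_attempt"),
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def cluster_alerts(alerts, window_s=60):
    """Alert clustering and merging: alerts that share (src, dst, type) and
    arrive within window_s seconds of the cluster's last alert are merged into
    one aggregated alert carrying a count, a time span and the set of sensors
    that corroborated it."""
    clusters = []
    open_clusters = {}  # (src, dst, type) -> index of the most recent cluster
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        key = (a["src"], a["dst"], a["type"])
        t = parse_ts(a["ts"])
        idx = open_clusters.get(key)
        if idx is not None and t - clusters[idx]["last"] <= timedelta(seconds=window_s):
            c = clusters[idx]
            c["count"] += 1
            c["last"] = t
            c["sensors"].add(a["sensor"])
        else:
            clusters.append({
                "src": a["src"], "dst": a["dst"], "type": a["type"],
                "count": 1, "first": t, "last": t, "sensors": {a["sensor"]},
            })
            open_clusters[key] = len(clusters) - 1
    return clusters


def correlate(clusters, max_gap_s=600):
    """Alert correlation: for each (src, dst) pair, chain aggregated alerts
    into a scenario when an alert type that is a known consequence follows
    its prerequisite within max_gap_s seconds. Chains of length one are not
    reported, so isolated alerts stay out of the scenario list."""
    by_pair = defaultdict(list)
    for c in clusters:
        by_pair[(c["src"], c["dst"])].append(c)

    scenarios = []
    for cs in by_pair.values():
        cs.sort(key=lambda c: c["first"])
        chain = [cs[0]]
        for c in cs[1:]:
            prev = chain[-1]
            linked = (prev["type"], c["type"]) in CAUSAL_LINKS
            if linked and c["first"] - prev["last"] <= timedelta(seconds=max_gap_s):
                chain.append(c)
            else:
                if len(chain) > 1:
                    scenarios.append(chain)
                chain = [c]
        if len(chain) > 1:
            scenarios.append(chain)
    return scenarios


def describe_scenarios(scenarios):
    """Return each scenario as the ordered list of alert types it contains."""
    return [[c["type"] for c in chain] for chain in scenarios]


if __name__ == "__main__":
    merged = cluster_alerts(SAMPLE_ALERTS)
    for c in merged:
        print(f'{c["type"]:16} {c["src"]} -> {c["dst"]} x{c["count"]} sensors={sorted(c["sensors"])}')
    for chain in describe_scenarios(correlate(merged)):
        print("scenario:", " -> ".join(chain))
```

On the constructed input, eight raw alerts collapse to five aggregated alerts, and only the 10.0.0.5 to 10.0.1.9 sequence (scan, brute force, exploit attempt) is linked into a scenario; the scan from 10.0.0.7 and the later scan at 10:20 remain isolated single alerts, which is the kind of low-priority noise an analyst would want separated from the correlated chain.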
© 2017 Springer International Publishing AG
Cite this chapter
Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K. (2017). Alert Management and Anomaly Prevention Techniques. In: Network Traffic Anomaly Detection and Prevention. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-65188-0_5
DOI: https://doi.org/10.1007/978-3-319-65188-0_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-65186-6
Online ISBN: 978-3-319-65188-0
eBook Packages: Computer Science (R0)