Alert Management and Anomaly Prevention Techniques

  • Chapter
  • Book: Network Traffic Anomaly Detection and Prevention

Abstract

As an ANIDS (anomaly-based network intrusion detection system) or IDS (intrusion detection system) monitors network-wide traffic, it generates warning messages (i.e., alerts) that indicate attack, suspicious, or legitimate events. Because IDSs are widely deployed, they may generate an overwhelming number of alerts, with true alerts mixed with false ones. Management of such alerts is therefore necessary to trace an attack back to its origin, so that survival measures can be taken as early as possible. This chapter focuses on alert management and network anomaly prevention techniques. Alert management comprises several components, viz., alert clustering, alert merging, alert frequency, alert link, alert association, intention recognition, and alert correlation. Network traffic anomaly prevention techniques, in turn, cover the basic concepts of ANIPS (anomaly-based network intrusion prevention system), attack coverage, features of ANIPS, and selection of the right ANIPS for deployment. Finally, the chapter presents the pros and cons of both alert management and anomaly-based network intrusion prevention techniques.




© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K. (2017). Alert Management and Anomaly Prevention Techniques. In: Network Traffic Anomaly Detection and Prevention. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-65188-0_5

  • DOI: https://doi.org/10.1007/978-3-319-65188-0_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-65186-6

  • Online ISBN: 978-3-319-65188-0

  • eBook Packages: Computer Science (R0)
