Automatic Rule Generation Based on Genetic Programming for Event Correlation

  • G. Suarez-Tangil
  • E. Palomar
  • J. M. de Fuentes
  • J. Blasco
  • A. Ribagorda
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 63)

Abstract

The widespread adoption of autonomous intrusion detection technology is overwhelming current frameworks for network security management. Modern intrusion detection systems (IDSs) and intelligent agents are the most mentioned in literature and news, although other risks such as broad attacks (e.g. very widely spread in a distributed fashion like botnets), and their consequences on incident response management cannot be overlooked. Event correlation becomes then essential. Basically, security event correlation pulls together detection, prevention and reaction tasks by means of consolidating huge amounts of event data. Providing adaptation to unknown distributed attacks is a major requirement as well as their automatic identification. This positioning paper poses an optimization challenge in the design of such correlation engine and a number of directions for research. We present a novel approach for automatic generation of security event correlation rules based on Genetic Programming which has been already used at sensor level.

Keywords

Event Correlation Rule Generation Genetic Programming Network Security Management 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    OSSIM: Open source security information management (2009), http://www.ossim.net/whatis.php
  2. 2.
    Center for Education and Research in information Assurance and Security of Purde University: CERIAS Security Seminar Archive - Intrusion Detection Event Correlation: Approaches, Benefits and Pitfalls, Center for Education and Research in information Assurance and Security of Purde University (March 2007)Google Scholar
  3. 3.
    Tjhai, G.: Intrusion detection system: Facts, challenges and futures (March 2007), http://www.bcssouthwest.org.uk/presentations/GinaTjhai2007.pdf
  4. 4.
    Rice, G., Daniels, T.: A hierarchical approach for detecting system intrusions through event correlation. In: IASTED International Conference on Communication, Network, and Information Security, Phoenix, USA (November 2005)Google Scholar
  5. 5.
    Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, pp. 54–68 (2001)Google Scholar
  6. 6.
    Karg, D.: OSSIM Correlation engine explained (2004), http://www.ossim.net/docs/correlation_engine_explained_rpc_dcom_example.pdf
  7. 7.
    Bitacora: System of centralization, management and exploitation of a company’s events, http://www.s21sec.com/productos.aspx?sec=34
  8. 8.
    Fogel, L.J., Owens, A.J., Walsh, M.J.: Artificial Intelligence through Simulated Evolution. John Wiley, New York (1966)MATHGoogle Scholar
  9. 9.
    Koza, J., Poli, R.: Introductory Tutorials in Optimization and Decision Support Techniques. Springer, Heidelberg (2005)Google Scholar
  10. 10.
    Tang, W., Cao, Y., Yang, X., So, W.: Study on adaptive intrusion detection engine based on gene expression programming rules. In: CSSE International Conference on Computer Science and Software Engineering, Wuhan, China (December 2008)Google Scholar
  11. 11.
    Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A geometric framework for unsupervised anomaly detection: Detecting intrusions in unlabeled data. In: Applications of Data Mining in Computer Security. Kluwer, Dordrecht (2002)Google Scholar
  12. 12.
    Mukkamala, S., Sung, A.H., Abraham, A.: Modeling intrusion detection systems using linear genetic programming approach. In: Orchard, B., Yang, C., Ali, M. (eds.) IEA/AIE 2004. LNCS (LNAI), vol. 3029, pp. 633–642. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  13. 13.
    Luke, S., Panait, L., Balan, G., Paus, S., Skolicki, Z., Popovici, E., Sullivan, K., Harrison, J., Bassett, J., Hubley, R., Chircop, A.: A java-based evolutionary computation research system, http://cs.gmu.edu/~eclab/projects/ecj/
  14. 14.
    Debar, H., Curry, D., Feinstein, B.: Ietf rfc 4765 - the intrusion detection message exchange format (March 2007), www.ietf.org/rfc/rfc4765.txt

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • G. Suarez-Tangil
    • 1
  • E. Palomar
    • 1
  • J. M. de Fuentes
    • 1
  • J. Blasco
    • 1
  • A. Ribagorda
    • 1
  1. 1.Department of Computer ScienceUniversity Carlos III of MadridLeganes

Personalised recommendations