Automatic Rule Generation Based on Genetic Programming for Event Correlation
The widespread adoption of autonomous intrusion detection technology is overwhelming current frameworks for network security management. Modern intrusion detection systems (IDSs) and intelligent agents are the most mentioned in literature and news, although other risks such as broad attacks (e.g. very widely spread in a distributed fashion like botnets), and their consequences on incident response management cannot be overlooked. Event correlation becomes then essential. Basically, security event correlation pulls together detection, prevention and reaction tasks by means of consolidating huge amounts of event data. Providing adaptation to unknown distributed attacks is a major requirement as well as their automatic identification. This positioning paper poses an optimization challenge in the design of such correlation engine and a number of directions for research. We present a novel approach for automatic generation of security event correlation rules based on Genetic Programming which has been already used at sensor level.
KeywordsEvent Correlation Rule Generation Genetic Programming Network Security Management
Unable to display preview. Download preview PDF.
- 1.OSSIM: Open source security information management (2009), http://www.ossim.net/whatis.php
- 2.Center for Education and Research in information Assurance and Security of Purde University: CERIAS Security Seminar Archive - Intrusion Detection Event Correlation: Approaches, Benefits and Pitfalls, Center for Education and Research in information Assurance and Security of Purde University (March 2007)Google Scholar
- 3.Tjhai, G.: Intrusion detection system: Facts, challenges and futures (March 2007), http://www.bcssouthwest.org.uk/presentations/GinaTjhai2007.pdf
- 4.Rice, G., Daniels, T.: A hierarchical approach for detecting system intrusions through event correlation. In: IASTED International Conference on Communication, Network, and Information Security, Phoenix, USA (November 2005)Google Scholar
- 5.Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, pp. 54–68 (2001)Google Scholar
- 6.Karg, D.: OSSIM Correlation engine explained (2004), http://www.ossim.net/docs/correlation_engine_explained_rpc_dcom_example.pdf
- 7.Bitacora: System of centralization, management and exploitation of a company’s events, http://www.s21sec.com/productos.aspx?sec=34
- 9.Koza, J., Poli, R.: Introductory Tutorials in Optimization and Decision Support Techniques. Springer, Heidelberg (2005)Google Scholar
- 10.Tang, W., Cao, Y., Yang, X., So, W.: Study on adaptive intrusion detection engine based on gene expression programming rules. In: CSSE International Conference on Computer Science and Software Engineering, Wuhan, China (December 2008)Google Scholar
- 11.Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A geometric framework for unsupervised anomaly detection: Detecting intrusions in unlabeled data. In: Applications of Data Mining in Computer Security. Kluwer, Dordrecht (2002)Google Scholar
- 13.Luke, S., Panait, L., Balan, G., Paus, S., Skolicki, Z., Popovici, E., Sullivan, K., Harrison, J., Bassett, J., Hubley, R., Chircop, A.: A java-based evolutionary computation research system, http://cs.gmu.edu/~eclab/projects/ecj/
- 14.Debar, H., Curry, D., Feinstein, B.: Ietf rfc 4765 - the intrusion detection message exchange format (March 2007), www.ietf.org/rfc/rfc4765.txt