Abstract
Intrusion detection systems typically create large numbers of alerts, and processing them is a time-consuming task for the user. This paper describes an application of exponentially weighted moving average (EWMA) control charts used to help the operator in alert processing. Depending on the operator's objectives, some alerts are individually insignificant, but when aggregated they can provide important information on the monitored system's state. Thus it is not always the best solution to discard those alerts, for instance by means of filtering, correlation, or by simply removing the signature. We deploy a widely used EWMA control chart for extracting trends and highlighting anomalies from alert information provided by sensors performing pattern matching. The aim is to make the output of verbose signatures more tolerable for the operator while still allowing the useful information it carries to be obtained. The applied method is described, and the experiments and their results with real-world data are presented. A test metric is proposed to evaluate the results.
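The abstract describes applying an EWMA control chart to the alert stream of verbose signatures so that trends and bursts stand out without discarding the underlying alerts. The following Python script is an added illustration of that idea, not code from the paper, and it does not reproduce the authors' parameter choices: it applies the standard Roberts EWMA chart (with time-varying control limits) to a constructed series of per-interval alert counts for one hypothetical signature. The smoothing constant `lam`, the control-limit width `L`, the 20-interval training window used to estimate the in-control mean and standard deviation, and the alert counts themselves are all assumptions made for the example.

```python
"""EWMA control chart over per-interval IDS alert counts (added example)."""
from math import sqrt
from statistics import mean, pstdev

# Constructed sample (not real data): alerts per one-minute interval emitted by
# a single verbose signature. Intervals 1-20 are the assumed in-control
# training window; a burst is injected around intervals 26-31.
ALERT_COUNTS = [12, 9, 11, 14, 10, 13, 8, 12, 11, 10,
                13, 9, 12, 11, 10, 14, 12, 9, 11, 13,
                12, 10, 11, 13, 12, 25, 31, 38, 40, 36, 30, 12, 11, 10]

TRAINING_INTERVALS = 20  # assumed length of the in-control baseline


def ewma_chart(counts, lam=0.3, L=3.0, training=TRAINING_INTERVALS):
    """Run a Roberts EWMA chart over `counts`.

    lam: smoothing constant (assumed 0.3); L: control-limit width in
    standard deviations (assumed 3.0). The baseline mean and standard
    deviation are estimated from the first `training` intervals.
    Returns one row per interval with the EWMA statistic z_t, the exact
    (time-varying) control limits and an out-of-control flag.
    """
    mu = mean(counts[:training])
    sigma = pstdev(counts[:training])
    z = mu  # the chart starts at the baseline mean
    rows = []
    for t, x in enumerate(counts, start=1):
        z = lam * x + (1 - lam) * z
        # Variance of z_t relative to sigma^2; converges to lam/(2-lam).
        var_factor = (lam / (2 - lam)) * (1 - (1 - lam) ** (2 * t))
        half_width = L * sigma * sqrt(var_factor)
        ucl = mu + half_width
        lcl = max(0.0, mu - half_width)  # counts cannot go below zero
        rows.append({
            "t": t, "x": x, "z": z, "ucl": ucl, "lcl": lcl,
            "out_of_control": z > ucl or z < lcl,
        })
    return rows


def out_of_control_intervals(counts, **kwargs):
    """Interval indices (1-based) where the EWMA leaves the control band."""
    return [r["t"] for r in ewma_chart(counts, **kwargs) if r["out_of_control"]]


if __name__ == "__main__":
    print(f"{'t':>3} {'alerts':>6} {'ewma':>7} {'lcl':>6} {'ucl':>6}  flag")
    for r in ewma_chart(ALERT_COUNTS):
        mark = "<-- out of control" if r["out_of_control"] else ""
        print(f"{r['t']:>3} {r['x']:>6} {r['z']:>7.2f} {r['lcl']:>6.2f} "
              f"{r['ucl']:>6.2f}  {mark}")
    print("flagged intervals:", out_of_control_intervals(ALERT_COUNTS))
```

Two behaviours worth noticing when running this: the individual counts of 12 or 13 during the baseline never trip the chart, which is the point of aggregating rather than alerting on each event, and the statistic stays above the upper limit for several intervals after the burst has ended, because the EWMA carries memory of recent values. A smaller `lam` lengthens that memory and smooths more aggressively; a larger one reacts faster but flags more transient noise.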
© 2004 Springer-Verlag Berlin Heidelberg
Cite this paper
Viinikka, J., Debar, H. (2004). Monitoring IDS Background Noise Using EWMA Control Charts and Alert Information. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_9
DOI: https://doi.org/10.1007/978-3-540-30143-1_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23123-3
Online ISBN: 978-3-540-30143-1