Monitoring IDS Background Noise Using EWMA Control Charts and Alert Information

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2004)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 3224))

Abstract

Intrusion detection systems typically produce large volumes of alerts, and processing them is a time-consuming task for the operator. This paper describes an application of exponentially weighted moving average (EWMA) control charts to support the operator in alert processing. Depending on the operator's objectives, some alerts are individually insignificant, but when aggregated they can provide important information about the monitored system's state. It is therefore not always the best solution to discard such alerts, for instance by filtering, by correlation, or simply by removing the signature. We apply a widely used EWMA control chart to extract trends and highlight anomalies in the alert stream produced by pattern-matching sensors. The aim is to make the output of verbose signatures more tolerable for the operator while still allowing the useful information it carries to be recovered. The method is described, and experiments with real-world data are presented together with their results. A test metric is proposed to evaluate the results.
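
The abstract describes running an EWMA control chart over the alert volume of a verbose signature so that the chart, rather than the raw alerts, is what the operator watches. The following is an added worked example, not the paper's own code or data: it bins constructed alert lines per signature and per minute, estimates an in-control baseline from the first intervals, and then applies the standard Roberts EWMA chart with time-varying control limits to the later intervals. The alert line format, the bucket width, the smoothing weight lam, the limit multiplier L and the baseline length are assumptions chosen for illustration, not parameters taken from the paper.

```python
"""EWMA control chart over per-interval IDS alert counts.

Added example, not code from the paper: a Roberts-style EWMA chart
(z_t = lam*x_t + (1-lam)*z_{t-1}) run over the number of alerts one
verbose signature raises per fixed time bucket. The alert line format,
the bucket width and the chart parameters (lam, L, baseline length)
are assumptions made for illustration.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed alert lines, not real sensor output. Assumed format:
# "<ISO timestamp> sid=<signature id> <free-text message>"
SAMPLE_ALERTS = """\
2004-03-01T10:00:05 sid=1000 ICMP PING NMAP
2004-03-01T10:00:41 sid=1000 ICMP PING NMAP
2004-03-01T10:00:50 sid=2000 WEB-MISC robots.txt access
2004-03-01T10:01:02 sid=1000 ICMP PING NMAP
2004-03-01T10:02:10 sid=1000 ICMP PING NMAP
2004-03-01T10:02:11 sid=1000 ICMP PING NMAP
2004-03-01T10:02:59 sid=1000 ICMP PING NMAP
""".splitlines()


def bin_alerts(lines, bucket_seconds=60):
    """Count alerts per signature per time bucket.

    Returns {sid: [count_per_bucket, ...]} covering every bucket from the
    first to the last one seen, zero-filled so that quiet intervals stay
    in the series (a drop to zero is itself a trend the chart should see).
    """
    per_sid = defaultdict(lambda: defaultdict(int))
    seen = []
    for line in lines:
        ts_str, sid_field = line.split(None, 2)[:2]
        # Timestamps are treated as UTC so bucketing does not depend on the host tz.
        ts = datetime.fromisoformat(ts_str).replace(tzinfo=timezone.utc).timestamp()
        bucket = int(ts) // bucket_seconds
        per_sid[sid_field.split("=", 1)[1]][bucket] += 1
        seen.append(bucket)
    lo, hi = min(seen), max(seen)
    return {sid: [c.get(b, 0) for b in range(lo, hi + 1)]
            for sid, c in per_sid.items()}


def ewma_chart(counts, baseline_n, lam=0.3, L=3.0):
    """EWMA control chart with time-varying limits (Roberts, 1959).

    Phase I: the first baseline_n counts estimate the in-control mean mu and
    standard deviation sigma. Phase II: each later count x_t updates
    z_t = lam*x_t + (1-lam)*z_{t-1} with z_0 = mu, and is out of control when
    z_t leaves mu +/- L*sigma*sqrt(lam/(2-lam) * (1-(1-lam)^(2t))).
    Returns one (x, z, lcl, ucl, out_of_control) tuple per monitored count.
    """
    base = counts[:baseline_n]
    mu = sum(base) / len(base)
    sigma = statistics.pstdev(base)
    if sigma == 0:
        # A perfectly flat baseline gives zero-width limits, so every deviation
        # would alarm; refuse rather than produce a useless chart.
        raise ValueError("baseline has zero variance; extend the baseline window")
    z = mu
    rows = []
    for t, x in enumerate(counts[baseline_n:], start=1):
        z = lam * x + (1 - lam) * z
        half = L * sigma * math.sqrt(lam / (2 - lam) * (1 - (1 - lam) ** (2 * t)))
        lcl, ucl = max(0.0, mu - half), mu + half  # alert counts cannot be negative
        rows.append((x, z, lcl, ucl, not (lcl <= z <= ucl)))
    return rows


def out_of_control_intervals(counts, baseline_n, **kw):
    """Indices (relative to the monitored part of the series) the chart flags."""
    return [i for i, row in enumerate(ewma_chart(counts, baseline_n, **kw)) if row[4]]


if __name__ == "__main__":
    # Constructed series: ten quiet baseline minutes, then a three-minute burst.
    baseline = [5, 4, 6, 5, 5, 4, 6, 5, 5, 5]
    monitored = [5, 6, 5, 4, 30, 35, 40, 5, 5, 5]
    for t, (x, z, lcl, ucl, alarm) in enumerate(ewma_chart(baseline + monitored, 10), 1):
        flag = "ALARM" if alarm else ""
        print(f"t={t:2d} x={x:3d} z={z:6.2f} limits=[{lcl:5.2f}, {ucl:5.2f}] {flag}")
    print("per-signature bins:", bin_alerts(SAMPLE_ALERTS))
```

Two properties of the chart matter in practice. Single one-off excursions (a count of 6 against a baseline mean of 5) move the smoothed statistic only by lam times the deviation and do not alarm, which is the point of using EWMA instead of raw thresholds on noisy signatures. Conversely, because z_t carries memory, the alarm persists for several intervals after a burst ends (in the constructed series the three last quiet minutes are still flagged), so the chart highlights a change in trend rather than pinpointing the exact interval; lowering lam lengthens that memory and raising it shortens it.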


References

  1. Anderson, J.P.: Computer Security Threat Monitoring and Surveillance. Technical report, James P. Anderson Co., Fort Washington, PA 19034 (April 1980)

  2. Julisch, K., Dacier, M.: Mining Intrusion Detection Alarms for Actionable Knowledge. In: Proceedings of Knowledge Discovery in Data and Data Mining, SIGKDD (2002)

  3. Porras, P.A., Fong, M.W., Valdes, A.: A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. In: Wespi et al. [17], pp. 95–114

  4. Morin, B., Debar, H.: Correlation of Intrusion Symptoms: an Application of Chronicles. In: Vigna et al. [18], pp. 94–112

  5. Debar, H., Morin, B.: Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems. In: Wespi et al. [17]

  6. Julisch, K.: Mining Alarm Clusters to Improve Alarm Handling Efficiency. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001) (December 2001)

  7. Teoh, S.T., Ma, K.-L., Wu, S.F., Zhao, X.: A Visual Technique for Internet Anomaly Detection. In: Proceedings of IASTED Computer Graphics and Imaging, ACTA Press (2002)

  8. Roberts, S.W.: Control Chart Tests Based On Geometric Moving Averages. Technometrics 1(3), 230–250 (1959)

  9. Ye, N., Vilbert, S., Chen, Q.: Computer Intrusion Detection Through EWMA for Autocorrelated and Uncorrelated Data. IEEE Transactions on Reliability 52(1), 75–82 (2003)

  10. Ye, N., Borror, C., Chang, Y.: EWMA Techniques for Computer Intrusion Detection Through Anomalous Changes In Event Intensity. Quality and Reliability Engineering International 18, 443–451 (2002)

  11. Mahadik, V.A., Wu, X., Reeves, D.S.: Detection of Denial of QoS Attacks Based on χ2 Statistic and EWMA Control Chart, http://arqos.csc.ncsu.edu/papers.htm (February 2002)

  12. Mell, P., Hu, V., Lippman, R., Haines, J., Zissman, M.: An Overview of Issues in Testing Intrusion Detection Systems. NIST IR 7007, NIST CSRC - National Institute of Standards and Technology, Computer Security Resource Center (June 2003)

  13. Debar, H., Dacier, M., Wespi, A.: A Revised Taxonomy of Intrusion-Detection Systems. Technical Report RZ 3176 (#93222), IBM Research, Zurich (October 1999)

  14. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 54. Springer, Heidelberg (2001)

  15. Qin, X., Lee, W.: Statistical Causality Analysis of INFOSEC Alert Data. In: Vigna et al. [18], pp. 73–93

  16. Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A Data Mining Analysis of RTID Alarms. In: 2nd International Symposium on Recent Advances in Intrusion Detection, RAID 1999 (1999). Available online: http://www.raid-symposium.org/raid99/PAPERS/Manganaris.pdf

  17. Wespi, A., Vigna, G., Deri, L. (eds.): RAID 2002. LNCS, vol. 2516. Springer, Heidelberg (2002)

  18. Vigna, G., Krügel, C., Jonsson, E. (eds.): RAID 2003. LNCS, vol. 2820. Springer, Heidelberg (2003)

Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Viinikka, J., Debar, H. (2004). Monitoring IDS Background Noise Using EWMA Control Charts and Alert Information. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_9

  • DOI: https://doi.org/10.1007/978-3-540-30143-1_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23123-3

  • Online ISBN: 978-3-540-30143-1

  • eBook Packages: Springer Book Archive