
ALERT-ID: Analyze Logs of the Network Element in Real Time for Intrusion Detection

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7462)

Abstract

The security of the networking infrastructure (e.g., routers and switches) in large-scale enterprise or Internet service provider (ISP) networks is mainly achieved through mechanisms such as access control lists (ACLs) at the edge of the network and deployment of centralized AAA (authentication, authorization and accounting) systems governing all access to network devices. However, a misconfigured edge router or a compromised user account may put the entire network at risk. In this paper, we propose enhancing existing security measures with an intrusion detection system overseeing all network management activities. We analyze device access logs collected via the AAA system, particularly TACACS+, in a global tier-1 ISP network and extract features that distinguish normal operational activities from rogue or anomalous ones. Based on these analyses, we develop a real-time intrusion detection system that constructs normal-behavior models of each account's device access patterns and configuration and control activities from its long-term historical logs, and alerts in real time when usage deviates from the models. Our evaluation shows that the system effectively identifies potential intrusions and misuse with an acceptable overall alarm rate.
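The detection loop the abstract describes (build a per-account baseline from long-term TACACS+ command accounting, then score live records against it and alert on deviation), as an added example that is not the authors' ALERT-ID implementation. The record layout, the sample accounting lines, the command classes, the feature weights and the alert threshold are all assumptions constructed for this example; real TACACS+ accounting exports (tac_plus, Cisco ACS/ISE and others) lay out their attributes differently, so parse_line is the part to adapt.

```python
"""Per-account baselines from TACACS+-style command accounting, scored in
real time.  Added example; not the ALERT-ID code from the paper.  The record
layout below is constructed for this example (real TACACS+ accounting exports
differ), and the weights and threshold are illustrative assumptions."""
import shlex
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training records: a week of routine activity for two accounts.
TRAINING_LOG = """\
2012-03-05T09:12:01Z user=alice device=pe-router-01 service=shell cmd="show ip bgp summary"
2012-03-05T09:14:30Z user=alice device=pe-router-01 service=shell cmd="show interfaces"
2012-03-05T10:02:11Z user=alice device=pe-router-02 service=shell cmd="show ip route 10.0.0.0"
2012-03-06T09:30:45Z user=alice device=pe-router-02 service=shell cmd="show logging"
2012-03-07T11:05:00Z user=alice device=pe-router-01 service=shell cmd="show running-config"
2012-03-05T14:00:02Z user=bob device=core-sw-01 service=shell cmd="configure terminal"
2012-03-05T14:00:40Z user=bob device=core-sw-01 service=shell cmd="interface Gi1/0/1"
2012-03-05T14:01:05Z user=bob device=core-sw-01 service=shell cmd="description uplink"
2012-03-06T15:20:00Z user=bob device=core-sw-02 service=shell cmd="show vlan brief"
2012-03-07T16:45:13Z user=bob device=core-sw-02 service=shell cmd="configure terminal"
"""

# Constructed live records: alice, read-only in her history, starts rewriting
# an edge ACL at 03:00 on a router she has never logged into.
LIVE_LOG = """\
2012-03-12T09:20:00Z user=alice device=pe-router-01 service=shell cmd="show ip bgp neighbors"
2012-03-12T03:02:10Z user=alice device=pe-router-07 service=shell cmd="configure terminal"
2012-03-12T03:02:40Z user=alice device=pe-router-07 service=shell cmd="ip access-list extended EDGE-IN"
2012-03-12T03:03:02Z user=alice device=pe-router-07 service=shell cmd="no 10 deny ip any any"
"""

# Illustrative weights and command classes (assumptions, not the paper's values).
W_NEW_DEVICE, W_NEW_VERB, W_FIRST_CONFIG, W_ODD_HOUR = 3, 2, 4, 1
CONFIG_VERBS = {"configure", "interface", "description", "ip", "no", "router"}


def parse_line(line):
    """'<iso-ts> key=value ...' with a quoted cmd= attribute -> event dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"],
        "device": fields["device"],
        "cmd": fields["cmd"],
        "verb": fields["cmd"].split()[0].lower(),  # first token is profiled
    }


def build_profiles(log_text):
    """Long-term history -> per-account model of devices, verbs and hours."""
    profiles = defaultdict(lambda: {"devices": set(), "verbs": set(),
                                    "hours": Counter(), "configures": False})
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse_line(line)
        p = profiles[ev["user"]]
        p["devices"].add(ev["device"])
        p["verbs"].add(ev["verb"])
        p["hours"][ev["ts"].hour] += 1
        p["configures"] |= ev["verb"] in CONFIG_VERBS
    return dict(profiles)


def score_event(profile, ev):
    """Threat score for one live record: the sum of weighted deviations."""
    if profile is None:  # account with no history at all
        return W_NEW_DEVICE + W_NEW_VERB + W_FIRST_CONFIG, ["no history for account"]
    score, reasons = 0, []
    if ev["device"] not in profile["devices"]:
        score += W_NEW_DEVICE
        reasons.append(f"never accessed {ev['device']}")
    if ev["verb"] not in profile["verbs"]:
        score += W_NEW_VERB
        reasons.append(f"new command verb {ev['verb']!r}")
    if ev["verb"] in CONFIG_VERBS and not profile["configures"]:
        score += W_FIRST_CONFIG
        reasons.append("account has never issued configuration commands")
    if profile["hours"][ev["ts"].hour] == 0:
        score += W_ODD_HOUR
        reasons.append(f"no prior activity in hour {ev['ts'].hour:02d}")
    return score, reasons


def detect(profiles, live_text, threshold=4):
    """Stream live records past the models; return the alerts raised."""
    alerts = []
    for line in filter(None, map(str.strip, live_text.splitlines())):
        ev = parse_line(line)
        score, reasons = score_event(profiles.get(ev["user"]), ev)
        if score >= threshold:
            alerts.append({"user": ev["user"], "device": ev["device"],
                           "cmd": ev["cmd"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(build_profiles(TRAINING_LOG), LIVE_LOG):
        print(f"[{a['score']}] {a['user']}@{a['device']}: {a['cmd']} <- {'; '.join(a['reasons'])}")
```

Run stand-alone, the routine 09:20 "show" on a familiar router scores 0 and is silent, while the three 03:00 configuration commands on pe-router-07 each trip every feature. In practice the threshold is the knob that sets the overall alarm rate the abstract refers to: tune it on a held-out window of known-good accounting logs before turning alerting on, and expect to re-baseline accounts when their job role changes.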

Keywords

  • Intrusion Detection
  • Intrusion Detection System
  • Internet Service Provider
  • Threat Score
  • Provider Edge




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chu, J., Ge, Z., Huber, R., Ji, P., Yates, J., Yu, YC. (2012). ALERT-ID: Analyze Logs of the Network Element in Real Time for Intrusion Detection. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_15


  • DOI: https://doi.org/10.1007/978-3-642-33338-5_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33337-8

  • Online ISBN: 978-3-642-33338-5

  • eBook Packages: Computer Science (R0)