
Measuring False-Positive by Automated Real-Time Correlated Hacking Behavior Analysis

Conference paper. In: Information Security (ISC 2001). Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2200).

Abstract

To resolve the tension between the trend toward more distributed network architectures and the demand for more centralized, correlated analysis to detect more complex attacks with an Intrusion Detection System (IDS), we first propose an IDS architecture framework that collects relevant alert data from distributed, diverse IDSes into one or more centralized points. Efficient correlation analysis is then performed on the shared data, and the meaningful and supportive knowledge rules derived from the analysis results are generated and automatically pushed back to each subscribed local IDS on a schedule or even in real time, so that each local IDS can use these rules to analyze newly arriving traffic. We also define an XML format for the knowledge-rule information generated by our hacking-behavior correlation algorithms. We then present seven mathematical algorithms for correlated hacking-behavior analysis. To let a local IDS effectively measure the false-positive probability of a newly arriving alert, we introduce three different approaches based on data-mining and statistical models: 1-Rule, the Bagging method and the Naive Bayes method. By applying these methods to the collected correlated knowledge rules, we derive a good-quality true-attack confidence value for each newly detected alert. We also developed a simulation program implementing all of these correlation algorithms and data-mining and statistical models. We tested these algorithms on MIT Lincoln Lab's 1999 IDS evaluation data and conclude that, using these preliminary results, a local IDS subscribed to this framework can derive a measure of how confident it is that an alarm is a true attack in real time, and can even lower its false-positive rate if a suitable threshold is applied.




© 2001 Springer-Verlag Berlin Heidelberg

Cite this paper

Wang, J., Lee, I. (2001). Measuring False-Positive by Automated Real-Time Correlated Hacking Behavior Analysis. In: Davida, G.I., Frankel, Y. (eds) Information Security. ISC 2001. Lecture Notes in Computer Science, vol 2200. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45439-X_36

  • DOI: https://doi.org/10.1007/3-540-45439-X_36
  • Publisher: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-540-42662-2
  • Online ISBN: 978-3-540-45439-7