Architecture of ID Model with Alert Correlation


02 Nov 2017


CHAPTER 7

7.1 CONCLUSION

The Internet has dramatically changed how people, companies and government institutions interact, and it is now accessible almost everywhere. With high-speed links, large volumes of data move quickly between parties. Users take this for granted until security attacks cripple the network; attacks spread over the same high-speed links that made the Internet revolution possible, and their cost to individuals, companies and governments has risen just as quickly. According to Trend Micro, malware attacks cost companies worldwide an estimated 55 billion dollars in 2013, up from about 20 billion dollars in 2012.

Academic researchers have proposed next-generation networks such as Supernet to give university campuses across the US a research testbed running thousands of times faster than the installed base, and many predict that Internet traffic volumes will grow from the 10 Gbps range into the Tbps range. With this explosive growth in Internet commerce and terabit networking on the horizon, security practitioners must reassess current defences. Clearly, the critical task facing the Internet is establishing trust and security. Many researchers argue that automated detection and response is the only way to stop fast-spreading worms such as SQL Slammer and Code Red. Recognising that traditional intrusion detection systems have neither adapted to new network paradigms such as wireless and mobile systems nor scaled to the speeds of high-bandwidth networks, this thesis proposes methods for dealing with the threats posed by network-based denial-of-service attacks in such systems. Although there have been earlier attempts (Eskin et al 2001) to train anomaly detection models over noisy data, to the best of our knowledge the analysis presented in this dissertation is one of the first to examine the effect of incomplete data sets on the anomaly detection process. This chapter summarises the work carried out in this dissertation and highlights its main contributions and possible extensions to the current state of the art.

7.1.1 Architecture of ID Model with Alert Correlation

IDSs play a central role in defending critical computer networks against attackers. The state of the art in collaborative intrusion detection (CID) research was reviewed. Recent work has shown the value of combining signature-based and anomaly-based IDS in a CID model. CIDSs were classified by the system architecture they adopt and the alert correlation algorithms they use, and the different alert correlation techniques were reviewed with examples from the literature. Alert correlation is used to reduce the false alarm rate (FAR) while maintaining a high detection rate (DR). Artificial intelligence techniques have shown that they can meet the growing demand for reliable, intelligent IDS and thereby improve IDS performance. Fuzzy logic smooths the abrupt boundary between normal and abnormal data and produces more general rules, which is expected to make an IDS more flexible and robust; it has also proved useful for establishing trust between participants in a peer-to-peer system. Many classification approaches from artificial intelligence, computational intelligence and soft computing can therefore be applied to improve detection accuracy and to reduce false positives. On this basis a CID model combining AI techniques, soft computing and fuzzy logic, with a high DR and a low FAR, was proposed.

Alerts from different IDS products, especially host-based and network-based ones, are closely related, and correlating them lets us verify that a particular attack has actually occurred. For instance, a network-based IDS detects a suspected remote buffer-overflow attack aimed at gaining shell access on a server, but because of its vantage point it cannot see what happens inside that host afterwards. A host-based IDS deployed on the same server then detects a suspicious shell process and raises an alert. By correlating the two alerts, the security operator can confirm that a remote shell-access attack is in progress. In practice the join has to be made on a shared key such as the victim host address within a bounded time window, and the sensors' clocks must be synchronised, otherwise related alerts are missed or mismatched. Because each IDS product has its own blind spots, correlation also removes some false negatives.

7.1.2 Multi Layer Architecture Design

Collaborative intrusion detection, and collaboration between intrusion detection and other network management systems, are both needed. We proposed a collaborative design, the Multi Layer Architecture, that coordinates multiple intrusion detection systems through distributed intelligent agents, a shared knowledge base and collaborative techniques that cluster and merge alerts from multiple IDS products, achieving an indirect collaboration among them. By combining the strengths of heterogeneous IDS products, alert correlation can also verify the occurrence of certain attacks and eliminate some false negatives.

The collaborative intrusion detection and knowledge-based alert estimation architecture presented in the Multi Layer Architecture can be applied widely to the design of integrated intrusion detection products and related network security engineering applications, making them more efficient and effective at detecting real malicious attacks. As of this thesis, the first two components of our prototype have been implemented. The system was tested with a set of attacks and the results obtained were satisfactory.

7.1.3 Multi-Layered Alert Correlation Algorithm

An efficient alert correlation algorithm can improve both the detection accuracy and the reaction time of a CIDS. We proposed a fully decentralized multi-layered alert correlation and filtering algorithm for collaborative intrusion detection that mines intrusion patterns of interest from raw alerts. Compared with a centralized correlate-and-filter algorithm, our evaluation on a real-world intrusion data set shows that the decentralized multi-layered approach reduces alert volume significantly with little loss of detection accuracy in most attack scenarios. A global-scale experiment on over 100 ICE Lab nodes shows that the decentralized multi-layered architecture scales substantially better than a centralized approach. To the best of our knowledge, this is the first large-scale evaluation of the trade-off between routing delay and processing delay in a fully decentralized multi-layered CIDS across the Internet.
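The following is an added worked example, not code from the thesis or its prototype. It shows the two layers that sections 7.1.1 to 7.1.3 describe in prose: a first layer that clusters and merges raw alerts per victim host inside a time window (so a flood of identical alerts collapses into one meta-alert and the alert volume drops), and a second layer that verifies a cluster only when a network-side alert and a host-side alert on the same host both appear, as in the buffer-overflow-plus-shell-process scenario. The alert line format, the sensor labels "nids" and "hids", the signature prefixes in the verification rule, and the sample alerts are all constructed assumptions.

```python
"""Added example (not the thesis's own code): two-layer alert correlation.
Layer 1 clusters and merges raw alerts per victim host within a time window,
collapsing floods of identical alerts; layer 2 verifies a cluster only when a
network-side and a host-side alert from one rule both appear. The alert line
format, field names, rule prefixes and sample alerts are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    sensor: str   # "nids" or "hids" (assumed sensor labels)
    src: str      # attacker address seen by the NIDS, "-" for host-only alerts
    host: str     # victim host
    sig: str      # signature / event description


@dataclass
class MetaAlert:
    first: datetime
    last: datetime
    host: str
    src: str
    sigs: set     # {(sensor, signature)}
    count: int = 0
    verified: bool = False


def parse(line):
    """Assumed format: '<ISO timestamp> <sensor> <src> <host> <signature text>'."""
    ts, sensor, src, host, sig = line.split(" ", 4)
    return Alert(datetime.fromisoformat(ts), sensor, src, host, sig)


def cluster(alerts, window=timedelta(minutes=5)):
    """Layer 1: merge alerts on the same victim host that arrive within
    `window` of the cluster's last alert. Identical alerts are counted, not
    re-emitted, so 50 copies of one alert become one meta-alert with count=50."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        group = by_host[a.host]
        if group and a.ts - group[-1].last <= window:
            m = group[-1]
            m.last = a.ts
        else:
            m = MetaAlert(a.ts, a.ts, a.host, a.src, set())
            group.append(m)
        m.sigs.add((a.sensor, a.sig))
        m.count += 1
        if a.src != "-":          # the NIDS is the only sensor that attributes a source
            m.src = a.src
    return [m for g in by_host.values() for m in g]


# Verification rules (assumed): a network-side signature prefix that must be
# confirmed by a host-side signature prefix on the same host.
VERIFY_RULES = [("EXPLOIT", "PROC")]


def verify(meta):
    """Layer 2: cross-sensor verification. The NIDS alone cannot see what
    happened inside the host; the HIDS alone cannot attribute a source."""
    for net_prefix, host_prefix in VERIFY_RULES:
        seen_net = any(s == "nids" and sig.startswith(net_prefix) for s, sig in meta.sigs)
        seen_host = any(s == "hids" and sig.startswith(host_prefix) for s, sig in meta.sigs)
        if seen_net and seen_host:
            meta.verified = True
    return meta.verified


def correlate(lines):
    """Raw alert lines in, verified meta-alerts out, ordered by first occurrence."""
    metas = cluster(parse(line) for line in lines)
    for m in metas:
        verify(m)
    return sorted(metas, key=lambda m: m.first)


# Constructed sample: an exploit against 192.168.1.10 confirmed by the HIDS,
# a 50-alert port-sweep flood against 192.168.1.20, and an unconfirmed
# host-only alert on 192.168.1.30 (54 raw alerts in total).
SAMPLE = [
    "2017-11-02T10:00:01 nids 203.0.113.7 192.168.1.10 EXPLOIT remote buffer overflow in ftpd",
    "2017-11-02T10:00:04 hids - 192.168.1.10 PROC unexpected shell spawned by ftpd",
    "2017-11-02T10:00:05 nids 203.0.113.7 192.168.1.10 EXPLOIT remote buffer overflow in ftpd",
    "2017-11-02T11:00:00 hids - 192.168.1.30 PROC unexpected shell spawned by sshd",
] + ["2017-11-02T10:30:%02d nids 198.51.100.9 192.168.1.20 SCAN portsweep" % i for i in range(50)]

if __name__ == "__main__":
    for m in correlate(SAMPLE):
        print(m.host, m.src, "count=%d" % m.count, "verified=%s" % m.verified)
```

On the constructed sample the 54 raw alerts reduce to three meta-alerts, and only the one that carries both an EXPLOIT alert from the NIDS and a PROC alert from the HIDS is marked verified; the 50 identical scan alerts survive as a single unverified meta-alert with a count, which is the same aggregation that keeps an alert flood from swamping the operator. In a decentralized deployment each node would run layer 1 locally and forward only meta-alerts to the node that runs layer 2, which is where the volume reduction over a centralized correlate-and-filter design comes from.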

7.1.4 Network Anomaly Detection with Incomplete Audit Data

This study proposes a technique for detecting intrusions when only a fraction of the audit data is available. To achieve this, the proposed anomaly detection approach combines several components in a novel way to overcome the limitations of earlier intrusion detection methods. To address intrusion detection in high-bandwidth networks, the following components were implemented and evaluated. Sampling for data reduction: the key to effective and cost-efficient intrusion detection on high-bandwidth links is to sample the inbound traffic rather than attempt to parse and analyse all of it. Accordingly, this research presents an adaptive sampling algorithm that uses a weighted least-squares predictor to adjust the sampling rate dynamically according to the accuracy of its prediction. Results show that, compared with simple random sampling, the proposed adaptive sampling algorithm performs well on random, bursty data. Our simulation results show that the proposed sampling strategy is effective in reducing the volume of sampled data while preserving the inherent characteristics of the network traffic. Furthermore, the self-similar property of network traffic is demonstrated, and the proposed sampling strategy preserves it through the sampling process.
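As an added illustration of the sampling component described above (this is example code, not the thesis's algorithm, and the rate rule, parameters and traffic series are constructed assumptions), the block below forecasts each interval's packet count with a weighted least-squares straight-line fit over the recent history, measures how far the forecast was off, and uses that error to set the sampling rate for the next interval: predictable traffic is sampled near the base rate, while a burst the predictor did not foresee drives the rate up so that the anomalous traffic is captured more densely.

```python
"""Added example, not the thesis's own code: adaptive traffic sampling driven
by a weighted least-squares (WLS) predictor. The sampling rate for the next
interval rises when the predictor's error on the current interval is large
(bursty or anomalous traffic) and falls back towards the base rate when
traffic is predictable. Interval counts, parameters and the rate rule are
constructed assumptions."""


def wls_predict(history, lam=0.8):
    """Forecast the next value with a WLS straight-line fit over `history`.
    The weight lam**age decays geometrically, so recent intervals dominate."""
    n = len(history)
    if n == 0:
        return 0.0
    if n == 1:
        return float(history[0])
    w = [lam ** (n - 1 - i) for i in range(n)]
    sw = sum(w)
    swt = sum(wi * i for i, wi in enumerate(w))
    swtt = sum(wi * i * i for i, wi in enumerate(w))
    swy = sum(wi * y for wi, y in zip(w, history))
    swty = sum(wi * i * y for i, (wi, y) in enumerate(zip(w, history)))
    den = sw * swtt - swt * swt
    if den == 0:
        return float(history[-1])
    slope = (sw * swty - swt * swy) / den
    intercept = (swy - slope * swt) / sw
    return intercept + slope * n          # extrapolate one step past the window


def adaptive_sample(counts, window=8, r_min=0.05, r_max=0.5, gain=4.0, lam=0.8):
    """Walk through per-interval packet counts, fixing the sampling rate for
    each interval before its traffic is seen. Returns one record per interval."""
    rate, history, out = r_min, [], []
    for actual in counts:
        predicted = wls_predict(history[-window:], lam)
        sampled = round(rate * actual)    # packets kept from this interval
        out.append({"actual": actual, "predicted": predicted,
                    "rate": rate, "sampled": sampled})
        if len(history) >= 2:             # adapt only once a real forecast exists
            rel_err = abs(predicted - actual) / max(actual, 1)
            rate = min(r_max, max(r_min, r_min * (1 + gain * rel_err)))
        history.append(actual)
    return out


# Constructed series: steady ~1000 packets/interval, a three-interval burst, then steady.
COUNTS = [1000, 1020, 990, 1010, 1000, 980, 1015, 1005, 995, 1000, 1010, 1000,
          5000, 5500, 5200, 1000, 990, 1010]

if __name__ == "__main__":
    for i, r in enumerate(adaptive_sample(COUNTS)):
        print("t=%2d actual=%5d predicted=%7.1f rate=%.3f sampled=%4d"
              % (i, r["actual"], r["predicted"], r["rate"], r["sampled"]))
```

Two points matter when turning this into a sensor. The rate for an interval must be fixed before that interval's packets arrive, so the first interval of a burst is always sampled at the old, low rate and the error only raises the rate for the following intervals; and the clamp to [r_min, r_max] is what keeps an attacker who deliberately makes traffic unpredictable from forcing the sensor into full capture and exhausting it.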

Finally, building on the improvements described above, this research also proposes a novel intrusion detection approach capable of discovering anomalous and intrusive patterns in inbound network traffic that indicate a network-based denial-of-service attack when only partial audit data is available. The results described above show that the proposed system achieves its maximum detection rate even when only 75% of the audit data is present.

7.2 FUTURE WORK

With the increasingly widespread deployment of security systems such as IDS, antivirus programs and firewalls, the problem of alert analysis has become essential. To make the management and use of intrusion detection systems more efficient and easier, to make IDS alerts more accurate in reflecting actual threats, and to support security decision-making in the presence of ongoing attacks, the work on IDS management and on analysing the significance of alert data will be continued. More particularly, the following projects can be carried out as future work.

1. More attention will be given to optimising load distribution in the fully decentralized multi-layered architecture.

2. An XML-based vulnerability and security remedy reference system. Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. CVE does not provide detailed remediation information for the vulnerabilities it lists. Providing a standard XML-based vulnerability and security remedy reference system would support the security assessment process.

3. Automatic synthetic alert report generation. Reports will be generated that contain both synthetic alerts, giving an overall picture of formerly isolated alerts, and the security responses recommended by the predefined enterprise security policy and contingency plan. Alert statistics by target, attack source, vulnerability, attack category and other useful attributes will also be computed or queried and presented graphically.

4. Exploring the possibility of using other time-series analyses, beyond the statistical approach, in alert correlation. Time-series analysis is widely used in fields such as earthquake research, forecasting and economics. Causality tests can be implemented in different ways, and the feasibility of other such tests for alert correlation should be investigated. Finally, other statistical methods, for example multivariate analysis, should be studied for their application to intrusion alert correlation.

5. Other projects include studying intrusion detection in P2P systems, exploring attack-tolerance methods, and so on. In short, the Multi Layer Architecture is not an end point; it should serve as a starting point or springboard for our future work in network security.

6. In the last two decades, intrusion detection systems have gradually evolved from host- and operating-system-specific programs to distributed systems spanning a variety of operating systems. Many challenges lie ahead for the next generation of intrusion detection systems and, more specifically, for anomaly detection systems. Over the years numerous methods, models and full-fledged intrusion detection systems have been proposed and built in the commercial and research sectors. However, there is no universally accepted standard or metric for evaluating an intrusion detection system. While the ROC curve has been widely used to assess the accuracy of intrusion detection methods and to analyse the trade-off between detection rate and false positive rate, assessments based on the ROC curve alone are often misleading or incomplete; in particular, because attacks are rare relative to normal events, even a small false positive rate can mean that most alarms raised are false. Several new metrics have been proposed to address this (Stolfo et al 2009). Nevertheless, most of the proposed alternatives depend on parameter values (such as the cost associated with each false alarm or missed attack) that are hard to determine and are specific to a particular system or network. Consequently, such metrics may lack the objectivity required for a fair assessment of a given system. One of the main challenges is therefore the development of universal, systematic methods and metrics for fairly evaluating intrusion detection systems.

A critical aspect of intrusion detection, which has also been proposed as an evaluation metric (Shankar et al 2003), is the ability of an intrusion detection system to protect itself from attack. Attacks on intrusion detection systems take many forms. As one example, consider an attacker sending a large number of non-attack packets specifically crafted to trigger many alarms in an IDS, thereby overwhelming the human operator with false positives or crashing the alert-processing or display tools. Finally, a growing concern in today's corporate networks is the threat posed by insiders, i.e. disgruntled employees. A survey conducted by the US Secret Service and CERT at Carnegie Mellon University reports that 71% of its 1000 respondents said that 29% of the attacks they experienced were caused by insiders. Respondents identified current or former employees and contractors as the second largest cyber security threat, after hackers. Configuring an intrusion detection system to detect insider attacks is very challenging. The biggest difficulty lies in building a good rule set for detecting internal attacks or anomalies. Different users need different levels of access to different services, servers and systems for their work, which makes it extremely hard to define user- or system-specific usage profiles. Although some work exists in this area (Liu et al 2005), more research is needed to find practical solutions.
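To make the evaluation problem raised in item 6 concrete, the block below is an added worked example (not from the thesis) that builds a ROC curve and its area from detector scores, then shows the two effects the text describes: the fraction of alarms that are real collapses as intrusions become rarer even though the ROC operating point is unchanged, and a cost-based comparison of two operating points flips depending on the assumed cost of a missed attack versus a false alarm. The scores, labels, base rates and cost values are constructed for illustration.

```python
"""Added example, not from the thesis: why ROC-only and cost-based IDS
evaluations can mislead. Scores, labels, base rates and costs are constructed."""

# Constructed detector output: anomaly scores for 6 intrusion and 10 normal events.
SCORES = [0.95, 0.9, 0.85, 0.8, 0.6, 0.4,
          0.7, 0.5, 0.45, 0.3, 0.2, 0.15, 0.1, 0.05, 0.02, 0.01]
LABELS = [1] * 6 + [0] * 10     # 1 = intrusion, 0 = normal


def roc_points(scores, labels):
    """Sweep the alarm threshold from high to low and return (FPR, TPR) points.
    Events with equal scores are moved across the threshold together."""
    pos = sum(labels)
    neg = len(labels) - pos
    order = sorted(zip(scores, labels), key=lambda p: -p[0])
    pts, tp, fp, i = [(0.0, 0.0)], 0, 0, 0
    while i < len(order):
        s = order[i][0]
        while i < len(order) and order[i][0] == s:
            tp += order[i][1]
            fp += 1 - order[i][1]
            i += 1
        pts.append((fp / neg, tp / pos))
    return pts


def auc(points):
    """Area under the ROC curve by the trapezoid rule."""
    return sum((x1 - x0) * (y0 + y1) / 2
               for (x0, y0), (x1, y1) in zip(points, points[1:]))


def bayesian_detection_rate(tpr, fpr, base_rate):
    """P(intrusion | alarm): the fraction of alarms that are real, given the
    prior probability `base_rate` that an audited event is an intrusion."""
    hits = tpr * base_rate
    false_alarms = fpr * (1 - base_rate)
    return hits / (hits + false_alarms)


def expected_cost(tpr, fpr, base_rate, cost_miss, cost_false_alarm):
    """Expected cost per audited event at the operating point (tpr, fpr)."""
    return base_rate * (1 - tpr) * cost_miss + (1 - base_rate) * fpr * cost_false_alarm


def cheaper_point(a, b, base_rate, cost_miss, cost_false_alarm):
    """Return 'A' or 'B': the operating point with the lower expected cost."""
    ca = expected_cost(*a, base_rate, cost_miss, cost_false_alarm)
    cb = expected_cost(*b, base_rate, cost_miss, cost_false_alarm)
    return "A" if ca <= cb else "B"


if __name__ == "__main__":
    pts = roc_points(SCORES, LABELS)
    print("AUC = %.3f" % auc(pts))
    for p in (1e-4, 1e-2, 1e-1):
        print("base rate %g: P(intrusion|alarm) at TPR=0.9, FPR=0.01 = %.4f"
              % (p, bayesian_detection_rate(0.9, 0.01, p)))
    A, B = (0.9, 0.01), (0.99, 0.05)    # two operating points on some ROC curve
    print("miss:false-alarm cost 100:1 ->", cheaper_point(A, B, 0.01, 100, 1))
    print("miss:false-alarm cost  10:1 ->", cheaper_point(A, B, 0.01, 10, 1))
```

The same operating point (TPR 0.9, FPR 0.01) that looks excellent on a ROC plot yields fewer than one real alarm per hundred when one event in ten thousand is an intrusion, which is the number an operator actually lives with; and whether point A or point B is "better" under a cost metric is decided entirely by the assumed cost ratio, which is the subjectivity the text objects to. Any published comparison of IDSs should therefore state the base rate and the cost assumptions alongside the ROC figures.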
