İsam Kareem THAJEEL, Osman Nuri UÇAN, Oğuz BAYAT

Improving IDSs Alerts To Improve High Quality Network Security By Using Data Mining Technique = Veri Madenciliği Tekniğini İle ID’ler Kullanarak Ağ Güvenliğinin Yüksek Kaliteli Hale Getirilmesi

AbstractIntrusion-Detection-Systems (IDSs) are the best and most effective techniques when it comes to addressing thethreats (such as malware and cyber-attacks etc.) being faced by computer networks; indeed, these systems havebeen used for more than 20 years. However, these systems generate a huge number of alerts, a large percentageof which are false or incorrect. This problem adversely affects the performance and effectiveness of network security.In this paper, we propose a new system to eliminate duplicated and redundant IDS alerts; the overall aimis to improve network security by minimizing the rate of false positive alarms. This system consists of two majorphases, as well as various sub-phases. The first phase involves removing duplicated alerts by applying a new filteringalgorithm which has been prepared for this purpose. The aim of the second phase is to reduce false alertsby eliminating the redundant alerts; this is achieved by applying association rules and mining frequent itemsetalgorithms. This system is evaluated and tested by using five weeks of data from the DARPA 99 dataset. The resultsshow that this system significantly reduces the number of FP alarms by 97.98%. These results also demonstratethe system’s substantial ability to reduce the very large number of false alarms related to IDSs.ÖzetSaldırı Tespit Sistemleri (IDS), bilgisayar ağları tarafından karşılaşılan tehditleri (kötü amaçlı yazılımlar ve siber saldırılargibi) ele almaya gelince en iyi ve etkili tekniklerdir; Gerçekten de, bu sistemler 20 yıldan fazla kullanılmaktadır. Bununlabirlikte, bu sistemler çok sayıda uyarı üretir; bunların büyük bir yüzdesi yanlış veya yanlıştır. Bu sorun, ağ güvenliğininperformansını ve etkililiğini olumsuz olarak etkiler. Bu yazıda, çoğaltılmış ve gereksiz IDS uyarılarını ortadankaldırmak için yeni bir sistem öneriyoruz; genel amaç, yanlış pozitif alarm oranını en aza indirerek ağ güvenliğini arttırmaktır.Bu sistemin yanı sıra çeşitli alt safhalar olmak üzere iki ana safhadan oluşur. Birinci aşamada, bu amaçla hazırlanmışyeni bir filtreleme algoritması uygulayarak çoğaltılan uyarıların kaldırılması gerekir. İkinci aşamada hedef,gereksiz uyarıları ortadan kaldırarak yanlış uyarıları azaltmaktır; bu ilişki kurallarını uygulayarak ve sık öğe seti algoritmalarınıkullanarak gerçekleştirilir. Bu sistem, DARPA 99 veri kümesindeki beş haftalık verileri kullanarak değerlendirilirve test edilir. Sonuçlar, bu sistemin FP alarm sayısını% 97.98 oranında önemli ölçüde düşürdüğünü göstermektedir.Bu sonuçlar, aynı zamanda, sistemin IDS’lerle ilgili çok sayıda yanlış alarmı azaltma kabiliyetini de göstermektedir

Keywords:

Threat Degree of Alerts, Alert Evaluation, Network Security, IDSs, False Positive (FP) Alert Ağ Güvenliği, IDS, Tehditler Derece Uyarıları,

PDF

___

McAfee Labs (2013). McAfee Labs Threats Report. available in “https://www.mcafee.com/us/resources/ reports”
Julisch, K. Dealing with false positives in intrusion detection. available in “ http://www.raid-symposium. org/”, 2000.
Axelsson, S. 1999. The base-rate fallacy and its implications for the difficulty of intrusion detection. In CCS ’99: Proceedings of the 6th ACM conference on Computer and communications security, 1–7, New York, NY, USA. ACM.
Manganaris, S., Christensen, M., Zerkle, D., & Hermiz, K. 2000. A data mining analysis of rtid alarms. Comput. Netw., 34(4), 571–577.
Julisch, K. (2003). Using root cause analysis to handle intrusion detection alarms PhD thesis, University of Dortmund (2003).
Pietraszek, T., ”Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection,” Recent Advances in Intrusion Detection: 7th International Symposium RAID 2004, pp. 102-124, September 2004.
Tjhai G. C. (2011). Anomaly-Based Correlation of IDS Alarms, PhD thesis, The University of Plymouth, UK.
Magi, F., Matteucci, M. & Zanero, S. (2009). Reducing false positives in anomaly detectors through fuzzy alert aggregation, Information Fusion. 10,300-311.
Adnan, A. H. (2009). Multithreaded scalable matching algorithm for intrusion detection system. University Sains Malaysia, PhD Thesis.
El-Taj, H., Abouabdalla, O., Manasrah, A., Al-Madi, A., Sarwar, M.I., & Ramadass, S. (2010). Forthcoming aggregating intrusion detection system alerts framework. In Emerging Security Information Systems and Technologies (SECURWARE), 2010 Fourth International Conference. 40-44. IEEE.
Alshammari, R., Sonamthiang, S., Teimouri, M., & Riordan, D. (2007). Using Neuro-Fuzzy Approach to Reduce False Positive Alerts, Communication Networks and Services Research, 2007. CNSR ‘07. Fifth Annual Conference on, 345-349. Doi:10.1109/CNSR.2007.70
Elshoush & Osman. (2011). Alert correlation in collaborative intelligent intrusion detection system-A survey . Applied Soft Computing Journal, 11, 4349-4365.
Hackmageddon.com, _Cyber attacks statistics,_ http://hackmageddon.com/2013-cyber-attacks-statistics/, Aug 2013.
Al-Mamory, S. O. & Zhang, H. (2010). New data mining technique to enhance IDS alarms quality, Journal in computer virology, Vol. 6, No. 1,43-55. Doi:10.1007/s11416-008-0104-2.
Mohiuddin Ahmed, Abdun Naser Mohmood, “Network Traffic Analysis based on Collective Anomaly Detection” 9th Conference on Industrial Electronics and Application ICIEA, 2014 IEEE,PIN: 978-1- 4799-4315-9/14.
Lippmann, R.,J. W. Haines, et al. (2000a).” The 1999 DRPA off-line intrusion detection evaluation”, Computer Networks-the International Journal of Computer and Telecommunications Networking 34(4): 579-595.
Lars Schmidt-Thieme, “Algorithmic Features of Eclat” Conference: FIMI’04, Proceedings of the IEEE ICDM Workshop on Frequent Itemsets Mining Implementation, Brighton, UK, November 1, 2004.
Khanchi, s.,& Adibnia, F.(2002). False alert reduction on network-based intrusion detection system by means of feature frequencies. Advances in Computing , Control, & Telecommunication Technologies, 2009. ACT ‘09. International conference on vol., no., 513,516,28-29 Dec.2009. doi: 10.1109/ACT. 2009.221
Kardi Teknomo. K-Means Clustering Tutorials. 2007”.http:\\people.revoledu .com\kardi\ tutorial\ kMean\”
Lior Rokach and Oded Maimon, Data Mining and Knowledge Discovery Handbook, Tell-Aviv University, 2005, pp 321-349.SPIN 11053125,11411963.