A Novel Alert Correlation Technique for Filtering Network Attacks
Jane Kinanu Kiruki1,3, Geoffrey Muchiri Muketha2 and Gabriel Kamau1
1Department of Information Technology, Murang’a University of Technology, Kenya 2Department of Computer Science, Murang’a University of Technology, Kenya 3Department of Computer Science, Chuka University, Kenya
Abstract
Alert correlation is a high-level alert evaluation technique for managing the large volumes of irrelevant and redundant intrusion alerts raised by Intrusion Detection Systems (IDSs). Recent trends show that pure intrusion detection can no longer satisfy the security needs of organizations. One problem with existing alert correlation techniques is that they group related alerts together without taking their severity into consideration. This paper proposes a novel alert correlation technique that can filter unnecessary and low-impact alerts from a large volume of intrusion alerts. The proposed technique is based on a supervised feature selection method that uses class type to define the correlation between alerts. Alerts of similar class type are identified using a class label. Class types are further classified based on their metric ranks into low, medium and high level. Findings show that the technique is able to detect and report high-level intrusions.
Keywords
Alert correlation, merging, classification, alert clustering, alert prioritization, pre-processing
Network attacks have become more serious in recent years, forcing the deployment of appropriate security devices such as firewalls and Intrusion Detection Systems (IDSs). IDSs inspect network activity with the aim of identifying suspicious behaviour and, if it is found, report it in the form of alerts. Two common methods for reporting intrusion alerts are on-screen display and email. The on-screen method is slow and can only be accessed from a physical site, while the email method is fast and can be accessed both internally and remotely, given internet connectivity. With email alerting, the IDS is linked to a mail gateway to send alert notifications during intrusions [1]. There are two common types of IDSs depending on the method employed for traffic inspection, namely signature-based and anomaly-based IDSs. However, both types suffer from the problem of generating numerous unsorted, unverified, noisy and dirty alerts per day. Additionally, most of the alerts are false alerts resulting from non-existent intrusions, thereby diminishing the value of interesting alerts. Analysts are usually overwhelmed by the voluminous alerts and hence unlikely to look at them until a sign is reported by other security means, because identifying interesting alerts and reporting network status is a laborious and challenging task [2][3]. There is a need for a proactive network monitoring tool that can be used to continuously analyse network performance issues and bottlenecks.
To handle the problem at hand, we propose low-level and high-level alert evaluation operations. Low-level alert operations deal with each alert individually to enrich its attributes or assign a score to it based on its potential risk. High-level alert evaluation operations deal with groups of alerts and give an abstraction of each group. The proposed approach is based on a supervised feature selection method that uses a similarity approach by class type. Metrics are used to rank the class types into low level, medium level and high level. A threshold is then used to eliminate variables below the set threshold, so low-level alerts are discarded and high-level intrusions are reported through short message services whenever they are encountered.
Results show improved learning performance, with better learning precision, lower computational time and improved technique understandability. Moreover, the removal of irrelevant features helps learn a better model, since irrelevant features confuse the learning system and cause memory and computation inefficiency [4].
The rest of this paper is structured as follows. Section 2 presents related work, Section 3 presents our methodology, Section 4 presents the proposed alert correlation technique, Section 5 presents the results, Section 6 presents the discussion, and Section 7 presents the conclusions and future work.
Alert correlation is a technique used to determine any association between alerts in relation to launched attacks. Alert correlation techniques have been classified into the following types: predefined attack scenarios-based approaches, similarity-based approaches, prerequisites and consequences-based approaches, and hybrid approaches. The main objective of these approaches is to categorize alerts and to reduce false positive ones [5][6].
Alert correlation has been further classified according to four criteria, namely the number of information data sources, the type of application domain, the correlation method and the architecture [6-9]. The number of information data sources can be single source or multiple source. Single-source data has the advantage of simplicity but fails to achieve optimal results from correlation; as such, it is not the best solution for collaborative monitoring systems. Multiple data sources have a high cost, mainly due to the heterogeneity of the different inputs, but give better results than a single data source. The application domain, though versatile, has mainly been network management systems, which aim at allowing operators to monitor the system by generating alerts that warn about problems in the network; it has also been IT security, where correlation produces attack reports that capture a coherent view of the activity on the network or systems without losing security-relevant information, and process control in manufacturing systems, where it is used to identify the root cause of problems or process disturbances. Finally, correlation methods have been classified as similarity-based, sequential-based and case-based, while architecture has been classified as centralized, distributed and hierarchical.
Similarity-based methods usually try to reduce the total number of similar alerts through clustering and aggregation. Researchers [7] have proposed a new alert correlation technique that works by extracting network flows. The technique was built without requiring predefined knowledge or preconditions, to allow the discovery of new correlation relationships between alerts. The method used two steps in analysing the features of alert flows, called low-level alert analysis and high-level alert analysis. The analysed alerts were generated by the Snort IDS, although other researchers [11] have proposed the use of a wide variety of sources of information in order to achieve the goals of alert correlation effectively and accurately.
Other related works include case-based methods, which rely on the presence of knowledge to signify well-defined scenarios. These methods try to correlate alerts based on known scenarios [8]. They are efficient for solving well-known problems by specifying a complete action plan or previously observed scenarios. However, it is not always easy to exhaustively list all scenario templates and build a database containing a comprehensive set of problem solutions. In addition, time inefficiency may make them unusable in real-time alarm correlation.
Further, researchers [9] have proposed the prerequisite and consequence relationship technique, which applies a sequential-based correlation method dealing with the relationship between alerts based on pre- and post-conditions. The assumption is that earlier alerts prepare for later ones. The advantages of sequential-based methods are that they are scalable, can potentially uncover the causal relationship between alerts, and are not restricted to known attack scenarios. However, correlation results may contain a large number of false correlations, for two possible reasons: either the logical predicates are not well configured or the quality of the sensor alerts is not adequate.
Other researchers have used different methods to determine alert association. In [10], a combination of conditional rough entropy and knowledge granularity calculation was used to find important attributes and their weights. Alerts were aggregated based on weight similarity. However, the researchers did not use real-world attacks, so current attacks cannot be captured by that approach.
In [11], statistics-based algorithms were used to store causal relationships between alerts and analyse their frequency of occurrence. The method also takes previous attack data into consideration to generate attack steps. The attack relationship knowledge is used to correlate different attack stages. Computing the alert relationship using this algorithm is nearly impossible in cases where sensors provide incomplete data.
In [12], the destination port and alert type are combined as parameters for analysis. If two alerts with the same destination port and alert type occurred in sequence, they were grouped as similar alerts; otherwise they were grouped as different alerts. Time-lag based Sequence Splitting (TSS) and the Sequence Pruning Algorithm (SPA) were used: TSS split long attack sequences, while SPA eliminated the duplicated sessions extracted by TSS. Graphs were generated from the results. However, it is not easy to interpret the intrusion sequence, because the attack sequence was interfered with while filtering out some of the repetitive attack steps.
Sequence-based algorithms depend on preconditions, which are the main determinants of a successful attack. This makes it hard for such algorithms to determine the relationship between attacks in an operational network, since attack patterns cannot be determined before attacks happen. To solve this problem, [13] proposed the use of a time prefix span algorithm in alert correlation. The algorithm reduced the datasets and used time sequences and time intervals between attacks, which improved its efficiency. However, reducing the datasets makes it a challenge to maintain data quality and accurate results [14].
In this study, a quantitative approach based on a simulation experiment is used, due to its ability to use numbers and figures in data analysis and to assign scores that measure distinct attributes. The research uses deductive logic to address the issue of improving the quality of alerts generated by multiple sensors. Data derived from the metrics in our previous research is used for further analysis to get rid of redundant alerts. To do this, similarity-based clustering is used to detect redundancies and merge the alert clusters. A multi-level threshold is used that assists in classifying intrusions according to their severity and reporting high-level intrusions using short message services whenever they are encountered.
Low-level, medium-level and high-level alerts from a scored alert database composed of IDS, firewall and honeypot alerts were used. Alert attributes consist of several fields, including the message field, class type, security identifier (SID) and alert identifier (ID), that provide information about the attack. An example is "Idsystem Attack ET ATTACK RESPONSE Net User Command Response successful user 2017025", where "Idsystem Attack" is the alert identifier, "ET ATTACK RESPONSE Net User Command Response" is the message and 2017025 is the SID. This information varies from one IDS product to another.
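The following Python script is an added example, not code from the paper, that works through the class-type correlation described in the introduction and methodology above on the alert layout just described: it parses "<alert id> <message ...> <sid>" records, groups them by class label, ranks each class type from a metric score into low, medium or high, drops classes below a threshold rank, merges redundant alerts (same SID and message) into one entry with a count, and builds the short messages that would be handed to an SMS gateway for high-level clusters. The per-class-type scores, the rank boundaries, the class labels and the sample alerts are all constructed assumptions of this example; only the SID 2017025 and its message come from the page.

```python
"""Class-type alert correlation with severity ranks and a threshold.

Added example, not the paper's own code. The metric scores per class type,
the rank boundaries, the class labels and the sample alerts are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

RANKS = ("low", "medium", "high")  # ordered from least to most severe


@dataclass(frozen=True)
class Alert:
    alert_id: str    # e.g. "IdsystemAttack"
    message: str     # e.g. "ET ATTACK_RESPONSE Net User Command Response"
    sid: int         # identifier of the rule that fired, e.g. 2017025
    classtype: str   # class label used to group related alerts (assumed field)
    source: str      # sensor that raised it: ids, firewall or honeypot


def parse_alert(line, classtype, source):
    """Parse "<alert id> <message ...> <sid>": the first token is the alert
    identifier, the last token the SID, and everything between is the message."""
    tokens = line.split()
    if len(tokens) < 3 or not tokens[-1].isdigit():
        raise ValueError(f"unrecognised alert layout: {line!r}")
    return Alert(tokens[0], " ".join(tokens[1:-1]), int(tokens[-1]), classtype, source)


# Constructed metric scores per class type (stand-ins for scores derived from
# earlier metrics work) and the assumed boundaries between the three ranks.
CLASS_SCORES = {
    "successful-user": 8.5,
    "attempted-admin": 5.5,
    "attempted-recon": 3.0,
    "misc-activity": 1.0,
}
MEDIUM_FROM, HIGH_FROM = 4.0, 7.0


def rank_class(score):
    """Map a class-type metric score onto the low / medium / high rank."""
    if score >= HIGH_FROM:
        return "high"
    if score >= MEDIUM_FROM:
        return "medium"
    return "low"


def correlate(alerts, class_scores, min_rank="medium"):
    """Group alerts by class label, discard classes ranked below min_rank, and
    merge redundant alerts (same SID and message) into one entry with a count."""
    keep = RANKS.index(min_rank)
    by_class = defaultdict(list)
    for a in alerts:
        by_class[a.classtype].append(a)
    clusters = {}
    for classtype, group in by_class.items():
        rank = rank_class(class_scores.get(classtype, 0.0))  # unknown class -> low
        if RANKS.index(rank) < keep:
            continue  # below the threshold: filtered out
        merged = Counter((a.sid, a.message) for a in group)
        sources = sorted({a.source for a in group})
        clusters[classtype] = {"rank": rank, "merged": merged, "sources": sources}
    return clusters


def sms_reports(clusters):
    """One short message per merged high-level alert; this is the text an SMS
    gateway would be asked to send."""
    msgs = []
    for classtype, c in sorted(clusters.items()):
        if c["rank"] != "high":
            continue
        for (sid, message), n in sorted(c["merged"].items()):
            msgs.append(f"HIGH {classtype} sid={sid} x{n} via "
                        f"{','.join(c['sources'])}: {message}")
    return msgs


# Constructed sample input: (raw alert line, class label, sensor).
SAMPLE = [
    ("IdsystemAttack ET ATTACK_RESPONSE Net User Command Response 2017025", "successful-user", "ids"),
    ("IdsystemAttack ET ATTACK_RESPONSE Net User Command Response 2017025", "successful-user", "ids"),
    ("IdsystemAttack ET ATTACK_RESPONSE Net User Command Response 2017025", "successful-user", "honeypot"),
    ("FwDrop Sample inbound SSH login failures 9000001", "attempted-admin", "firewall"),
    ("IdsystemScan Sample port sweep 9000002", "attempted-recon", "ids"),
    ("IdsystemMisc Sample informational session 9000003", "misc-activity", "ids"),
]


def run_sample(min_rank="medium"):
    alerts = [parse_alert(line, ct, src) for line, ct, src in SAMPLE]
    return correlate(alerts, CLASS_SCORES, min_rank)


if __name__ == "__main__":
    clusters = run_sample()
    for classtype, c in clusters.items():
        print(classtype, c["rank"], dict(c["merged"]), c["sources"])
    for m in sms_reports(clusters):
        print(m)
```

With the default threshold of "medium", the two low-ranked classes are dropped, the three identical successful-user alerts collapse into one entry with a count of 3 and both sensors listed, and only that cluster produces an SMS text; raising the threshold to "high" also removes the attempted-admin cluster.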
Three criteria were specified to determine the appropriate sample size, namely the level of precision, the level of confidence or risk, and the degree of variability in the attributes being measured [15]. We determined our sample size using Yamane's formula [16], as shown below.