ABSTRACT

Alert aggregation is an important subtask of intrusion detection. The goal is to identify and cluster the different alerts produced by low-level intrusion detection systems, firewalls, etc. that belong to a specific attack instance initiated by an attacker at a certain point in time. Meta-alerts can then be generated for the clusters that contain all the relevant information, while the amount of data (i.e., alerts) is reduced substantially. Meta-alerts may then be the basis for reporting to security experts or for communication within a distributed intrusion detection system. We propose a novel technique for online alert aggregation that is based on a dynamic, probabilistic model of the current attack situation. Basically, it can be regarded as a data stream version of a maximum likelihood approach for the estimation of the model parameters. With three benchmark data sets, we demonstrate that it is possible to achieve reduction rates of up to 99.96 percent while the number of missing meta-alerts is extremely low. In addition, meta-alerts are generated with a delay of typically only a few seconds after observing the first alert belonging to a new attack instance. Two types of intrusions are detected in this work: firstly, a spam attack is detected based on the blacklisted IP addresses from Stop Forum Spam, and secondly, packet-level intrusion is detected based on KDD Cup data. A packet sniffer is designed which continuously sniffs and extracts all the packets exchanged over the Internet interface. The packets are filtered and the headers are extracted. The headers are further subdivided into TCP, IP and UDP headers; ICMP packets are then separated. The data is matched against the database of intrusion entries using fast string matching techniques, and possible attack entries are marked with different color codes. An attack signature may be visible in any header of the same packet. In such cases, the alerts are aggregated and a single alert is generated.
A signature can be mutated across multiple packets with a similar signature. Such alerts are also combined into a single alert, so that the number of alerts generated is kept under control and only the attack signature associated with the attacker is retained. Results show that adopting this technique can not only detect all the signatures with a 0.02% false acceptance rate and a 0.06% false rejection rate, but at the same time keep the total number of alerts below 25% of the overall alerts being generated.
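As an added illustration (not code from the paper), the two aggregation steps described above in Python: alerts raised in different headers of the same sniffed packet collapse into one, and matches of the same signature from the same source arriving within a short window merge into one meta-alert, whose reduction rate is then reported. The alert fields, the 5-second window and the sample alerts are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    ts: float        # seconds since capture start
    pkt_id: int      # identifier of the sniffed packet
    header: str      # "IP", "TCP", "UDP" or "ICMP" (assumed field)
    signature: str   # name of the matched database entry (assumed field)
    src: str         # source address of the packet

@dataclass
class MetaAlert:
    signature: str
    src: str
    first_ts: float
    last_ts: float
    packets: set     # packet ids folded into this meta-alert
    headers: set     # headers in which the signature was seen

def aggregate(alerts, window=5.0):
    """Fold a stream of low-level alerts into meta-alerts.
    Alerts with the same (signature, src) extend the open meta-alert if they
    arrive within `window` seconds of its last alert; this covers both several
    headers of one packet (same timestamp) and a signature mutated across
    packets. Otherwise a new meta-alert is opened."""
    open_meta = {}   # (signature, src) -> MetaAlert still being extended
    metas = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.signature, a.src)
        m = open_meta.get(key)
        if m is not None and a.ts - m.last_ts <= window:
            m.packets.add(a.pkt_id)
            m.headers.add(a.header)
            m.last_ts = a.ts
        else:
            m = MetaAlert(a.signature, a.src, a.ts, a.ts, {a.pkt_id}, {a.header})
            open_meta[key] = m
            metas.append(m)
    return metas

def reduction_rate(alerts, metas):
    """Fraction of low-level alerts removed by aggregation."""
    return 1.0 - len(metas) / len(alerts)

# Constructed sample: one signature seen in two headers of packet 1, again in
# packet 2 shortly after, a different signature in an ICMP packet, and the first
# signature again 20 s later (outside the window, so a new attack instance).
SAMPLE_ALERTS = [
    Alert(0.0, 1, "IP", "SIG_A", "10.0.0.5"),
    Alert(0.0, 1, "TCP", "SIG_A", "10.0.0.5"),
    Alert(1.5, 2, "TCP", "SIG_A", "10.0.0.5"),
    Alert(2.0, 3, "ICMP", "SIG_B", "10.0.0.7"),
    Alert(20.0, 4, "TCP", "SIG_A", "10.0.0.5"),
]
```

Running `aggregate(SAMPLE_ALERTS)` yields three meta-alerts from five alerts, a reduction rate of 0.4.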

Keywords: Alert aggregation, attacks, meta-alerts, packets, intrusion detection.