A Heuristic Approach for Alert Aggregation in Intrusion Detection System

Upload: journal-of-computer-applications

Post on 04-Apr-2018


  • 7/31/2019 A Heuristic Approach for Alert Aggregation in Intrusion Detection System


    Journal of Computer Applications (JCA)

    ISSN: 0974-1925, Volume V, Issue 3, 2012

    Abstract - Intrusion Detection System (IDS) is an important protection mechanism for wireless networks. It helps to identify suspicious attacks and provide an alert. In IDS, alert aggregation is one of the mandatory subtasks, in which alerts are grouped into clusters. Based on the information provided by the cluster head, alerts are aggregated and sent to the reaction layer. We propose to introduce a new layer between the detection and alert aggregation layers, namely the alert pre-processing layer. This layer filters the false alerts by sending only the correct packets to the destination and thus prevents suspicious ones from proceeding further. We propose this scheme for enhanced detection and false alarm rates.

    Index Terms - Intrusion detection, alert aggregation, genetic algorithm, backtracking.

    I. INTRODUCTION

    Due to the enormous and fast growth of computer networks, the variety of attacks has grown accordingly. An Intrusion Detection System (IDS) is a system that identifies different categories of attacks by different security mechanisms and safeguards the system properties and configuration, including data. An IDS always analyzes the traffic entering the network and differentiates between true packets and attacks. The system classifies the attack identification methods into two general types: anomaly and misuse detection. An Intrusion Detection (ID) system collects and analyzes required information from various components in a computer or network to identify possible loopholes that make the system insecure. An intrusion detection system is designed in such a way that it gathers data as normal or abnormal. Day by day, ID systems are being developed to minimize the increasing number of attacks on significant sites and in different types of networks. Intrusion detection is the action of separating wanted and unwanted traffic on a network or in a device. For different network configurations, many IDS technologies exist at present, and more will appear in the near future [1]. Currently, several IDS are reliable in detecting various suspicious actions by evaluating TCP/IP connections or log files, for example. Whenever an IDS finds a suspicious packet, it creates an alert which includes the source from which it originated, the target to which it is sent, and the category of attack. Even a single intrusive action generated by a single intruder often causes hundreds or thousands of alerts to be created, which causes incorrect action by the network. IDS focus only on detecting the different types of attack by the attacker, irrespective of the different ways of attack caused to the system. An increase in the number of low rates of false alerts caused by a single attack would damage the entire network in a severe manner [2]. In order to overcome this, IDS creates low level of abstraction techniques to minimize the false alerts. The information from a single alert might be incorrect with high probability, so it is very difficult for a security expert to identify those groups of alerts.

    Manuscript received 10/Sep/2012.
    Manuscript selected 4/Oct/2012.
    N.Anitha, Department of Information Technology, Kongu Engineering College, Assistant Professor, Perundurai, Tamil Nadu, India. E-mail: [email protected]
    S.Anitha, Department of Information Technology, Kongu Engineering College, Assistant Professor, Perundurai, Tamil Nadu, India. E-mail: [email protected]
    B.Anitha, Department of Information Technology, Kongu Engineering College, Assistant Professor, Perundurai, Tamil Nadu, India. E-mail: [email protected]

    Low-level IDS may generate alerts with the use of a firewall, etc. To avoid the overhead of alerts generated from a single attack, those alerts are clustered. Information about the clustered alerts, called a meta-alert, is also generated. The main motive is to minimize the number of alerts originated for a single attack instance without losing important information which gives a perfect clue for finding the attack type; in turn, false or redundant meta-alerts are accepted to a certain degree.

    Based on the principles of evolution and natural selection, a genetic algorithm works by using a model created from the different problems of various domains. The model resembles a chromosome-like structure, on which various processes like selection, recombination and mutation take place. Genetic algorithms are used in computer security to find the best result to a specific problem by compromising certain parameters.

    Selecting, in a random manner, the chromosomes that constitute the population is the foremost step in the genetic algorithm. The problem is solved using the chromosome representation. The positions of each chromosome are encoded as bits, characters or numbers according to the attribute requirement of the problem. During evolution, each position of a chromosome, called a gene, can be randomly changed within a specified range. The population is the set of chromosomes that are present during the evolution stage. Each chromosome is selected based on the goodness given by the evaluation function. Natural reproduction and mutation are simulated using two basic operators, crossover and mutation, during evaluation. Based on the fittest chromosomes, the survival of chromosomes and their combination is determined.

    In our perspective, an ideal IDS must know about the various types of attack and attackers. In the existing system, a novel technique called Generative Data Stream Modeling is used for online alert aggregation, and meta-alerts are generated [2]. In this paper, we make an important step towards the generation of meta-alerts by introducing a new layer in between the detection and alert processing layers, namely the alert pre-processing layer.

    A Heuristic Approach for Alert Aggregation in Intrusion Detection System
    N.Anitha a,*, S.Anitha b,1, B.Anitha c,2


    Our approach has the following distinctive properties:

    - It is a genetic algorithm approach using heuristic methods. Once the decision is raised based on the suspicious alert, we generate the offspring such as false positive (FP) and false negative (FN) functions.
    - It is a backtracking approach in which each observed false alert is prevented from proceeding further into the system.

    The remainder of this paper is organized as follows: In Section II, a review of related work is presented. Section III describes the proposed alert generation approach. Finally, Section IV describes the conclusion and future work.

    II. REVIEW OF RELATED WORKS

    Most existing IDS are optimized to detect attacks with high accuracy. However, they still have various disadvantages that have been outlined in a number of publications, and a lot of work has been done to analyze IDS in order to direct future research [3]. Besides others, one drawback is the large amount of alerts produced, some of which are redundant and unnecessary. The alert aggregation approach is, at each point in time, based on a probabilistic model of the current situation. This system focuses on a structurally very similar so-called ID agent.

    Figure 1. Outline of the Layered Architecture of an ID Agent

    The sensor layer provides the interface to the network and the host on which the agent resides. Sensors acquire raw data from both the network and the host, filter incoming data and extract interesting and potentially valuable information which is needed to construct an appropriate event. At the detection layer, different detectors, e.g., classifiers trained with machine learning techniques such as support vector machines (SVM) or conventional rule-based systems such as Snort, assess these events and search for known attack signatures (misuse detection) and suspicious behavior (anomaly detection). In case of attack suspicion, they create alerts which are then forwarded to the alert processing layer. Alerts may also be produced by FW or the like. At the alert processing layer, the alert aggregation module has to combine alerts that are assumed to belong to a specific attack instance. Thus, so-called meta-alerts are generated. Meta-alerts are used or enhanced in various ways, e.g., scenario detection or decentralized alert correlation. An important task of the reaction layer is reporting [4].

    In other words, with the alert aggregation module (on which we focus in this paper) we want to have a minimal number of missing meta-alerts (false negatives), and we accept some false meta-alerts (false positives) and redundant meta-alerts in turn. With the creation of a new component, an appropriate meta-alert that represents the information about the component in an abstract way is created. Every time a new alert is added to a component, the corresponding meta-alert is updated incrementally, too. That is, the meta-alert evolves with the component. Meta-alerts may be the basis for a whole set of further tasks:

    - Sequences of meta-alerts may be investigated further in order to detect more complex attack scenarios.
    - Meta-alerts may be exchanged with other ID agents in order to detect distributed attacks such as one-to-many attacks.
    - Based on the information stored in the meta-alerts, reports may be generated to inform a human security expert about the ongoing attack situation.

    Meta-alerts could be used at various points in time from the initial creation until the deletion of the corresponding component. For instance, reports could be generated immediately after the creation of the component or (which could be preferable in some cases) a sequence of updated reports could be created at regular time intervals. Another example is the exchange of meta-alerts between ID agents: due to high communication costs, meta-alerts could be exchanged based on the evaluation of their interestingness [6].

    According to the task for which meta-alerts are used, they may contain different attributes. Examples of those attributes are aggregated alert attributes (e.g., lists or intervals of source addresses or targeted service ports, or a time interval that marks the beginning and the end, if available, of the attack instance), attributes extracted from the probabilistic model (e.g., the distribution parameters or the number of alerts assigned to the component), an aggregated alert assessment provided by the detection layer (e.g., the attack type classification or the classification confidence), and also information about the current attack situation (e.g., the number of recent attacks of the same or a similar type, links to attacks originating from the same or a similar source).

    The existing technique detects the attacks using a rule set with the help of a Genetic Algorithm [7]. It develops rules for R2L, U2R, Probe and DoS attacks. The average performance of the method is a low detection rate. Another existing technique is a combination of fuzzy data mining procedures and a Genetic Algorithm for identifying network anomalies and misuses. The attributes of the network audit data are not recognized accurately in most of the existing Genetic Algorithm based IDS. Though the features play a main role in Intrusion Detection, the author introduces fuzzy numerical functions. Another technique uses a Genetic Algorithm to recognize the best parameters of the fuzzy functions for choosing the features of the related network [5]. Network anomalies can be identified by applying multiple agent techniques and Genetic Programming. The set of agents that establish the network actions can be found out by an agent, which examines one parameter of the network audit data, and Genetic Programming. Several small independent agents can be used in that technique, which is an advantage, while the communication between the agents is a problem.


    Another proposed Genetic Algorithm technique [8] is for anomaly detection. Random digits were produced using the Genetic Algorithm. An entry value was produced, and any conviction value greater than this threshold value was classified as a malicious attack. The main drawback of this approach was that establishing the threshold value is difficult, and it leads to a high false alarm rate when used to detect unknown or new attacks. One IDS tool that uses GAs to detect intrusions, and is available to the public, is the Genetic Algorithm as an Alternative Tool for Security Audit Trails Analysis (GASSATA). GASSATA finds, among all possible sets of known attacks, the subset of attacks that are the most likely to have occurred in a set of audit data. Since there can be many possible attack types, finding the optimal subset is very expensive to compute. GAs are used to search efficiently. The population to be evolved consists of vectors with a bit set for each attack that is comprised in the data set. Crossover and mutation converge the population to the most probable attacks.

    This paper presents a Genetic Algorithm and a backtracking algorithm which recognize attack type connections. These two algorithms consider different features such as duration, protocol type, hot, etc. in creating a rule set. The Genetic Algorithm and backtracking algorithms create a set of rules which, applied on the Intrusion Detection System, classify different kinds of attacks. Our goal is to produce a high detection rate and low false alarm rate for Denial of Service (DoS), Root to Local (R2L), User to Root (U2R) and Probe attacks. We mainly focus on introducing a genetic algorithm with backtracking to reduce the minimum number of alerts as well as to handle the new types of attacks.

    III. A HYBRID APPROACH FOR ALERT GENERATION

    In the alert pre-processing layer, novel approaches such as the Genetic Algorithm and Backtracking are used. A Genetic algorithm is essentially a type of search algorithm which is used to solve a wide variety of problems. The goal of a Genetic algorithm is to create optimal solutions to specific problems. Potential solutions are encoded as a sequence of bits, characters or numbers. This unit of encoding is called a gene and the encoding sequence is known as a chromosome. The GA begins with a set of these chromosomes and an evaluation function that measures the fitness of each chromosome. It uses reproduction operators such as crossover and mutation to create new solutions, which are then evaluated.

    Figure 2. Proposed Layered Architecture of an ID Agent

    Genetic algorithms are defined as a computational concept inspired by the mechanics of natural evolution, including survival of the fittest, reproduction and mutation. In the standard Genetic algorithm, an initial population of individuals is generated at random or heuristically. In every generation the individuals in the current population are evaluated according to some predefined quality criterion referred to as the fitness. Fitness is determined by the fitness function. The fitness function takes a string and assigns a relative fitness value to the string. Based on their fitness, strings are selected as parents using selection operators. To form a new generation or child, the strings are put together and they reproduce through operators such as crossover and mutation. The Genetic algorithm comes to a halt when the determined fitness value is met or when the variation of individuals from one generation to the next reaches a pre-specified level of stability.

    First, an initial population of strings is created. Then the individuals are selected iteratively according to the fitness. Based on the fitness value of each string, strings which comply with the fitness value are combined to make a new generation that may be able to solve the problem. Initially the process selects individuals referred to as parents. The fit individuals of the new generation then become parents. If a solution is found, then the loop terminates; otherwise the loop starts from the individuals selected from the new generation and continues until the termination criteria are met.

    Figure 3. The Simple Structure of the Proposed Model
    [Label recovered from the figure: False alerts dropped]

    The network traffic used for the GA is a pre-classified data set that differentiates normal network connections from anomalous ones. This pre-classified data set is manually created by analyzing the data captured by the network sniffer. The network sniffer is a program used to record network traffic without doing anything harmful to the network traffic. The data set includes the necessary information to generate rules. This information includes the source IP address, the destination IP address, the source port, the destination port, the protocol used, and finally a field indicating whether the specific connection indicates an intrusion or not. The data set will include both normal and anomalous network connections. A connection refers to an entry in the dataset. If the connection is an intrusion, then it will be indicated by the value true, and if it is not an intrusion, it will be indicated by the value false. These network connections in the dataset are, as stated before, manually created. This is the initial phase of developing the system using the GA. Once the GA is trained with the rules, more network connections can be added to the dataset. This means that the dataset will have to be updated by administrators to add a new connection or to discard a connection. Once the initial data set is created, the next action is to create the rule set. By analyzing the dataset, rules will be generated in the rule set. These rules will be in an if-then format as follows.

    if {condition} then {act}

    The condition in the format above refers to the attributes in the rule set that form a network connection in the dataset, as shown in table 1, such as source and destination IP addresses, source and destination port numbers, protocol used, and a field indicating the possibility of an intrusion. Note that the condition will result in true or false. The act field in the if-then format above refers to an action taken once the condition is true, such as reporting an alert to the system administrator. For example, a rule in the rule set can be defined as follows:

    if {the connection has the following information: source IP address: 150.165.13.1; destination IP address: 130.179.16.43; source port number: 25; destination port number: 80; protocol used: IP} then {detect whether the connection is an intrusion or not}

    This rule will detect an intrusion because the source IP address 150.165.13.1 is recognized by the IDS as, for example, a blacklisted address. Hence any service requested from this address is rejected. Since the GA has to use such rules to detect intrusions, the rules in the rule set will be codified to the GA format in the GA rule set. Each rule will be represented in the form of a chromosome in the GA. This is carried out by extracting certain characteristics of the attributes in the rule set into a GA format. As stated before, the GA uses the rules in the GA rule set, which are encoded as chromosomes, to detect anomalous connections. The first part of the GA will act as a search algorithm. In the initial stage, only the search algorithm will be executed. This is to help the rules acquire values which are later used in the fitness function, when the complete GA is executed. Initially the search algorithm will match the rules with any anomalous connections that occur on the network to detect an intrusion. Each rule will carry a value for the intrusions that it has detected, and a value for the false alarms that the rule produces. The initial values for the rule will be initialized to zero. The rules will acquire these values when the search algorithm is executed. Once the rules have acquired the values, the complete GA, which includes the fitness function and mutation, is executed.

    The second part of the GA is the fitness function. The fitness function F determines whether a rule is good, i.e. it detects intrusions, or whether the rule is bad, i.e. it does not detect intrusions. F is calculated for each rule. It depends on the following equation. In the initial stage, this equation will be used to determine the fitness function, but future work will test and improve the equation to make the GA more effective in selecting fit individuals.

    F = a / A - b / B

    In the fitness function, "a" contains the value that the specific rule carries for the number of correctly detected intrusions. "b" contains the value that the specific rule carries for the number of false alarms. "A" is calculated by adding the value of the correctly detected intrusions from all the rules. "B" is the total number of normal connections in the dataset. A normal connection is not an intrusion, and is indicated by the value false. When an intrusion occurs, it is notified by the response mechanism. The response mechanism is a popup window indicating the rule, and a message notifying that an intrusion has occurred. When an intrusion does not occur, but the response mechanism confirms it as an intrusion, then it is considered a false alarm. When a rule pops up indicating an intrusion, but the connection actually has not taken place, then it is a false alarm. The network sniffer provides the information about connections on the network. Hence, when an intrusion is detected, the network sniffer will be executed to determine whether it is an intrusion or a false alarm.

    Simple generational genetic algorithm procedure:

    1. Choose the initial population of individuals
    2. Evaluate the fitness of each individual in that population
    3. Repeat on this generation until termination (time limit, sufficient fitness achieved, etc.):
        1. Select the best-fit individuals for reproduction
        2. Breed new individuals through crossover and mutation operations to give birth to offspring
        3. Evaluate the individual fitness of new individuals
        4. Replace least-fit population with new individuals

    [Figure 3 box labels: Genetic Algorithm, Rule set, Learning Phase, Response, Testing Phase, Genetic Algorithm classifier, Backtracked, True alerts]


    Genetic algorithm procedure for Alert Generation:

    1. Choose the initial population of alerts
    2. Evaluate the FP and FN of each alert in that population
    3. Repeat on this generation until termination:
        1. Select the appropriate attack for both FP and FN
        2. Generate offspring for best FP and FN attack
        3. Assign weight for the best offspring
        4. Remove false alert and send the packet to the destination [7]

    The algorithm first generates the initial population and loads the network audit data. Then the initial population is developed for a number of generations. In every generation, the qualities of the rules are first calculated, and then a number of best-fit rules are selected. The training procedure starts by arbitrarily generating an initial population of rules (Step 1). Step 2 estimates the total number of records in the audit data. Step 3 computes the fitness of each rule and selects the best-fit rules into the new population. Step 4 estimates the rank selection of entities. Steps 5-7 apply the crossover and mutation operators to every rule in the new population. Step 8 chooses the top best chromosomes into the new population. Finally, Step 9 verifies and decides whether to stop the training process or to go into the next generation to continue the development process.

    Algorithm for New Layer in Intrusion detection agent:

    Formation of Rule set with Genetic Algorithm

    Input: Production number, Binary String Set, Range of Population, possibility of Crossover and Mutation
    Output: Selected Features set

    Step 1) Random Population initialization
    Step 2) Number of Training Set Records
    Step 3) Estimate Fitness = f(a) / f(sum), where f(a) is the fitness of individual a and f(sum) is the entire fitness of all individuals
    Step 4) Rank Selection Rs(x) = s(x) / s_sum, where Rs(x) is the probability of selection of the individual, s(x) is the rank of the individual, and s_sum is the sum of all fitness values
    Step 5) For New Population with chromosomes
    Step 6) Chromosome is applied to crossover
    Step 7) Chromosome is applied to mutation operator
    Step 8) Choose new population with 60% of top best chromosomes
    Step 9) Continue up to the number of generations; go to Step 3
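    An added sketch of the training loop in Steps 1-9, scoring each rule with the fitness F = a/A - b/B defined earlier for the five-attribute connection rules (example code, not the authors' implementation). The wildcard gene, the single-point crossover, the mutation rate, the population size and every connection other than the page's example rule are assumptions constructed for illustration.

```python
import random
from collections import namedtuple

# Constructed sample data set. Only the first entry (the rule example in the
# text) comes from the page; every other connection is invented here.
Conn = namedtuple("Conn", "src_ip dst_ip src_port dst_port protocol intrusion")
DATASET = [
    Conn("150.165.13.1", "130.179.16.43", 25, 80, "IP", True),
    Conn("150.165.13.1", "130.179.16.44", 1025, 22, "TCP", True),
    Conn("150.165.13.1", "130.179.16.43", 4000, 80, "TCP", True),
    Conn("10.0.0.5", "130.179.16.43", 5000, 80, "TCP", False),
    Conn("10.0.0.6", "130.179.16.43", 5001, 443, "TCP", False),
    Conn("10.0.0.7", "130.179.16.44", 5002, 22, "TCP", False),
    Conn("10.0.0.5", "130.179.16.44", 5003, 80, "IP", False),
]
FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")
WILDCARD = None  # assumption: a gene set to None matches any value


def matches(rule, conn):
    """A rule (chromosome) has one gene per field; it fires if every gene matches."""
    return all(g is WILDCARD or g == getattr(conn, f) for g, f in zip(rule, FIELDS))


def search_counts(rule, dataset):
    """Search phase: a = intrusions the rule detects, b = false alarms it raises."""
    a = sum(1 for c in dataset if c.intrusion and matches(rule, c))
    b = sum(1 for c in dataset if not c.intrusion and matches(rule, c))
    return a, b


def fitness_scores(population, dataset):
    """F = a/A - b/B per rule; A sums detections over all rules, B counts normal entries."""
    counts = [search_counts(rule, dataset) for rule in population]
    A = sum(a for a, _ in counts)
    B = sum(1 for c in dataset if not c.intrusion)
    # Guard the empty cases: no rule detects anything, or no normal traffic.
    return [(a / A if A else 0.0) - (b / B if B else 0.0) for a, b in counts]


def random_rule(rng, dataset):
    """Step 1: start from a recorded connection and wildcard about half its genes."""
    base = rng.choice(dataset)
    return tuple(WILDCARD if rng.random() < 0.5 else getattr(base, f) for f in FIELDS)


def crossover(rng, p1, p2):
    """Step 6: single-point crossover (an assumed operator)."""
    point = rng.randrange(1, len(FIELDS))
    return p1[:point] + p2[point:]


def mutate(rng, rule, dataset, rate):
    """Step 7: each gene is replaced with probability `rate`."""
    genes = list(rule)
    for i, field in enumerate(FIELDS):
        if rng.random() < rate:
            donor = rng.choice(dataset)
            genes[i] = WILDCARD if rng.random() < 0.5 else getattr(donor, field)
    return tuple(genes)


def evolve(dataset, pop_size=20, generations=30, mutation_rate=0.1, seed=1):
    """Steps 1-9. Returns (best rule, its (a, b) counts, final population)."""
    rng = random.Random(seed)
    population = [random_rule(rng, dataset) for _ in range(pop_size)]
    for _ in range(generations):                      # Step 9
        scores = fitness_scores(population, dataset)  # Step 3
        order = sorted(range(pop_size), key=lambda i: scores[i], reverse=True)
        ranked = [population[i] for i in order]
        # Step 4: rank selection, weight = rank / sum of ranks (best rank is highest).
        weights = [pop_size - i for i in range(pop_size)]
        survivors = ranked[: int(0.6 * pop_size)]     # Step 8: keep the top 60%
        children = []
        while len(survivors) + len(children) < pop_size:
            p1, p2 = rng.choices(ranked, weights=weights, k=2)
            children.append(mutate(rng, crossover(rng, p1, p2), dataset, mutation_rate))
        population = survivors + children
    scores = fitness_scores(population, dataset)
    best = population[max(range(pop_size), key=lambda i: scores[i])]
    return best, search_counts(best, dataset), population


if __name__ == "__main__":
    rule, (a, b), _ = evolve(DATASET)
    print("best rule:", dict(zip(FIELDS, rule)), "detections:", a, "false alarms:", b)
```

    Because A is summed over the current rules, a rule's F changes as the population changes, so scores are only comparable within one generation.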

    A backtracking algorithm tries to build a solution to a computational problem incrementally. Whenever the algorithm needs to decide between two alternatives to the next component of the solution, it simply tries both options recursively.

    Backtracking algorithm for false alert:

    1. If P is a goal node, return success
    2. If P is a leaf node, return failure
    3. For each child C of P
        3.1 Explore C
            3.1.1. If C was successful, return Success
    4. Return Failure

    IV. CONCLUSION AND FUTURE WORK

    The Genetic Algorithm is a well-suited mechanism for Intrusion Detection compared to the enhanced C4.5 algorithm. Different classification rules for Intrusion Detection are obtained through the Genetic Algorithm. The proposed Genetic Algorithm with backtracking presents the Intrusion Detection System for detecting different types of attacks with different datasets. It will reduce the high detection rate and low false alarm rate. The backtracking algorithm is for increasing the efficiency of the intrusion detection system. In the future we will implement this idea to detect various attacks such as DoS, R2L, U2R and Probe from the KDDCUP99 Dataset.

    REFERENCES

    [1] S. Axelsson, Intrusion Detection Systems: A Survey and Taxonomy, Technical Report 99-15, Dept. of Computer Eng., Chalmers Univ. of Technology, 2000.
    [2] T. Pietraszek, Alert Classification to Reduce False Positives in Intrusion Detection, July 2006.
    [3] A. Allen, Intrusion Detection Systems: Perspective, Technical Report DPRO-95367, Gartner, Inc., 2003.
    [4] Alexander Hofmann, Online Intrusion Alert Aggregation with Generative Data Stream Modeling, Proc. IEEE Transactions on Dependable and Secure Computing, pp. 282-294.
    [5] S. Selvakani K, Rengan S Rajesh, Integrated Intrusion Detection System Using Soft Computing, IJNS, Vol. 10, No. 2, pp. 87-92, March 2010.
    [6] A. Hofmann, I. Dedinski, B. Sick, and H. de Meer, A Novelty-Driven Approach to Intrusion Alert Correlation Based on Distributed Hash Tables, Proc. 12th IEEE Symp. Computers and Comm. (ISCC 07), pp. 71-78, 2007.
    [7] Dr. J.A. Chandula, Machine Learning Techniques for Intrusion Detection System, (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 4, April 2012.
    [8] H.S. Venter, An Approach to Implement a Network Intrusion Detection System using Genetic Algorithms, Proceeding SAICSIT '04 Proceedings of the 2004 annual research conference of the South African institute of computer scientists and information technologists on IT research in developing countries.


    BIOGRAPHY

    N.Anitha received B.E Degree in Information Technology from Shri Angalamman College of Engineering and Technology, Trichy in 2004 and M.Tech Degree in Advanced IT from Bharathidhasan University in 2006. From 2006 to 2008 she worked as a Lecturer in the department of IT in Shri Angalamman College of Engineering and Technology, Trichy. Currently she is working as an Assistant Professor in the Department of IT, Kongu Engineering College, Perundurai. She has conducted various workshops and published several papers in the area of Security. She has research interest towards Intrusion Detection Techniques. She is a member of ISTE. E-mail: [email protected]

    S.Anitha received B.E Degree in Electronics and Communication Engineering from Coimbatore Institute of Engineering and Information Technology, Coimbatore in 2006 and M.E Degree in Computer Science and Engineering from Kongu Engineering College in 2009. From 2009 to 2010 she worked as a Lecturer in the department of IT, Velalar College of Engineering and Technology. Currently she is working as an Assistant Professor in the Department of IT, Kongu Engineering College, Perundurai. She has conducted various workshops and published several papers in the area of Network Security. She is a member of ISTE. E-mail: [email protected]

    B.Anitha received B.E Degree in Computer Science and Engineering from K.S.R College of Technology, Erode in 2001 and M.E Degree in Computer Science and Engineering from Kongu Engineering College in 2006. From 2007 to 2009 she worked as a Lecturer in the department of Computer Science and Engineering in Bannari Amman College of Engineering and Technology, Sathyamangalam. Currently she is working as an Assistant Professor in the Department of IT, Kongu Engineering College, Perundurai. She has conducted various workshops and published several papers in the area of Security Techniques. She has research interest towards Intrusion Detection Techniques. She is a member of ISTE. E-mail: [email protected]