Alert correlation in collaborative intelligent intrusion detection systems - A survey

Applied Soft Computing Journal

Volumn 11, Issue 7, 2011, Pages 4349-4365

  Elshoush, Huwaida Tagelsir ^a   Osman, Izzeldin Mohamed ^b  

^a UNIVERSITY OF KHARTOUM   (Sudan)

^b SUDAN UNIVERSITY OF SCIENCE AND TECHNOLOGY   (Sudan)

Author keywords

Alert correlation; Collaborative intrusion detection; Computational intelligence approaches; False positive analysis

Indexed keywords

COMPUTER ARCHITECTURE; COMPUTER CRIME; DAMAGE DETECTION; DISTRIBUTED COMPUTER SYSTEMS; FUZZY LOGIC; SOFT COMPUTING;

ALERT CORRELATION; COLLABORATIVE INTRUSION DETECTION SYSTEM; FALSE POSITIVE; INTELLIGENT INTRUSION DETECTION SYSTEMS; INTRUSION DETECTION METHOD; INTRUSION DETECTION SYSTEMS; ISSUES AND CHALLENGES; SYSTEM ARCHITECTURES;

INTRUSION DETECTION;

EID: 79960556588     PISSN: 15684946     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.asoc.2010.12.004     Document Type: Article

References (71)

1. S.O. Al-Mamory, and H. Zhang Intrusion detection alarms reduction using root cause analysis and clustering Computer Communications 32 2009 419 430
2. F. Autrel, and F. Cuppens Using an intrusion detection alert similarity operator to aggregate and fuse alerts Proceedings of the 4th Conference on Security and Network 2005
3. M.A. Aydin, A.H. Zaim, and K.G. Ceylan A hybrid intrusion detection system design for computer network security Computers and Electrical Engineering 35 2009 517 526
4. S.M. Bridges, R.B. Vaughn, Intrusion detection via fuzzy data mining, Accepted for Presentation at The Twelfth Annual Canadian Information Technology Security Symposium, The Ottawa Congress Centre, June 19-23, 2000.
5. M. Cai, K. Hwang, Distributed aggregation schemes for scalable peer-to-peer and grid computing, IEEE Transactions on Parallel and Distributed Systems (TPDS) (2006).
6. V. Chandola, A. Banerjee, and V. Kumar Anomaly detection: a survey ACM Computing Surveys 41 July (3) 2009 Article 15
7. F. Cuppens, Managing alerts in a multi-intrusion detection environment, in: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001), December 2001.
8. F. Cuppens, A. Miege, Alert correlation in a cooperative intrusion detection framework, in: Proceedings of the 2002 IEEE Symposium on Security and Privacy, IEEE Computer Society, Berkeley, California, USA, May 2002, p. 202
9. F. Cuppens, F. Autrel, A. Miege, S. Benferhat, Recognizing malicious intention in an intrusion detection process, in: Second International Conference on Hybrid Intelligent Systems, Santiago, Chili. Special session: "Hybrid Intelligent Systems for Intrusion Detection", December 2002.
10. O. Dain, and R.K. Cunningham Fusing a heterogeneous alert stream into scenarios Proceedings of the ACM CCS Workshop on Data Mining for Security Applications Barbar and Jajodia, USA 2001
11. K. Das, Protocol anomaly detection for network-based intrusion detection, GSEC Practical Assignment Version 1.2f SANS Institute 2002, August 2001.
12. H. Debar, and A. Wespi Aggregation and correlation of intrusion-detection alerts Proceedings of the 4th International Symposium on Recent Advances in Intrusion detection (RAID) 2001 Springer Verlag California, USA 85 103 (Pubitemid 33352002)
13. O. Depren, M. Topallar, E. Anarim, and M.K. Ciliz An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks Expert Systems with Applications 29 2005 713 722 (Pubitemid 41394445)
14. X.D. Hoang, J. Hu, and P. Bertok A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference Journal of Network and Computer Applications 32 2009 1219 1228
15. M. Hussein, M. Zulkernine, Intrusion detection aware component-based systems: a specification-based framework, School of Computing, Queen's University, Kingston, Ont., Canada K7L 3N6, 27, The Journal of Systems and Software 80 (2007) 700-710.
16. K. Hwang, H. Liu, Y. Chen, Cooperative Anomaly and Intrusion Detection for Alert Correlation in Networked Computing Systems, November 2004.
17. K. Hwang, M. Cai, Y. Chen, M. Qin, Hybrid intrusion detection with weighted signature generation over anomalous internet episodes, IEEE Transactions on Dependable and Secure Computing 4 (1) (2007).
18. N.Y. Jan, S.C. Lin, S.S. Tseng, and N.P. Lin A decision support system for constructing an alert classification model Expert Systems with Applications 36 2009 11145 11155
19. W. Jansen, Directions in security metrics research, National Institute of Standards and Technology (NIST), March 2009.
20. K. Julisch, Mining alarm clusters to improve alarm handling efficiency, in: 17th Annual Computer Security Applications Conference (ACSAC), December 2001, pp. 12-21.
21. K. Julisch, and M. Dacier Mining intrusion detection alarms for actionable knowledge The 8th ACM International Conference on Knowledge Discovery and Data Mining July 2002
22. S. Katti, B. Krishnamurthy, D. Katabi, Collaborating Against Common Enemies, USENIX Association, Internet Measurement Conference 2005, October 2005, pp. 365-378.
23. J. Luo, Integrating fuzzy logic with data mining methods for intrusion detection, MSc Thesis, Mississippi State University, Department of Computer Science, August 1999.
24. F. Maggi, M. Matteucci, and S. Zanero Reducing false positives in anomaly detectors through fuzzy alert aggregation Information Fusion 10 2009 300 311
25. B. Morin, L. Me, H. Debar, and M. Ducasse M2D2: a formal data model for IDS alert correlation Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002) 2002 115 137
26. B. Morin, H. Debar, Correlation of intrusion symptoms: an application of chronicles, in: G. Vigna, E. Jonsson, C. Krgel (Eds.), Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID2003), Lecture Notes in Computer Science, vol. 2820, Springer, September 2003, pp. 94-112.
27. B. Morin, L. Me, H. Debar, M. Ducasse, M4D4: A Logical Framework to Support Alert Correlation in Intrusion Detection, Elsevier Ltd., January 2008.
28. B. Morin, L. M, H. Debar, M. Ducass, A logic-based model to support alert correlation in intrusion detection, Information Fusion 10 (2009) 285-299.
29. P. Ning, S. Jajodia, X.S. Wang, Abstraction-based intrusion detection in distributed environments, CM Transaction on Information and System Security (TISSEC) 4 (4) (2001) 407-452.
30. P. Ning, D. Xu, Adapting query optimization techniques for efficient intrusion alert correlation, Technical report, NCSU, Department of Computer Science, 2002.
31. P. Ning, D.S. Reeves, Y. Cui, An Intrusion Alert Correlator based on Prerequisites of Intrusions, Technical Report TR-2002-01, North Carolina State University, Department of Computer Science, 2002.
32. P. Ning, Y. Cui, D.S. Reeves, Analyzing intensive intrusion alerts via correlation, in: Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), Springer Verlang, Zurich, Switzerland, October 2002, pp. 74-94.
33. P. Ning, Y. Cui, and D.S. Reeves Constructing attack scenarios through correlation of intrusion alerts Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, D.C. November 2002 245 254
34. P. Ning, Y. Cui, D.S. Reeves, D. Xu, Towards Automating Intrusion Alert Analysis, in: 2003 Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, September 2003.
35. P. Ning, and D. Xu Learning attack stratagies from intrusion alerts Proceedings of the 10th ACM Conference on Computer and Communications Security October 2003
36. P. Ning, D. Xu, C.G. Healey, R.S. Amant, Building attack scenarios through integration of complementary alert correlation methods, in: 11th Annual Network and Distributed System Security Symposium, February 2004.
37. P. Ning, Y. Cui, D.S. Reeves, and D. Xu Tools and techniques for analyzing intrusion alerts ACM Transactions on Information and System Security 7 2 2004 273 318
38. P. Ning, and D. Xu Hypothesizing and reasoning about attacks missed by intrusion detection systems ACM Transactions on Information and System Security 7 4 2004 591 627 (Pubitemid 40302700)
39. S. Noel, E. Robertson, and S. Jajodia Correlating intrusion events and building attack scenarios through attack graph distances 20th Annual Computer Security Applications Conference (ACSAC'04) 2004 350 359 (Pubitemid 40931090)
40. T. Ozyer, R. Alhajj, and K. Barker Intrusion detection by integrating boosting genetic fuzzy classifier and data mining criteria for rule pre-screening Journal of Network and Computer Applications 30 2007 99 113 (Pubitemid 44666485)
41. J. Peng, C. Feng, and J.W. Rozenblit A hybrid intrusion detection and visualization system Proceedings of the 13th Annual IEEE International Symposium and Workshop on Engineering of Computer Based Systems 2006 505 506 (Pubitemid 46887350)
42. R. Perdisci, G. Giacinto, and F. Roli Alarm clustering for intrusion detection systems in computer networks Engineering Applications of Artificial Intelligence 19 2006 429 438
43. R.D. Pietro, L.V. Mancini, Intrusion detection systems, in: S. Jajodia (Series editor), Handbook of Advances in Information Security, Springer, 2008, ISBN 978-0-387-77265-3, e-ISBN: 978-0-387-77266-0.
44. P.A. Porras, M.W. Fong, and A. Valdes A mission-impact-based approach to INFOSEC alarm correlation Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002) 2002 95 114
45. R. Pushparaj, and S. Bhuvana Cooperative intrusion detection for detecting novel attacks using realtime data mining approach Proceedings of ICSTC 2008 110 125
46. A. Rasoulifard, A.G. Bafghi, M. Kahani, Incremental Hybrid Intrusion Detection Using Ensemble of Weak Classifiers, Advances in Computer Science and Engineering, 13th International CSI Computer Conference, CSICC 2008 Kish Island, Iran, March 9-11, 2008. Revised Selected Papers Series: H. Sarbazi-Azad, B. Parhami, S.-G. Miremadi, S. Hessabi (Eds.), Communications in Computer and Information Science, vol. 6, Springer, 2009, XXI, 1017 pp., ISBN: 978-3-540-89984-6. http://prof.um.ac.ir/ResearchDocuments/papers/1009661.pdf.
47. R. Sadoddin, and A.A. Ghorbani An incremental frequent structure mining framework for real-time alert correlation Computers Security 28 2009 153 173
48. T. Shon, X. Kovah, and J. Moon Applying genetic algorithm for classifying anomalous TCP/IP packets Neurocomputing 69 2006 2429 2433 (Pubitemid 44375533)
49. S. Song, K. Hwang, R. Zhou, and Y.K. Kwok Trusted P2P transactions with fuzzy reputation aggregation IEEE Internet Computing 2005 18 28
50. G.P. Spathoulas, S.K. Katsikas, Reducing false positives in intrusion detection systems, Computer Security, in press.
51. P.G. Teodoro, J.D. Verdejo, G.M. Fernandez, and E. Vazquez Anomaly-based network intrusion detection: techniques, systems and challenges Computers Security 28 2009 18 28
52. X. Tong, Z. Wang, and H. Yu A research using hybrid RBF/Elman neural networks for intrusion detection system secure model Computer Physics Communications 180 2009 1795 1801
53. A.N. Toosi, and M. Kahani A new approach to intrusion detection based on an evolutionary soft computing model using neuro-fuzzy classifiers Computer Communications 30 2007 2201 2212 (Pubitemid 47094963)
54. C.F. Tsai, C.Y. Lin, A triangle area based nearest neighbors approach to intrusion detection, Pattern Recognition, in press.
55. C.F. Tsai, Y.E. Hsu, C.Y. Lin, W.Y. Lin, Intrusion detection by machine learning: a review, Expert Systems with Applications, in press.
56. A. Valdes, and K. Skinner Probabilistic alert correlation Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001) 2001 54 68 (Pubitemid 33352000)
57. F. Valeur, G. Vigna, C. Kruegel, and R.A. Kemmerer A comprehensive approach to intrusion detection alert correlation IEEE Transactions on Dependable and Secure Computing 1 3 2004
58. S.X. Wu, and W. Banzhaf The use of computational intelligence in intrusion detection systems: a review Applied Soft Computing Journal 10 2010 1 35
59. D. Xu, P. Ning, Alert correlation through triggering events and common resources, in: Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 04), December 2004.
60. D. Xu, and P. Ning Privacy-preserving alert correlation: a concept hierarchy based approach Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 05) December 2005
61. D. Xu, P. Ning, A flexible approach to intrusion alert anonymization and correlation, in: Proceedings of 2nd IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks (SecureComm 2006), August 2006.
62. D. Xu, P. Ning, Correlation analysis of intrusion alerts, in: R. Di Pietro, L.V. Mancini (Eds.), Intrusion Detection Systems, Advances in Information Security, vol. 38, Springer, 2008, pp. 65-92, ISBN 978-0-387-77265-3.
63. J. Yu, Y.V.R. Reddy, S. Selliah, S. Reddy, V. Bharadwaj, and S. Kankanahalli TRINETR: an architecture for collaborative intrusion detection and knowledge-based alert evaluation Advanced Engineering Informatics 19 2005 93 101 (Pubitemid 41203511)
64. Y. Zhai, P. Ning, P. Iyer, and D.S. Reeves Reasoning about complementary intrusion evidence Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 04) December 2004
65. Y.F. Zhang, Z.Y. Xiong, X.Q. Wang, Distributed intrusion detection based on clustering, Proceedings of the Fourth International Conference on Machine Learning and Cybernetics, Guangzhou, August 2005.
66. C.V. Zhou, C. Leckie, and S. Karunasekera Decentralized multidimensional alert correlation for collaborative intrusion detection Journal of Network and Computer Applications 32 2009 1106 1123
67. C.V. Zhou, C. Leckie, S. Karunasekera, A survey of coordinated attacks and collaborative intrusion detection, Computer Security, pp. 1-17, in press.
68. J. Zhou, M. Heckman, B. Reynolds, A. Carlson, and M. Bishop Modeling network intrusion detection alerts for correlation ACM Transactions on Information and System Security 10 1 2007 Article 4
69. B. Zhu, and A.A. Ghorbani Alert correlation for extracting attack strategies International Journal of Network Security 3 3 2006 244 258
70. U. Zurutuza, and R. Uribeetxeberria Intrusion detection alarm correlation: a survey Proceedings of the IADAT International Conference on Telecommunications and Computer Networks (TCN'04) Donostia, Spain December 2004
71. Intrusion detection message exchange message format (IDMEF), http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-14.txt, 2005.