Alert correlation using artificial immune recognition system

International Journal of Bio-Inspired Computation

Volumn 4, Issue 3, 2012, Pages 181-195

  Bateni, Mehdi ^a   Baraani, Ahmad ^a   Ghorbani, Ali ^b  

^a Faculty of Engineering   (Iran)

^b UNIVERSITY OF NEW BRUNSWICK   (Canada)

Author keywords

AIRS; Alert correlation; Artificial immune recognition system; IDS; Intrusion detection system

Indexed keywords

AIR; COMPUTER CRIME; DATA MINING; GRAPH ALGORITHMS; INTRUSION DETECTION; NETWORK SECURITY;

ALERT CORRELATION; ARTIFICIAL IMMUNE RECOGNITION SYSTEM; ARTIFICIAL IMMUNE SYSTEM; COMPUTATIONAL COSTS; INTRUSION DETECTION SYSTEMS; LEVEL OF ABSTRACTION; SIMPLE ALGORITHM; SYSTEM ADMINISTRATORS;

LEARNING ALGORITHMS;

EID: 84862181192     PISSN: 17580366     EISSN: 17580374     Source Type: Journal    
DOI: 10.1504/IJBIC.2012.047240     Document Type: Article

References (35)

1. Cheung, S., Lindqvist, U. and Fong, M. (2003) 'Modeling multistep cyber attacks for scenario recognition', in DARPA Information Survivability Conference and Exposition, Vol. 1, pp.284-292.
2. Cuppens, F. and Miege, A. (2002) 'Alert correlation in a cooperative intrusion detection framework', Security and Privacy, IEEE Symposium on Security and Privacy.
3. Cuppens, F. and Ortalo, R. (2000) 'Lambda: a language to model a database for detection of attacks', in Recent Advances in Intrusion Detection, Lecture Notes in Computer Science, Springer Berlin/Heidelberg, Vol. 1907, pp.197-216.
4. Dain, O. and Cunningham, R. (2001) 'Fusing a heterogeneous alert stream into scenarios', in Proceeding of the 2001 ACM Workshop on Data Mining for Security Applications, pp.1-13.
5. De Castro, L. and Von Zuben, F. (2000) 'The clonal selection algorithm with engineering applications', in GECCO 2000, pp.36-39.
6. Eckmann, ST., Vigna, G. and Kemmerer, RA. (2002) 'Statl: an attack language for state-based intrusion detection', J. Comput. Secur., Vol. 10, Nos. 1-2, pp.71-103. (Pubitemid 34531413)
7. Forrest, S., Perelson, A., Allen, L. and Cherukuri, R. (1994) 'Self-nonself discrimination in a computer' in Research in Security and Privacy, Proceedings, 1994 IEEE Computer Society Symposium, pp.202-212.
8. Ghorbani, A., Lu, W. and Tavallaee, M. (2010) Network Intrusion Detection and Prevention, Springer, New York.
9. Greensmith, J., Aickelin, U. and Cayzer, S. (2005) 'Introducing dendritic cells as a novel immune-inspired algorithm for anomaly detection', in Artificial Immune Systems, Lecture Notes in Computer Science, Springer Berlin/Heidelberg, Vol. 3627, pp.153-167. (Pubitemid 41472720)
10. Hall, M. (1999) 'Correlation-based feature selection for machine learning', PhD thesis, University of Waikato.
11. netForensics Honeynet team (2005) 'Honeynet traffic logs', available at http://old.honeynet.org/scans/scan34 (accessed on 1 April 2012).
12. Janeway, C., Travers, P., Walport, M. and Shlomchik, M. (2008) Immunobiology: The Immune System in Health and Disease, Garland Science Publishing, New York.
13. Julisch, K. (2003) 'Clustering intrusion detection alarms to support root cause analysis', ACM Trans. Inform. Syst. Secur, Vol. 6, pp.443-471.
14. MIT Lincoln Laboratory (2000) 'Darpa2000 intrusion detection scenario specific data sets', available at http://www.ll.mit.edu (accessed on 1 April 2012).
15. Maggia, F., Matteucci, M. and Zanero, S. (2009) 'Reducing false positives in anomaly detectors through fuzzy alert aggregation', Inform. Fusion, Vol. 10, No. 4, pp.300-311.
16. Manganaris, S., Christensen, M., Zerkle, D. and Hermiz, K. (2000) 'A data mining analysis of RTID alarms', Comput Network, Vol. 34, No. 4, pp.571-577.
17. Morin, B., Me, L., Debar, H. and Ducasse, M. (2002) 'M2d2: a formal data model for ids alert correlation' in Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection, Springer-Verlag, Berlin, Heidelberg, RAID '02, pp.115-137.
18. Morin, B., Me, L., Debar, H. and Ducass, M. (2009) 'A logic-based model to support alert correlation in intrusion detection', Inform. Fusion, Special Issue on Information Fusion in Computer Security, Vol. 10, No. 4, pp.285-299.
19. NCSUCD Lab (2004) 'Tiaa: a toolkit for intrusion alert analysis', available at http://discovery.csc.ncsu.edu/software/correlator/ver0.4/index.html (accessed on 1 April 2012).
20. Ning, P., Cui, Y. and Reeves, DS. (2002) 'Constructing attack scenarios through correlation of intrusion alerts' in Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS '02, pp.245-254.
21. Pietraszek, T. (2004) 'Using adaptive alert classification to reduce false positives in intrusion detection', in Recent Advances in Intrusion Detection, Lecture Notes in Computer Science, Springer Berlin/Heidelberg, Vol. 3224, pp.102-124. (Pubitemid 39741890)
22. Porras, PA., Fong, MW. and Valdes, A. (2002) 'A mission-impact-based approach to infosec alarm correlation' in Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection, Springer-Verlag, Berlin, Heidelberg, RAID '02, pp 95-114.
23. Qin, X. (2005) 'A probabilistic-based framework for infosec alert correlation', PhD thesis, Georgia Institute of Technology.
24. Ren, H., Stakhanova, N. and Ghorbani, A. (2010) 'An online adaptive approach to alert correlation', in Detection of Intrusions and Malware, and Vulnerability Assessment, Lecture Notes in Computer Science, Springer Berlin/Heidelberg, Vol. 6201, pp.153-172.
25. Sadoddin, R. and Ghorbani, A. (2009) 'An incremental frequent structure mining framework for real-time alert correlation', Comput. Secur, Vol. 28, Nos. 3-4, pp.153-173.
26. Templeton, SJ. and Levitt, K. (2000) 'A requires/provides model for computer attacks', in Proceedings of the 2000 Workshop on New Security Paradigms, NSPW, pp 31-38.
27. Totel, E. and Vivinis, B. (2004) 'A language driven intrusion detection system for event and alert correlation', in Security and Protection in Information Processing Systems, IFIP International Federation for Information Processing, Springer Boston, Vol. 147, pp.208-224.
28. Twycross, J. (2007) 'Integrated innate and adaptive artificial immune systems applied to process anomaly detection', PhD thesis, University of Nottingham.
29. Valdes, A. and Skinner, K. (2001) 'Probabilistic alert correlation', in Recent Advances in Intrusion Detection, Vol. 2212, pp.54-68. (Pubitemid 33352000)
30. Valeur, F., Vigna, G., Kruegel, C. and Kemmerer, R. (2004) 'A comprehensive approach to intrusion detection alert correlation', IEEE Transactions on Dependable and Secure Computing, Vol. 1, pp.146-169.
31. Viinikka, J., Debar, H., Lehikoinen, A. and Tarvainen, M. (2009) 'Processing intrusion detection alert aggregates with time series modeling', Inform Fusion DOI 10.1016/j.inffus.2009.01.003, Special Issue on Information Fusion in Computer Security, Vol. 10, No. 4, pp.312-324.
32. Wang, L., Ghorbani, A. and Li, Y. (2010) 'Automatic multi-step attack pattern discovering', Int. J. Netw. Secur, Vol. 10, No. 2, pp.142-152.
33. Watkins, A., Timmis, J. and Boggess, L. (2004) 'Artificial immune recognition system (airs): an immune-inspired supervised learning algorithm', Genetic Programming and Evolvable Machines, Vol. 5, No. 3, pp.291-317.
34. Watkins, A. (2001) 'Airs: a resource limited artificial immune classifier', Master's thesis, Mississippi State University.
35. Zhu, B. and Ghorbani, A. (2006) 'Alert correlation for extracting attack strategies', Int. J. Netw. Secur, Vol. 3, No. 3, pp.244-258.