4 Experiment and Discussion
The algorithm is implemented on a modularized correlation platform which is designed based on in-memory techniques and multi-core hardware [6]. To test the correlation algorithm, we created a data set of IDMEF alerts by running a Snort [23] sensor in our university network. The sensor gathered 43485 alerts in 6 days of runtime. Meanwhile, we had a Snort sensor running in several vulnerable subnets of our university network which include several vulnerable hosts. The AG for these subnets is constructed accordingly. We performed a multi-step attack covering multiple hosts in the existing subnets. This provides us with a set of alerts that we consider as the attack trace in the following work. By injecting this attack trace into the clean data set of the whole university network, we can simulate alert sets without running the real attacks over the production network of our university. The attack is done by compromising 5 hosts in the vulnerable network spread over 4 subnets. We conducted multiple experiments using this data set and the attack trace.
For this set of experiments, we injected one attack trace into the clean data set to test whether it can be found in a real set of alerts. Furthermore, we analyzed selected parameters of the algorithm and their influence on the actual result, such as the match mode, the aggregation threshold, the dependency build mode, and the search algorithm for alert subsets. We fixed the parameters for defining dependencies between alerts and for searching for suspicious subsets of alerts. A dependency between two alerts is defined by $E_{a,1}$ using $\Psi_1$, i.e., alerts that are mapped to adjacent nodes and fulfil the timing constraint are dependent. The dependency graph $DG = (D_a, E_{a,1})$ is used to find all shortest paths by running the Floyd-Warshall algorithm and thereby to determine the diameter. As shown in Table 1, the match modes that use the CVE [10] as a criterion work precisely and can identify attacks that follow the AG. With the alert set from our experiment, this match mode filters about 99.98% of the alerts. The match modes that ignore the CVE and are based only on the source and destination address are less accurate in terms of the vulnerability used; in our experiments they still showed a filtering rate of 95.58%. The advantage of these match modes is that an attacker can use different vulnerabilities to compromise a host covered in the AG and still be recognized by the correlation. In the CVE-based matching, only one suspicious alert set is found, namely the one that is supposed to be found. The matching without CVE identifies many more suspicious alert sets. By looking at these alert sets, we recognized that most of them consist of similar alerts and that the high number of alert sets is due to two hosts which seem to be frequently used and for which the Snort sensor produces more false positives. To improve it, we can
Table 1. Experiment results - match modes with fixed aggregation threshold of 2 s

Match mode   Matched alerts   % filtered   Suspicious alert sets
cvesrcdst    5                99.99        1
cvedst       5                99.99        1
cve          8                99.98        1
srcdst       1836             95.78        1010
dst          1923             95.58        1010
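As an added illustration (this is not the paper's correlation platform or its code), the following Python sketch runs the pieces described above on a constructed alert set: the five match modes of Table 1 as sets of alert attributes compared against the labels of attack-graph nodes, the dependency relation between alerts mapped to adjacent AG nodes within a time window (an assumed form of the timing constraint $\Psi_1$), Floyd-Warshall over the resulting dependency graph to obtain its diameter, and the alert paths of diameter length taken as the suspicious alert sets. The attack graph, IP addresses, CVE placeholders and timestamps are all constructed, and treating a longest shortest path as a suspicious set is an assumption about the paper's search step.

```python
"""Toy alert/attack-graph correlation (added example; not the paper's platform)."""
from itertools import product

# Constructed attack graph: node -> attributes an alert must match; edges give the
# attacker's progression between hosts. CVE-EXAMPLE-* are placeholders, not real IDs.
AG_NODES = {
    "n1": {"src": "10.0.0.5",  "dst": "10.1.0.10", "cve": "CVE-EXAMPLE-1"},
    "n2": {"src": "10.1.0.10", "dst": "10.1.0.11", "cve": "CVE-EXAMPLE-2"},
    "n3": {"src": "10.1.0.11", "dst": "10.2.0.20", "cve": "CVE-EXAMPLE-3"},
}
AG_EDGES = {("n1", "n2"), ("n2", "n3")}

# Constructed alert set: a1..a3 are the injected attack trace, the rest is noise
# (a5 is a non-CVE alert on a frequently used host, the false-positive case in the text).
ALERTS = [
    {"id": "a1", "src": "10.0.0.5",     "dst": "10.1.0.10",   "cve": "CVE-EXAMPLE-1", "t": 100},
    {"id": "a2", "src": "10.1.0.10",    "dst": "10.1.0.11",   "cve": "CVE-EXAMPLE-2", "t": 101},
    {"id": "a3", "src": "10.1.0.11",    "dst": "10.2.0.20",   "cve": "CVE-EXAMPLE-3", "t": 102},
    {"id": "a4", "src": "192.0.2.9",    "dst": "10.1.0.10",   "cve": None,            "t": 50},
    {"id": "a5", "src": "10.1.0.10",    "dst": "10.1.0.11",   "cve": None,            "t": 101},
    {"id": "a6", "src": "192.0.2.9",    "dst": "10.9.9.9",    "cve": "CVE-EXAMPLE-1", "t": 103},
    {"id": "a7", "src": "198.51.100.7", "dst": "203.0.113.4", "cve": None,            "t": 200},
]

# Match modes named as in Table 1: which alert attributes must equal the node's.
MATCH_MODES = {
    "cvesrcdst": ("cve", "src", "dst"),
    "cvedst":    ("cve", "dst"),
    "cve":       ("cve",),
    "srcdst":    ("src", "dst"),
    "dst":       ("dst",),
}


def match_alerts(alerts, mode):
    """Map each alert to the AG nodes it matches under `mode`; unmatched alerts are filtered out."""
    fields = MATCH_MODES[mode]
    mapping = {}
    for a in alerts:
        nodes = [n for n, attr in AG_NODES.items() if all(a[f] == attr[f] for f in fields)]
        if nodes:
            mapping[a["id"]] = nodes
    return mapping


def build_dependency_graph(alerts, mapping, window):
    """Edge a->b when a and b map to adjacent AG nodes and 0 <= t_b - t_a <= window.
    This is an assumed form of the timing constraint, not the paper's exact rule."""
    t = {a["id"]: a["t"] for a in alerts}
    edges = set()
    for a, b in product(mapping, repeat=2):
        if a == b or not 0 <= t[b] - t[a] <= window:
            continue
        if any((u, v) in AG_EDGES for u in mapping[a] for v in mapping[b]):
            edges.add((a, b))
    return edges


def floyd_warshall(nodes, edges):
    """All-pairs shortest path lengths (unit edge weights) over the dependency graph."""
    inf = float("inf")
    dist = {(u, v): 0 if u == v else inf for u in nodes for v in nodes}
    for u, v in edges:
        dist[(u, v)] = 1
    for k in nodes:
        for i in nodes:
            for j in nodes:
                if dist[(i, k)] + dist[(k, j)] < dist[(i, j)]:
                    dist[(i, j)] = dist[(i, k)] + dist[(k, j)]
    return dist


def paths_of_length(edges, length):
    """All simple paths with exactly `length` edges; reported as the suspicious alert sets."""
    succ = {}
    for u, v in edges:
        succ.setdefault(u, []).append(v)
    found = []

    def walk(path):
        if len(path) - 1 == length:
            found.append(tuple(path))
            return
        for v in succ.get(path[-1], []):
            if v not in path:
                walk(path + [v])

    for start in {u for u, _ in edges}:
        walk([start])
    return sorted(found)


def correlate(alerts, mode, window=2):
    """Run one match mode and report the Table 1 quantities for this toy data."""
    mapping = match_alerts(alerts, mode)
    edges = build_dependency_graph(alerts, mapping, window)
    dist = floyd_warshall(list(mapping), edges)
    diameter = max((d for d in dist.values() if d != float("inf")), default=0)
    return {
        "matched": len(mapping),
        "filtered_pct": round(100 * (1 - len(mapping) / len(alerts)), 2),
        "suspicious_sets": paths_of_length(edges, diameter) if diameter else [],
    }
```

On this toy data the CVE-based modes map only the trace alerts (plus the stray CVE alert a6 in `cve` mode, which has no dependent successor) and yield the single set a1, a2, a3, whereas `srcdst` and `dst` also map the non-CVE alert a5 on the reused host and therefore report a second, largely overlapping set a1, a5, a3, which is the effect the text describes for the two frequently used hosts.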