In this paper, we focus on the method used by the DIDS to perform alert correlation. This correlation component is, however, part of the generic intrusion detection model shown in Figure 1. The perception phase monitors the computer network and performs low-level intrusion detection through local IDSs, for example a Snort sensor. The correlation component is divided into two phases: the first is the correlation itself, carried out by multiple correlation methods (not just one or a pair), and the second integrates the results obtained by those methods. Finally, the response phase aims to act on the network when an attack occurs, by reconfiguring a firewall, closing ports or applying any other method of active response.
3.1 Performance Measurement
Since we will modify the learning algorithm of the GNG neural network according to the quality of the correlation methods, it is first necessary to establish a quality measure. The weight given to each correlation method in the integration process is based on the evaluation of its performance, which is essential in the field of intrusion detection. This evaluation focuses on measuring the effectiveness of the different systems in terms of their ability to classify or correlate properly. Therefore, we need a metric to evaluate and compare the quality of each correlation method objectively [15]. Of course, the quality measure of each method may vary over time depending on its successes and failures.
Generally, the most frequently used indices are the true positive rate (TP) and the false positive rate (FP). TP and FP rates are often combined using ROC (Receiver Operating Characteristic) curves. In our case, we use a measure defined in [15] called intrusion detection capability (C_ID), because its calculation is based on the previous rates and it is an objective metric that returns a single real value, directly comparable across methods.
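As an added worked example (not code from the paper or from [15]), the following computes C_ID for a correlation method from its TP rate, FP rate and the base rate of intrusions, using the definition given in [15], C_ID = I(X;Y)/H(X), where X is the true state of an event (intrusion or not) and Y is the system's output (alert or not). The normalisation of per-method C_ID values into integration weights is an assumed scheme added for illustration, not the paper's own rule.

```python
import math


def _entropy_bits(probs):
    """Shannon entropy in bits of a discrete distribution (zero terms skipped)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def intrusion_detection_capability(tp_rate, fp_rate, base_rate):
    """C_ID = I(X;Y) / H(X)  (definition from Gu et al., reference [15]).

    tp_rate   = P(Y=1 | X=1): fraction of intrusions that raise an alert
    fp_rate   = P(Y=1 | X=0): fraction of benign events that raise an alert
    base_rate = P(X=1):       prior probability that an event is an intrusion
    Returns a real value in [0, 1]; 1 means the output fully determines X.
    """
    for name, v in (("tp_rate", tp_rate), ("fp_rate", fp_rate), ("base_rate", base_rate)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {v}")
    b = base_rate
    h_x = _entropy_bits([b, 1 - b])
    if h_x == 0:
        raise ValueError("base rate of 0 or 1 leaves nothing to detect")
    # Joint distribution P(X, Y) built from the base rate and the two rates.
    joint = {
        (1, 1): b * tp_rate,            # intrusion, alerted     (true positive)
        (1, 0): b * (1 - tp_rate),      # intrusion, missed      (false negative)
        (0, 1): (1 - b) * fp_rate,      # benign, alerted        (false positive)
        (0, 0): (1 - b) * (1 - fp_rate),  # benign, silent       (true negative)
    }
    p_alert = joint[(1, 1)] + joint[(0, 1)]
    h_y = _entropy_bits([p_alert, 1 - p_alert])
    h_xy = _entropy_bits(joint.values())
    mutual_info = h_x + h_y - h_xy      # I(X;Y) = H(X) + H(Y) - H(X,Y)
    return max(0.0, mutual_info / h_x)  # clamp rounding noise just below zero


def integration_weights(cid_by_method):
    """Assumed weighting scheme: share of the summed C_ID per correlation method.

    cid_by_method maps a method name to its current C_ID; weights sum to 1 and
    fall back to uniform when every method scores 0.
    """
    total = sum(cid_by_method.values())
    if total == 0:
        return {m: 1.0 / len(cid_by_method) for m in cid_by_method}
    return {m: c / total for m, c in cid_by_method.items()}
```

Because C_ID is derived from the rates observed so far, re-evaluating it as new alerts are confirmed or rejected lets the weights track each method's successes and failures over time, as the text requires.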
3.2 Correlation Process
The correlation process has been divided into the two phases identified in the general model of Figure 1: the correlation phase and the integration phase. In the correlation phase, the low-level alerts generated by the local IDSs are related by multiple local correlation methods. We can use any number of different correlation techniques, not just a pair as in traditional approaches. The output of any correlation method is an alert in IDMEF (Intrusion Detection Message Exchange Format) [16], the standard format for exchanging information between detection systems.
The second stage is the integration phase, which receives as input the IDMEF alerts generated by the correlation methods in the previous phase. The integration combines these alerts, and scenarios at the highest abstraction level are obtained. To perform the integration we have used a clustering method, following the same idea as the clustering-based correlation approach but operating at a higher abstraction level.
We have used the GNG neural network as the integration algorithm because of its clustering capabilities and its ability to learn new scenarios without retraining the network on all the previous data. The input features to the network are the fields of the IDMEF alerts; examples of these fields are the source IP address of the attack, the destination IP address,