Table 1. C_ID value of the evaluated methods

Method          C_ID value
Modified GNG    0.8787
GNG             0.8158
AlertSTAT       0.6311
EMERALD         0.2818
Pre-Cons        0.2100
Moreover, the false positive rate shows that AlertSTAT, GNG and modified GNG
have no errors (there are three overlapping bottom lines). The PreCons approach has a
low false positive rate, while EMERALD and the integration of pairs of methods have
an excessive number of false positives.
When ROC curves intersect or overlap it is difficult to determine the best method.
In order to compare the results obtained by different methods through a single real value, we
have used a measure of quality named C_ID [15], which is defined as follows:

\[ C_{ID} = \frac{I(X;Y)}{H(X)} \]

That is, the ratio between the mutual information of input and output (I(X;Y)) and the input
entropy (H(X)). Mutual information measures the reduction of uncertainty about the
IDS input obtained by knowing the IDS output; this measure is normalized by the entropy
(the original uncertainty) of the input. Table 1 shows the value of C_ID obtained by
each of the tested approaches. The modified GNG neural network gets the best value.
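The following Python block is an added example, not code from the paper or from reference [15], showing how C_ID is computed from an IDS contingency table. It implements the formula above literally: I(X;Y) and H(X) are estimated from counts, where X is the true class of each event and Y is the class the IDS reports. It generalizes slightly beyond the text, since the same code works for a multi-class table (several attack categories) as well as the binary alert/no-alert case. All confusion matrices in it are constructed for illustration and are not the paper's measurements; the method names in the sample dictionary are hypothetical.

```python
import math
from typing import Dict, List, Sequence, Tuple

# A contingency table: rows are the true class of each event presented to the
# IDS (the input X), columns are the class the IDS reported (the output Y).
# Entries are counts. For the binary case the layout used here is
#   [[TN, FP],   # true normal: no alert / alert
#    [FN, TP]]   # true attack: no alert / alert
Table = Sequence[Sequence[int]]


def _entropy_bits(probs: Sequence[float]) -> float:
    """Shannon entropy in bits; zero-probability terms contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)


def _marginals(table: Table) -> Tuple[int, List[float], List[float]]:
    """Total count and the marginal distributions P(X) (rows) and P(Y) (columns)."""
    total = sum(sum(row) for row in table)
    if total == 0:
        raise ValueError("empty contingency table")
    px = [sum(row) / total for row in table]
    py = [sum(col) / total for col in zip(*table)]
    return total, px, py


def mutual_information(table: Table) -> float:
    """I(X;Y) = sum over x,y of P(x,y) * log2( P(x,y) / (P(x) P(y)) ), in bits."""
    total, px, py = _marginals(table)
    mi = 0.0
    for i, row in enumerate(table):
        for j, count in enumerate(row):
            if count == 0:
                continue  # the 0 * log(0) term is taken as 0
            pxy = count / total
            mi += pxy * math.log2(pxy / (px[i] * py[j]))
    return mi


def input_entropy(table: Table) -> float:
    """H(X): the uncertainty of the IDS input before any output is known."""
    _, px, _ = _marginals(table)
    return _entropy_bits(px)


def c_id(table: Table) -> float:
    """C_ID = I(X;Y) / H(X): the fraction of input uncertainty removed by the IDS output.

    1.0 means the output determines the true class exactly; 0.0 means the
    output is independent of the input and carries no information about attacks.
    """
    hx = input_entropy(table)
    if hx == 0.0:
        raise ValueError("input has a single class, so H(X) = 0 and C_ID is undefined")
    return mutual_information(table) / hx


def c_id_binary(tp: int, fn: int, fp: int, tn: int) -> float:
    """Convenience wrapper for the usual alert / no-alert confusion matrix."""
    return c_id([[tn, fp], [fn, tp]])


def rank_methods(tables: Dict[str, Table]) -> List[Tuple[str, float]]:
    """Order methods by C_ID, best first, the way Table 1 is read."""
    scored = [(name, c_id(t)) for name, t in tables.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Constructed confusion matrices for three hypothetical correlators
    # (not the paper's real measurements), each over 100 labelled events.
    sample = {
        "perfect":   [[50, 0], [0, 50]],     # every attack alerted, no false positives
        "misses":    [[50, 0], [10, 40]],    # no false positives, one attack in five missed
        "coin_flip": [[25, 25], [25, 25]],   # alerts independent of the true class
    }
    for name, value in rank_methods(sample):
        print(f"{name:10s} C_ID = {value:.4f}")
```

Because C_ID is a single scalar built from the whole joint distribution, it penalizes missed attacks and false alerts alike: the second sample has no false positives yet scores about 0.61 rather than 1.0, which is the kind of difference a ROC curve alone would leave unresolved when curves overlap.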
5 Conclusion
This work presents a method for the correlation of intrusion detection alerts based on
the use of multiple correlation methods and the integration of their results. To this end,
the ANN GNG has been used. The learning algorithm of the GNG network has been
modified so that the best correlation methods have a greater weight in the final result.
The results show that the integration of multiple methods improves the performance
obtained by each of the correlation methods alone. Moreover, the integration
using the modified GNG algorithm has improved the performance of the classic version.
Although the two versions obtain rates over 90%, in the case of the modified
GNG they are close to 100%.
We are currently working on improving the proposed method so that it becomes
proactive, that is, so that the system detects early stages of the attack scenarios
with some probability. Moreover, we are evaluating new versions of self-organizing
neural networks that open new ways to improve the performance. Finally,
due to the lack of real scenarios in the DARPA data set, we are working to validate the
approach in randomly generated real scenarios.
References
1. Ren, H., Stakhanova, N., Ghorbani, A.: An Online Adaptive Approach to Alert Correlation. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 153-172. Springer, Heidelberg (2010)