
Publications

Featured research published by Neminath Hubballi.


Computer Communications | 2014

Review: False alarm minimization techniques in signature-based intrusion detection systems: A survey

Neminath Hubballi; Vinoth Suryanarayanan

A network based Intrusion Detection System (IDS) gathers and analyzes network packets and reports possible low-level security violations to a system administrator. In a large network setup, these low-level and partial reports become unmanageable for the administrator, resulting in some unattended events. Further, it is known that state-of-the-art IDSs generate many false alarms. There are techniques proposed in the IDS literature to minimize false alarms, many of which are widely used in practice in commercial Security Information and Event Management (SIEM) tools. In this paper, we review existing false alarm minimization techniques in signature-based Network Intrusion Detection Systems (NIDS). We give a taxonomy of false alarm minimization techniques in signature-based IDS and present the pros and cons of each class. We also study a few of the prominent commercial SIEM tools which have implemented these techniques, along with their performance. Finally, we conclude with some directions for future research.


Security and Communication Networks | 2011

Network specific false alarm reduction in intrusion detection system

Neminath Hubballi; Santosh Biswas; Sukumar Nandi

Intrusion Detection Systems (IDSs) are used to find security violations in computer networks. Usually IDSs produce a vast number of alarms, which include a large percentage of false alarms. One of the main reasons for such false alarm generation is that, in most cases, IDSs are run with a default set of signatures. In this paper, a scheme for network specific false alarm reduction in IDS is proposed. A threat profile of the network is created and IDS generated alarms are correlated using a neural network. Experiments conducted in a test bed have successfully filtered out most of the false alarms for a range of attacks while maintaining the detection rate.


Isa Transactions | 2011

LAN attack detection using Discrete Event Systems

Neminath Hubballi; Santosh Biswas; S. Roopa; Ritesh Ratti; Sukumar Nandi

Address Resolution Protocol (ARP) is used for determining the link layer or Medium Access Control (MAC) address of a network host, given its Internet Layer (IP) or Network Layer address. ARP is a stateless protocol and any IP-MAC pairing sent by a host is accepted without verification. This weakness in ARP may be exploited by malicious hosts in a Local Area Network (LAN) by spoofing IP-MAC pairs. Several schemes have been proposed in the literature to circumvent these attacks; however, these techniques either make IP-MAC pairing static, modify the existing ARP, patch the operating systems of all the hosts, etc. In this paper we propose a Discrete Event System (DES) approach for an Intrusion Detection System (IDS) for LAN specific attacks which does not require any extra constraint like static IP-MAC, changing ARP, etc. A DES model is built for the LAN under both a normal and a compromised (i.e., spoofed request/response) situation based on the sequences of ARP related packets. Sequences of ARP events in normal and spoofed scenarios are similar, thereby rendering the same DES models for both cases. To create different ARP events under normal and spoofed conditions, the proposed technique uses active ARP probing. However, this probing adds extra ARP traffic to the LAN. Following that, a DES detector is built to determine from observed ARP related events whether the LAN is operating under a normal or compromised situation. The scheme also minimizes extra ARP traffic by probing the source IP-MAC pair of only those ARP packets which are yet to be determined as genuine/spoofed by the detector. Also, spoofed IP-MAC pairs determined by the detector are stored in tables to detect other LAN attacks triggered by spoofing, namely man-in-the-middle (MiTM), denial of service, etc. The scheme is successfully validated in a test bed.


2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) | 2011

A host based DES approach for detecting ARP spoofing

Ferdous A. Barbhuiya; Santosh Biswas; Neminath Hubballi; Sukumar Nandi

Address Resolution Protocol (ARP) based attacks are caused by compromised hosts in the LAN and mainly involve spoofing with falsified IP-MAC pairs. Since ARP is a stateless protocol, such attacks are possible. Neither are there signatures available for these attacks, nor can any significant statistical behavior change be observed. So existing signature or anomaly intrusion detection systems are unable to detect these types of attacks. Several schemes have been proposed in the literature to circumvent these attacks; however, these techniques either make IP-MAC pairing static, modify the existing ARP, violate the network layering architecture, etc. In this paper a host based Discrete Event System (DES) approach is proposed for detecting ARP spoofing attacks. This approach does not require any extra constraint like static IP-MAC, changing ARP, or violation of the network layering architecture.


Availability, Reliability and Security | 2010

Layered Higher Order N-grams for Hardening Payload Based Anomaly Intrusion Detection

Neminath Hubballi; Santosh Biswas; Sukumar Nandi

Application based intrusion detection involves analysis of network packet payload data. Recently, statistical methods for analyzing the payload are being used. Since the behavior of every application is not the same, a different model is necessary for each application. Studies have revealed that higher order n-grams are good for capturing the network profile. In this paper we introduce the concept of a layered version of n-grams for payload based anomaly network intrusion detection. Each layer works as an independent anomaly detection system. A packet is declared normal after passing through all the layers. A packet is declared anomalous if at any layer it is declared anomalous, and we stop further processing of the packet. We create a set of bins and equally distribute the distinct n-grams to each bin. Each such n-gram is a 2-tuple where the first element is the byte values of the n-gram and the second is the frequency of the gram in the entire training data. We assign an anomaly score to each bin based on the frequency of the individual grams in the bin, termed the coverage of the bin. We evaluate the proposed scheme on normal traffic of the DARPA 99 dataset mixed with a set of attacks. Experimental results show the efficacy of the method with a false alarm rate as low as 0.001%.


RSCTC'10 Proceedings of the 7th international conference on Rough sets and current trends in computing | 2010

Distance based fast hierarchical clustering method for large datasets

Bidyut Kr. Patra; Neminath Hubballi; Santosh Biswas; Sukumar Nandi

Average-link (AL) is a distance based hierarchical clustering method which is not sensitive to noisy patterns. However, like all hierarchical clustering methods, AL also needs to scan the dataset many times. AL has time and space complexity of O(n^2), where n is the size of the dataset. These prohibit the use of AL for large datasets. In this paper, we have proposed a distance based hierarchical clustering method termed l-AL which speeds up the classical AL method in any metric (vector or non-vector) space. In this scheme, the leaders clustering method is first applied to the dataset to derive a set of leaders, and subsequently AL clustering is applied to the leaders. To speed up the leaders clustering method, a reduction in distance computations is also proposed in this paper. Experimental results confirm that the l-AL method is considerably faster than the classical AL method while keeping clustering results on par with the classical AL method.


Communication Systems and Networks | 2011

Sequencegram: n-gram modeling of system calls for program based anomaly detection

Neminath Hubballi; Santosh Biswas; Sukumar Nandi

Our contribution in this paper is two fold. First, we provide preliminary investigation results establishing that program based anomaly detection is effective if short system call sequences are modeled along with their occurrence frequency. Second, as a consequence of this, the built normal program model can tolerate some level of contamination in the training dataset. We describe an experimental system, Sequencegram, designed to validate the contributions. Sequencegram models short sequences of system calls in the form of n-grams and stores them in a tree (for space efficiency) called an n-gram-tree. A score known as the anomaly score is associated with every short sequence (based on its occurrence frequency), which represents the probability of the short sequence being anomalous. As it is generally assumed that there is a skewed distribution of normal and abnormal sequences, more frequently occurring sequences are given a lower anomaly score and vice versa. Individual n-gram anomaly scores contribute to the anomaly score of a program trace.


Security and Communication Networks | 2013

Towards reducing false alarms in network intrusion detection systems with data summarization technique

Neminath Hubballi; Santosh Biswas; Sukumar Nandi

Anomaly based intrusion detection systems (IDSs) create a benign behavior profile of the network, and any deviation from this profile is considered an attack. Many of the algorithms proposed in the literature for anomaly IDS fall into the cluster analysis category. As networks become faster in operation, the amount of data that needs to be analyzed becomes huge. Many clustering techniques require more than one pass over the dataset; thus, when used as anomaly IDSs, these algorithms become computationally expensive and cannot work for such high-speed networks. To handle voluminous data, anomaly IDS schemes have been proposed that use data summarization techniques. Data summarization techniques found in the literature suffer from false alarms due to improper clustering when used as anomaly IDS. In this paper, an anomaly IDS is proposed that is capable of handling large datasets while minimizing false alarms.


International Conference on Computer Science and Information Technology | 2011

An Active Host-Based Detection Mechanism for ARP-Related Attacks

Ferdous A. Barbhuiya; S. Roopa; Ritesh Ratti; Neminath Hubballi; Santosh Biswas; Arijit Sur; Sukumar Nandi

Most LAN-based attacks involve spoofing of the victim host with falsified IP-MAC pairs. MAC spoofing is possible because of the stateless nature of the Address Resolution Protocol (ARP), which is responsible for resolving IP addresses to MAC addresses. Several mechanisms have been proposed to detect and mitigate ARP spoofing attempts both at the network level and at the host level, but each of them has its own drawbacks. In this paper we propose a host-based Intrusion Detection System for LAN attacks which works without any extra constraint like static IP-MAC, modifying ARP, etc. The scheme is successfully validated in a test bed with various attack scenarios, and the results show the effectiveness of the proposed technique.


AST/UCMA/ISA/ACN'10 Proceedings of the 2010 international conference on Advances in computer science and information technology | 2010

An active intrusion detection system for LAN specific attacks

Neminath Hubballi; S. Roopa; Ritesh Ratti; Ferdous A. Barbhuiya; Santosh Biswas; Arijit Sur; Sukumar Nandi

Local Area Network (LAN) based attacks are due to compromised hosts in the network and mainly involve spoofing with falsified IP-MAC pairs. Since the Address Resolution Protocol (ARP) is a stateless protocol, such attacks are possible. Several schemes have been proposed in the literature to circumvent these attacks; however, these techniques either make IP-MAC pairing static, modify the existing ARP, patch the operating systems of all the hosts, etc. In this paper we propose an Intrusion Detection System (IDS) for LAN specific attacks without any extra constraint like static IP-MAC, changing ARP, etc. The proposed IDS is an active detection mechanism where every IP-MAC pair is validated by a probing technique. The scheme is successfully validated in a test bed, and the results also illustrate that the proposed technique adds minimally to the network traffic.

Collaboration

Top Co-Authors of Neminath Hubballi:

- Sukumar Nandi, Indian Institute of Technology Guwahati
- Santosh Biswas, Indian Institute of Technology Guwahati
- Nikhil Tripathi, Indian Institute of Technology Indore
- Mayank Swarnkar, Indian Institute of Technology Indore
- Maitreya Natu, Tata Research Development and Design Centre
- Ritesh Ratti, Indian Institute of Technology Guwahati
- S. Roopa, Indian Institute of Technology Guwahati
- Anuja Tayal, Indian Institute of Technology Indore
- Arijit Sur, Indian Institute of Technology Guwahati
- Deepanshu Goyal, Indian Institute of Technology Guwahati