Article Preview
TopIntroduction
Currently, service oriented applications comprises millions of devices allowing several heterogeneous services to communicate faster and more efficiently. Millions of customers are using Web services for their daily needs such as booking, payments, and funds transfers. These transactions grow exponentially and the data volume considerably increased. This leads to the Big Data notion. Big data as defined by (IBM, 2011) uses three data characteristics: volume, variety and velocity. It means that some point in time, when the volume, variety and velocity of the data are increased, the current techniques and technologies may not be able to handle storage and processing of the data.
In an SOA, the service providers monitor the exchanged data and locate, from security perspectives, the harmful data that attempts to compromise the confidentiality, integrity or availability of their services using several security provisions. An Intrusion Detection System provides the opportunity to consolidate and analyze traffic and detects dangerous data.
The use of data gathered from IDS for forensics purposes has initiated several discussions (Stephenson, 2000; Sommer, 1998; Yuil, 1999). The challenge is how much the IDS can meet and respect legal requirements in terms of integrity and original data preservation when collecting evidences during ongoing attacks. Although IDSs are not designed to collect and protect the integrity of the type of information required to conduct law enforcement investigation(Sommer, 1998), Yuil et al (Yuil, 1999) claimed that IDSs are able to collect enough information during an ongoing attack to profile the attacker. The IDS may help detecting attacks in an early stage and therefore giving the opportunity to improve the readiness of the forensics system. Also, it links attacks to events and gives a deep understanding of the attack type and targeted component which facilitates the suggestion of hypothesis about the suspect and help locate in advance the files and logs to be analyzed. The proposed digital forensics framework for SOA should include a smart log manager system allowing the collection, integration, reduction, and manipulation of the gathered logs from different components and security tools such as IDSs. However, IDSs are known by their tremendous amount of the security alerts due to the high speed alert generation throughput and the increased number of used services which make the forensics management of intrusion detection alerts both compute and memory intensive. Obviously, the high level rate of wrong alerts reduces the performance and efficiency of IDSs which minimizes their capabilities to prevent attacks and make the alert analysis tasks very difficult and time consuming.
In this paper, we focus on the design and implementation of an efficient IDS alert classifier that helps investigators to analyze the gathered data in real or near real time and improve the live forensics readiness to be used by the log management system. More specifically, we propose Alert Miner; a classifier using a new alert classification algorithm based on a frequent pattern outlier detection data mining approach. The rest of this paper is organized as follows. Section 2 discusses the related work about IDS alert classification. Section 3 exposes the IDS alert processing model and the main data mining techniques used in the approach. The proposed algorithm is detailed in Section 4. Section 5 shows the results of our implementation and our performance study. Finally, Section 6 concludes the paper and outlines future directions.