An Efficient Intrusion Alerts Miner for Forensics Readiness in High Speed Networks


Aymen Akremi (CES Research Unit, National School of Engineers of Sfax, Sfax, Tunisia), Hassen Sallay (Al Imam Mohammad Ibn Saud Islamic University. (IMSIU), Riyadh, Saudi Arabia) and Mohsen Rouached (College of Computers and Information Technology, Taif University, Taif, Saudi Arabia)
Copyright: © 2014 |Pages: 17
DOI: 10.4018/ijisp.2014010104


Intrusion Detection Systems (IDSs) are considered a core tool for collecting forensically relevant evidentiary data from the network in real or near real time. The emergence of High Speed Networks (HSN) and Service Oriented Architecture/Web Services (SOA/WS) has put the IDS in front of a typical big data management problem. The log files that an IDS generates are enormous, which makes the forensics readiness process very tedious and both compute and memory intensive. Furthermore, the high rate of wrong alerts complicates the forensics expert's alert analysis and degrades its performance, efficiency and ability to select the most relevant evidence for attributing attacks to criminals. In this context, we propose Alert Miner (AM), an intrusion alert classifier that efficiently classifies, in near real time, the intrusion alerts in HSN for Web services. AM uses an outlier detection technique based on an adaptively deduced association rule set to classify the alerts automatically and without human assistance. AM reduces false positive alerts without losing high sensitivity (up to 95%) and accuracy (up to 97%). Therefore AM facilitates the alert analysis process and allows investigators to focus their analysis on the most critical alerts on a near-real-time scale and to postpone less critical alerts to an off-line log analysis.
Article Preview


Currently, service oriented applications comprise millions of devices that allow several heterogeneous services to communicate faster and more efficiently. Millions of customers use Web services for their daily needs such as booking, payments, and funds transfers. These transactions grow exponentially and the data volume has increased considerably. This leads to the Big Data notion. Big data, as defined by IBM (IBM, 2011), is characterized by three data properties: volume, variety and velocity. This means that at some point in time, when the volume, variety and velocity of the data have grown enough, current techniques and technologies may no longer be able to handle the storage and processing of the data.

In an SOA, the service providers monitor the exchanged data and, from a security perspective, locate the harmful data that attempts to compromise the confidentiality, integrity or availability of their services, using several security provisions. An Intrusion Detection System provides the opportunity to consolidate and analyze traffic and to detect dangerous data.

The use of data gathered from IDSs for forensics purposes has initiated several discussions (Stephenson, 2000; Sommer, 1998; Yuil, 1999). The challenge is how far an IDS can meet and respect legal requirements in terms of integrity and original data preservation when collecting evidence during ongoing attacks. Although IDSs are not designed to collect and protect the integrity of the type of information required to conduct a law enforcement investigation (Sommer, 1998), Yuil et al. (Yuil, 1999) claimed that IDSs are able to collect enough information during an ongoing attack to profile the attacker. The IDS may help detect attacks at an early stage and therefore gives the opportunity to improve the readiness of the forensics system. It also links attacks to events and gives a deep understanding of the attack type and the targeted component, which facilitates the formulation of hypotheses about the suspect and helps locate in advance the files and logs to be analyzed. The proposed digital forensics framework for SOA should include a smart log manager system allowing the collection, integration, reduction, and manipulation of the logs gathered from different components and security tools such as IDSs. However, IDSs are known for the tremendous number of security alerts they produce, due to the high alert generation throughput and the increased number of services in use, which makes the forensics management of intrusion detection alerts both compute and memory intensive. Obviously, the high rate of wrong alerts reduces the performance and efficiency of IDSs, which limits their capability to prevent attacks and makes the alert analysis tasks very difficult and time consuming.

In this paper, we focus on the design and implementation of an efficient IDS alert classifier that helps investigators analyze the gathered data in real or near real time and improves the live forensics readiness to be used by the log management system. More specifically, we propose Alert Miner, a classifier using a new alert classification algorithm based on a frequent pattern outlier detection data mining approach. The rest of this paper is organized as follows. Section 2 discusses the related work on IDS alert classification. Section 3 presents the IDS alert processing model and the main data mining techniques used in the approach. The proposed algorithm is detailed in Section 4. Section 5 shows the results of our implementation and our performance study. Finally, Section 6 concludes the paper and outlines future directions.
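As an added illustration of the frequent-pattern outlier idea named above (this is not code from the paper; the authors' actual algorithm and their adaptive rule-set scheme are not shown on this page), the following Python computes the Frequent Pattern Outlier Factor (FPOF) of He et al. (2005) over a handful of constructed IDS alerts. FPOF scores a record by the summed support of the frequent itemsets it contains, normalised by the number of frequent itemsets, so a record that matches many frequent patterns scores high and an unusual record scores near zero. The attribute names, sample alert values, `min_support`, `max_len` and the `outlier_threshold` are assumptions made for the example; mapping low-FPOF alerts to "outlier" (review first) and high-FPOF alerts to "frequent" (candidates for the off-line queue) follows the abstract's description of postponing less critical alerts, but is this editor's reading rather than the paper's stated rule.

```python
"""Frequent Pattern Outlier Factor (FPOF) over constructed IDS alerts.

Added illustration, not the paper's own code.  Each alert is turned into a
set of "attribute=value" items, frequent itemsets are mined with a brute-force
Apriori-style enumeration (fine for the small attribute sets IDS alerts have),
and every alert gets an FPOF score in [0, 1]:

    FPOF(t) = sum(support(X) for X in FPS if X is a subset of t) / |FPS|
"""
from collections import Counter
from itertools import combinations

# Constructed sample alerts (assumed attribute names: sig, proto, dport, svc).
# Six look like a routine scan against the web front end; two are unusual.
SAMPLE_ALERTS = [
    {"sig": "portscan", "proto": "tcp", "dport": "80", "svc": "web"},
    {"sig": "portscan", "proto": "tcp", "dport": "80", "svc": "web"},
    {"sig": "portscan", "proto": "tcp", "dport": "80", "svc": "web"},
    {"sig": "portscan", "proto": "tcp", "dport": "80", "svc": "web"},
    {"sig": "portscan", "proto": "tcp", "dport": "443", "svc": "web"},
    {"sig": "portscan", "proto": "tcp", "dport": "443", "svc": "web"},
    {"sig": "sqli", "proto": "tcp", "dport": "8080", "svc": "payment"},
    {"sig": "xxe", "proto": "tcp", "dport": "80", "svc": "booking"},
]


def alert_items(alert):
    """Encode an alert dict as a frozenset of 'key=value' items (one transaction)."""
    return frozenset(f"{k}={v}" for k, v in alert.items())


def mine_frequent_itemsets(transactions, min_support, max_len=3):
    """Return {itemset: support} for every itemset of size <= max_len whose
    support (fraction of transactions containing it) is >= min_support."""
    n = len(transactions)
    if n == 0:
        return {}
    counts = Counter()
    for t in transactions:
        items = sorted(t)
        for k in range(1, min(max_len, len(items)) + 1):
            for combo in combinations(items, k):
                counts[frozenset(combo)] += 1
    return {s: c / n for s, c in counts.items() if c / n >= min_support}


def fpof(transaction, frequent):
    """FPOF of one transaction: summed support of the frequent itemsets it
    contains, divided by the number of frequent itemsets.  Low means unusual."""
    if not frequent:
        return 0.0
    total = sum(sup for itemset, sup in frequent.items() if itemset <= transaction)
    return total / len(frequent)


def classify_alerts(alerts, min_support=0.5, outlier_threshold=0.2, max_len=3):
    """Mine frequent patterns from the alert batch itself, then label each alert
    'outlier' (FPOF below threshold, review first) or 'frequent' (defer).
    Re-running this on a sliding window of recent alerts is one way to make the
    rule set adapt over time (assumption, not the paper's mechanism)."""
    transactions = [alert_items(a) for a in alerts]
    frequent = mine_frequent_itemsets(transactions, min_support, max_len)
    results = []
    for alert, t in zip(alerts, transactions):
        score = fpof(t, frequent)
        label = "outlier" if score < outlier_threshold else "frequent"
        results.append({"alert": alert, "score": round(score, 4), "label": label})
    return results


if __name__ == "__main__":
    for r in sorted(classify_alerts(SAMPLE_ALERTS), key=lambda r: r["score"]):
        print(f"{r['score']:.4f}  {r['label']:8s}  {r['alert']}")
```

On the constructed batch the two unusual alerts (the `sqli` and `xxe` signatures against services the scan never touched) score well below 0.2 while the six scan alerts score between about 0.39 and 0.66, so the batch splits cleanly into a small near-real-time queue and a larger deferred one. The threshold and the support level are the knobs a deployment would have to tune against labelled alerts, which is exactly the sensitivity/accuracy trade-off the abstract reports.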
