False Alarm Reduction Using Adaptive Agent-Based Profiling

False Alarm Reduction Using Adaptive Agent-Based Profiling

Salima Hacini (Lire Laboratory, TLSI Department, Constantine2 University, Constantine, Algeria), Zahia Guessoum (LIP6, Pierre et Marie Curie University, Paris, France) and Mohamed Cheikh (Lire Laboratory, TLSI Department, Constantine2 University, Constantine, Algeria)
Copyright: © 2013 |Pages: 22
DOI: 10.4018/ijisp.2013100105


In this paper the authors propose a new efficient anomaly-based intrusion detection mechanism based on multi-agent systems. New networks are particularly vulnerable to intrusion, they are often attacked with intelligent and skilful hacking techniques. The intrusion detection techniques have to deal with two problems: intrusion detection and false alarms. The issue of false alarms has an important impact on the success of the anomaly-based intrusion detection technologies. The purpose of this paper is to improve their accuracy by detecting real attacks and by reducing the number of unnecessary generated alerts. The authors' intrusion detection mechanism relies on a set of agents to ensure the detection and the adaptation of normal profile to support the legitimate dynamic changes that occur and are the cause of high rate of false alarms.
Article Preview


Intrusion Detection Systems (IDSs) were introduced by Anderson (1980). Denning (1987) designed then an intrusion detection model which marked a real impetus of the field. IDSs are essential complements to the preventive security mechanisms provided for computing systems and networks. They are used in the monitoring control process for the detection of potential intrusions and infections (Zanero, 2004).

The IDS research community has developed two categories of solutions: misuse detection and anomaly detection (Axelsson, 2000). The misuse detection defines, in a specific way, the user actions which constitute an abuse. Rules are therefore deduced for the detection of known intrusions. These rules are thus effective at detecting known intrusion attempts. However, they fail to recognize novel attacks (Wang, 2004). Anomaly detection (sometimes referred to as behaviour based) overcomes this limitation of misuse detection by focusing on normal behaviour, rather than attacks. For example, a heuristic analysis enables the generation of an alarm when the number of sessions bound for a given port exceeds a threshold in a preset time interval. This technique can be applied to both human users and software applications or services.

In spite of the noticeable development based on the anomaly techniques, the problem of the high rate of false alarms remains an open issue (Pokrywka, 2008; Khosravifar & Bentahar, 2008; Ohta et al., 2008; Jyothsna et al., 2011; Shruti et al., 2012). False alarms are indeed the main cause of alarm overload. Many recent researches report that false alarms still represent a consequent subset of alarms (Nadiammai et al., 2011; Singh & Gupta, 2012) and several works have shown that the inspection of thousands of alarms per day is infeasible, especially if 99% of them are false positives (Perdisci et al., 2006). In fact, false alarms and identification of new attacks are among the biggest challenges to the effective use of IDSs. Thus, the success of anomaly-based detection systems relies on the development of detection approaches that improve the detection of attacks without misclassifying legitimate behaviour.

The implementation of anomaly-based detection systems requires the setting up of two phases: the training phase which allows the build of a normal profile and the detection phase which enables the detection of all the activities that are out of the so-built normal profile. However, it is not possible to observe, during the training phase, all potential legitimate behaviours and the IDSs have to deal with both dynamic changes and evolution of legitimate behaviour to adapt their diagnosis. So, based on the fact that Anomaly intrusion detection is used to find unknown attacks by using the concept of profiling normal behaviors and that significant false alarm may be caused because it is difficult to obtain a complete set of normal behaviors (Jyothsna, Rama Prasad & Munivara Prasad, 2011), the normal profile must be adaptive.To do so, this paper introduces a new Agent-based Adaptive Intrusion Detection mechanism (named AIDA). The latter relies on adaptation of the normal profile during the detection stage to minimize the number of false alarms and thus, enhances the accuracy of anomaly Intrusion Detection.

Moreover, to reduce the complexity of the current attacks, the proposed approach distributes their detection on a set of entities which cooperate to effectively detect the attacks and to adapt the normal profile when new legitimate activities appear. These entities are designed and implemented by agents; agents are the most suitable solution to the resolution of the problem of network intrusion detection (Boudaoud, 2000; Kannadiga & Zulkernine, 2005; Khosravifar & Bentahar, 2008; Zubair, 2012).

The proposed mechanism is used to study the network traffic and the malformed packets detection.

Complete Article List

Search this Journal:
Open Access Articles
Volume 13: 4 Issues (2019): 1 Released, 3 Forthcoming
Volume 12: 4 Issues (2018)
Volume 11: 4 Issues (2017)
Volume 10: 4 Issues (2016)
Volume 9: 4 Issues (2015)
Volume 8: 4 Issues (2014)
Volume 7: 4 Issues (2013)
Volume 6: 4 Issues (2012)
Volume 5: 4 Issues (2011)
Volume 4: 4 Issues (2010)
Volume 3: 4 Issues (2009)
Volume 2: 4 Issues (2008)
Volume 1: 4 Issues (2007)
View Complete Journal Contents Listing