ISBN 978-952-5726-09-1 (Print)<br />
Proceedings of the Second International Symposium on Networking and Network Security (ISNNS ’10)<br />
Jinggangshan, P. R. China, 2-4 April 2010, pp. 093-096<br />
An Alarm Flow Decomposition Method for<br />
Security Threat Evaluation<br />
Jie Ma, and Zhitang Li<br />
Computer Science Department,<br />
Huazhong University of Science and Technology, Wuhan, Hubei, China<br />
mjhust@163.com<br />
Abstract—Analyzing security alarms automatically and extracting useful information from them has attracted a lot of interest. Although many alarm correlation approaches and risk assessment methods have been proposed, most of them have high computational complexity and are time consuming, so they cannot cope well with a huge number of security alarms. This work focuses on real-time security threat evaluation. We aggregate individual alarms into alarm flows and then process the flows instead of the individual alarms. Using Singular Spectrum Analysis (SSA), we find that an alarm flow has a small intrinsic dimension and can be decomposed into leading components and residual components: the leading components represent the basic part of the flow and the residual components represent its noise part. By capturing the main features of the leading components that form the alarm flow, we accomplish the security threat evaluation. Case-based experiments on real network data show the effectiveness of the method. To the best of our knowledge, this is the first study that applies SSA to the analysis of IDS alarm flows.<br />
Index Terms—alarm flow, threat evaluation, SSA<br />
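The alarm-flow aggregation and SSA decomposition that the abstract describes, as an added worked example (illustration written for this page, not the authors' code): alarms are counted per (sensor, signature) pair in fixed sampling intervals to form a flow, the flow is embedded in a trajectory matrix, orthogonalised power iteration on the lag-covariance matrix yields the leading components, and diagonal averaging turns them back into a series whose remainder is the residual part. The sensor name ids-1, the signature numbers 2001 and 2002, the 60 s sampling interval, the window length of 24 and the alarm records themselves are constructed assumptions; the paper's own parameters and its threat-evaluation step are not reproduced here. Pure Python, no third-party packages.<br />

```python
"""Added example: IDS alarms -> alarm flows -> SSA leading/residual split.
Illustration written for this page, not the paper's code; sensor/signature ids,
sampling interval, window length and alarm records are constructed. Pure Python."""
import math
from collections import defaultdict

def build_alarm_flows(alarms, t0, interval, n_intervals):
    """One count-per-interval series (alarm intensity) per (sensor, signature).
    alarms: iterable of (timestamp_seconds, sensor_id, signature_id)."""
    flows = defaultdict(lambda: [0] * n_intervals)
    for ts, sensor, sig in alarms:
        idx = (ts - t0) // interval
        if 0 <= idx < n_intervals:  # ignore alarms outside the observation window
            flows[(sensor, sig)][idx] += 1
    return dict(flows)

def _lag_covariance(series, window):
    """C = X X^T for the L x K trajectory (Hankel) matrix X[i][j] = series[i+j]."""
    L, K = window, len(series) - window + 1
    return [[sum(series[i + j] * series[k + j] for j in range(K))
             for k in range(L)] for i in range(L)]

def _leading_eigenpairs(C, count, iters=300):
    """Largest eigenpairs of symmetric PSD C, one at a time, by power iteration
    kept orthogonal to the eigenvectors already found."""
    L = len(C)
    vals, vecs = [], []
    for r in range(count):
        v = [math.sin(1.0 + r + i) for i in range(L)]  # deterministic start vector
        for _ in range(iters):
            w = [sum(C[i][k] * v[k] for k in range(L)) for i in range(L)]
            for u in vecs:
                dot = sum(a * b for a, b in zip(w, u))
                w = [a - dot * b for a, b in zip(w, u)]
            norm = math.sqrt(sum(a * a for a in w)) or 1.0
            v = [a / norm for a in w]
        cv = [sum(C[i][k] * v[k] for k in range(L)) for i in range(L)]
        vals.append(sum(a * b for a, b in zip(v, cv)))  # Rayleigh quotient
        vecs.append(v)
    return vals, vecs

def ssa_decompose(series, window, n_leading):
    """Basic SSA: embed, decompose, group the first n_leading components and
    reconstruct them by diagonal averaging. Returns (leading, residual,
    fractions); fractions[i] = share of total energy in the first i+1 components."""
    n, L = len(series), window
    K = n - L + 1
    C = _lag_covariance(series, L)
    total = sum(C[i][i] for i in range(L))  # trace = sum of all eigenvalues
    vals, vecs = _leading_eigenpairs(C, n_leading)
    leading = [0.0] * n
    for u in vecs:
        proj = [sum(u[k] * series[j + k] for k in range(L)) for j in range(K)]  # u^T X
        acc, cnt = [0.0] * n, [0] * n
        for k in range(L):  # rank-1 term u (u^T X), averaged along anti-diagonals
            for j in range(K):
                acc[k + j] += u[k] * proj[j]
                cnt[k + j] += 1
        for t in range(n):
            leading[t] += acc[t] / cnt[t]
    residual = [s - l for s, l in zip(series, leading)]
    fractions, run = [], 0.0
    for lam in vals:
        run += lam
        fractions.append(run / total)
    return leading, residual, fractions

def intrinsic_dimension(fractions, threshold=0.95):
    """Leading components needed to reach the energy threshold, else None."""
    for i, f in enumerate(fractions):
        if f >= threshold:
            return i + 1
    return None

def constructed_alarms(n_intervals=120, interval=60, t0=0):
    """Constructed sample: on sensor ids-1, signature 2001 fires with a
    12-interval cycle plus a small period-3 disturbance; 2002 fires rarely."""
    alarms = []
    for t in range(n_intervals):
        count = 10 + round(5 * math.sin(2 * math.pi * t / 12)) + (2 * t) % 3 - 1
        alarms.extend((t0 + t * interval + i, "ids-1", 2001) for i in range(count))
        if t % 17 == 0:
            alarms.append((t0 + t * interval + 5, "ids-1", 2002))
    return alarms

def analyse_flow(sensor="ids-1", signature=2001, window=24, n_leading=3):
    """Build flows from the constructed alarms and decompose one of them."""
    flows = build_alarm_flows(constructed_alarms(), 0, 60, 120)
    series = flows[(sensor, signature)]
    return series, ssa_decompose(series, window, n_leading)

if __name__ == "__main__":
    series, (leading, residual, fractions) = analyse_flow()
    print("energy share of leading components:", [round(f, 4) for f in fractions])
    print("intrinsic dimension at 95%:", intrinsic_dimension(fractions))
    print("max |residual|:", round(max(abs(r) for r in residual), 3))
```

On the constructed flow the first component (the mean level) carries roughly 90% of the energy and the first three together more than 95%, which is what a small intrinsic dimension looks like in practice; the period-3 disturbance and the rounding harmonics end up in the residual. With real IDS data the window length and the number of grouped components have to be chosen per flow, and the energy fractions are the quantity to inspect when making that choice.<br />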
I. INTRODUCTION<br />
The Internet has become a mission-critical infrastructure for governments, companies, institutions, and millions of everyday users. Because of this significantly increased reliance on Internet-based services, the security and survivability of networks has become a primary concern. An Intrusion Detection System (IDS) plays a vital role in the overall security infrastructure as the last line of defense against attacks, after secure network architecture design, secure program design and firewalls [1]. It gathers information from key points in the computer network, analyzes it and detects violations of the monitored system's security policy, so as to extend the security management capability of the system administrators and improve the integrity of the information security infrastructure.<br />
However, IDSs are becoming unable to provide proper analysis and an effective defense mechanism. They often report a massive number of elementary alarms about low-level security-related events. Overwhelmed by these alarms, administrators are almost unable to make proper security threat evaluations in real time. For this reason, several alarm correlation approaches have been proposed. Ning et al. developed an intrusion alarm correlator [2][3] to help human analysts recognize multi-step attacks. Lee et al. [4][5] built a framework based on data mining techniques, such as sequential pattern mining and episode rules, to search for causal relationships between alarms and improve attack detection while maintaining a low false positive rate. Cuppens [6][7] built alert correlation systems based on matching the pre- and post-conditions of individual alarms; the idea is that earlier attack steps prepare for later ones. Julisch proposed finding alarm clusters and generalized forms of false alarms to identify root causes [8][9], so that alarms attributable to a known root cause can be filtered out. Although these correlation approaches improve alarm handling efficiency from a micro perspective, they do not scale well to massive numbers of security alarms or to large-scale network environments.<br />
Recently, some online security threat evaluation and risk assessment methods have been developed. Some approaches employ a graph-based representation of systems [10][11], using an integrated, topological approach to network vulnerability analysis. However, these approaches usually follow a static procedure and cannot keep up with changes in a dynamic network environment. Gehani [12] put forward a host-based method for real-time risk assessment; the model evaluates the threat probability from intrusion reports and uses predetermined attack scenarios to calculate the risk. Arnes [13] uses a Hidden Markov Model to compute the probability of the security state of the system from the observations reported by intrusion detection sensors. These approaches share several limitations. Because of their high computational complexity and time cost, they still cannot cope well with a huge number of security alarms. In addition, the models they use have to be retrained to adapt to new knowledge. Hence, they seem inefficient at reducing the human workload.<br />
The focus of our work is to perform security threat evaluation in real time. Since IDSs can perform online attack detection and dynamically report the security incidents the network is suffering, we chose IDS alarms as our processing objects and use them to make threat evaluations. Unlike the approaches mentioned above, we use aggregated alarm flows instead of individual alarms. We model an alarm flow as a time series: a sequence of alarm intensity observations, i.e. the number of alarms in each sampling interval. Only alarms generated by the same IDS and with the same signature can be<br />
© 2010 ACADEMY PUBLISHER<br />
AP-PROC-CS-10CN006<br />
93