example, changes and even slight divergence from the basic part of the flow can be revealed by it.

Fig.3 Case 2 for ICMP L3retriever Ping flow: (a) Original alarm flow series (dotted line) and SSA-reconstructed series (continuous line) corresponding to normal flow behavior. (b) Residual series defined as the difference between the original and reconstructed series.
IV. CONCLUSIONS

Network threat identification and evaluation aims to extract knowledge of the current security threats and security status from raw security data. In practice, identifying the security incidents that pose a real threat from IDS alarms is difficult, because the volume of alarms is usually overwhelming and many of them are redundant or false. In this paper we focus on processing the aggregated alarm flow in real time. Using SSA, we first explore the intrinsic dimensionality and structure of the time series corresponding to the alarm flow. Then we capture the leading components, which represent the main part of the flow, to perform threat evaluation. The reconstructed signals give the administrator a real-time view of the security threat situation. In addition, the threat evaluation works well in dynamic and non-stationary network environments. With this approach, we do not need to know a parametric model of the time series under consideration, and the method adapts autonomously to shifts in the structure of the alarm flow. We believe that the method could be used on its own, or as a complement to other means of correlation, to monitor alarms. In future work, we plan to focus on automatically detecting changes in the alarm flow and on further improving our threat evaluation approach.
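The SSA pipeline summarized above (embedding the alarm-count series into a trajectory matrix, taking its SVD, keeping the leading components, averaging the anti-diagonals back into a series, and taking the residual as the difference between original and reconstructed series, as in Fig.3) is shown here as an added worked example in Python with numpy. This is illustrative code written for this page, not the authors' implementation. The alarm series is constructed (a periodic baseline with one injected burst), the window length of 24 and the choice of 3 leading components are assumptions, and the final median/MAD flagging step goes one step beyond the page, toward the automatic change detection the authors name as future work.

```python
import numpy as np


def embed(series, window):
    """Step 1, embedding: build the L x K trajectory (Hankel) matrix of the series,
    whose column j is the lagged vector series[j : j + window]."""
    x = np.asarray(series, dtype=float)
    k = len(x) - window + 1
    return np.column_stack([x[j:j + window] for j in range(k)])


def hankelize(matrix):
    """Step 4, diagonal averaging: map an L x K matrix back to a series of length
    L + K - 1 by averaging every anti-diagonal i + j = t."""
    rows, cols = matrix.shape
    out = np.zeros(rows + cols - 1)
    counts = np.zeros(rows + cols - 1)
    for i in range(rows):
        for j in range(cols):
            out[i + j] += matrix[i, j]
            counts[i + j] += 1
    return out / counts


def ssa_reconstruct(series, window, n_components):
    """Steps 2 and 3, SVD and grouping: keep the leading singular triples, which carry
    the main part of the flow, and rebuild the series from them.
    Returns (reconstructed, residual, fraction of trajectory-matrix energy explained)."""
    x = np.asarray(series, dtype=float)
    traj = embed(x, window)
    u, s, vt = np.linalg.svd(traj, full_matrices=False)
    low_rank = (u[:, :n_components] * s[:n_components]) @ vt[:n_components, :]
    reconstructed = hankelize(low_rank)
    explained = float(np.sum(s[:n_components] ** 2) / np.sum(s ** 2))
    return reconstructed, x - reconstructed, explained


def flag_residual_anomalies(residual, z_threshold=5.0, min_scale=1e-9):
    """Assumed follow-up step (not on the page): flag time slots whose residual is far
    from the bulk. Median and MAD are used so the burst itself does not inflate the scale."""
    med = np.median(residual)
    scale = max(1.4826 * np.median(np.abs(residual - med)), min_scale)
    z = (residual - med) / scale
    return [int(i) for i in np.flatnonzero(np.abs(z) > z_threshold)]


def make_alarm_series(n=120, period=12, burst_at=80, burst_size=60.0):
    """Constructed sample input (not data from the paper): alarm counts per time slot
    with a periodic baseline, e.g. scheduled scans, plus one injected burst that stands
    in for a real incident. Returns (baseline, observed)."""
    t = np.arange(n)
    baseline = 20.0 + 8.0 * np.sin(2 * np.pi * t / period)
    burst = np.zeros(n)
    burst[burst_at] = burst_size
    return baseline, baseline + burst


if __name__ == "__main__":
    baseline, observed = make_alarm_series()
    recon, resid, explained = ssa_reconstruct(observed, window=24, n_components=3)
    print(f"leading 3 components explain {explained:.3f} of the trajectory-matrix energy")
    print("slots flagged from the residual series:", flag_residual_anomalies(resid))
```

On the burst-free baseline the three leading components reproduce the series exactly, so the residual is numerically zero; with the burst present, the leading components still track the periodic baseline and the burst appears almost entirely in the residual, which is what makes the residual series the natural place to look for changes in the flow. Window length and component count are the two tuning knobs; the explained-energy fraction returned by ssa_reconstruct is a cheap check that the chosen components really carry the bulk of the flow.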
ACKNOWLEDGMENT

This work is supported by the National Natural Science Foundation of China under Grant No. 60573120, by the National High Technology Research and Development Program of China (863 Program) under Grant No. 2007AA01Z420, and by the key project sponsored by the Natural Science Foundation of Hubei Province under Grant No. 2008CDA021.