
Research And Improvement Of The Toolkit Of Correlating And Analyzing Alerts

Posted on: 2009-10-20
Degree: Master
Type: Thesis
Country: China
Candidate: D Li
Full Text: PDF
GTID: 2178360242981122
Subject: Computer application technology
Abstract/Summary:
Intrusion detection has been studied for about twenty years. Intrusion Detection Systems (IDSs) are usually considered the second line of defense against malicious activities, alongside prevention-based security mechanisms such as authentication and access control. However, traditional IDSs have two major weaknesses. First, they usually focus on low-level attacks or anomalies and raise alerts independently, even though there may be logical connections between them. Second, traditional IDSs report many false alerts, which are mixed in with the true ones. We propose a technique that correlates alerts by using the prerequisites and consequences of attacks in order to address these problems. The prerequisite/consequence method has three advantages: 1) it provides higher-level scenarios of correlated alerts and reveals the structure of the attack; 2) it can reduce the false alert rate, because attention is focused on alerts that are correlated with others; 3) while an attack is in progress, it can anticipate the attacker's next steps so that the IDS can help prevent them. We propose a framework for correlating alerts that contains four parts: prerequisites and consequences of attacks, hyper-alert types and hyper-alerts, the hyper-alert correlation graph, and utilities for interactively analyzing alerts. Predicates are the basic constructs used to represent prerequisites and consequences of attacks. For example, a scanning attack may discover UDP services vulnerable to a certain buffer overflow attack. We can use the predicate UDPVulnerableToBOF(VictimIP, VictimPort) to represent the attacker's discovery. Similarly, if an attack requires a UDP service vulnerable to the buffer overflow attack, we can use the same predicate to represent the prerequisite.

A hyper-alert type T is a triple (fact, prerequisite, consequence), where (1) fact is a set of attribute names, each with an associated domain of values, (2) prerequisite is a logical combination of predicates whose free variables are all in fact, and (3) consequence is a set of predicates such that all the free variables in consequence are in fact. The hyper-alert correlation graph is not only an intuitive representation of the attack scenarios constructed through alert correlation, but also reveals opportunities to improve intrusion detection. First, the hyper-alert correlation graph can potentially reveal the intrusion strategies behind the attacks and lead to a better understanding of the attacker's intention. Second, assuming some attackers exhibit patterns in their strategies, we can use the hyper-alert correlation graph to profile previous attacks and identify ongoing attacks by matching them against the profiles. A partial match to a profile may indicate attacks possibly missed by the IDSs, and lead to human investigation and improvement of the IDSs. Utilities help analysts obtain as much information as possible and make the best judgment. These utilities are integrated into one system (which we present in the next section), which provides human analysts with a platform to examine correlated intrusion alerts interactively and progressively. TIAA is an off-line toolkit for analyzing IDS alerts. TIAA contains three subsystems: the Alert Collection Subsystem, the Alert Correlation Subsystem, and the Interactive Alert Analysis Subsystem. TIAA is implemented in Java, with JDBC to access the database. To save development effort, TIAA uses the GraphViz package as the visualization engine to generate the graphical representation of the analysis results. TIAA relies on a knowledge base for prior knowledge about the different types of alerts as well as the implication relationships between predicates.

Because human analysts need to write and possibly revise the knowledge base, it is represented in an XML format. TIAA uses the Apache Xerces2 Java Parser [Xer] to facilitate manipulation of the knowledge base. Data mining is widely used in many areas, and in IDS research it is also a very important subject. We improve the closed frequent pattern method to mine the alert data generated by the IDS, which can reduce the IDS's false alerts. This paper analyzes the reasons for the high rate of false alerts and presents the framework of alert collection together with other related knowledge. It introduces the alert collection utilities in particular, and explains how to install and use TIAA. It also presents a data mining method, called the closed frequent pattern method, to improve the functionality of TIAA.
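The "prepares for" relation that produces the edges of the hyper-alert correlation graph, as an added Python example rather than TIAA's own Java code: the hyper-alert types, the implication relationship, the alert stream and its integer timestamps are all constructed for this example, and each alert's fact is folded into its attribute dictionary.

```python
from dataclasses import dataclass
from itertools import product

# Constructed hyper-alert types for this example (not TIAA's real knowledge base).
# A type is (prerequisite, consequence); a predicate is (name, fact attribute names).
TYPES = {
    "UDPScan": ([], [("UDPVulnerableToBOF", ("VictimIP", "VictimPort"))]),
    "UDPBufferOverflow": ([("UDPVulnerableToBOF", ("VictimIP", "VictimPort"))],
                          [("SystemCompromised", ("VictimIP",))]),
    "InstallBackdoor": ([("SystemCompromised", ("VictimIP",))],
                        [("BackdoorInstalled", ("VictimIP",))]),
}
# Implication relationships between predicates (constructed): name -> implied names.
IMPLIES = {"BackdoorInstalled": ["SystemCompromised"]}

@dataclass
class HyperAlert:
    id: str
    type: str
    attrs: dict   # the fact: attribute name -> value
    begin: int    # integer timestamps for the example
    end: int

def instantiate(alert, predicates, expand=False):
    """Bind each predicate's free variables to the alert's attribute values."""
    inst = {(name, tuple(alert.attrs[v] for v in args)) for name, args in predicates}
    if expand:  # follow implication relationships from the knowledge base
        inst |= {(q, args) for name, args in list(inst) for q in IMPLIES.get(name, [])}
    return inst

def correlate(alerts):
    """Edges (a.id, b.id) of the hyper-alert correlation graph: a prepares for b when an
    instantiated consequence of a matches a prerequisite of b and a ends before b begins."""
    edges = []
    for a, b in product(alerts, repeat=2):
        if a is b or a.end >= b.begin:
            continue
        cons = instantiate(a, TYPES[a.type][1], expand=True)
        if cons & instantiate(b, TYPES[b.type][0]):
            edges.append((a.id, b.id))
    return edges

# Constructed alert stream: scan, overflow and backdoor on 10.0.0.5, plus an unrelated scan.
SAMPLE_ALERTS = [
    HyperAlert("a1", "UDPScan", {"VictimIP": "10.0.0.5", "VictimPort": 53}, 1, 2),
    HyperAlert("a2", "UDPScan", {"VictimIP": "10.0.0.9", "VictimPort": 53}, 3, 4),
    HyperAlert("a3", "UDPBufferOverflow", {"VictimIP": "10.0.0.5", "VictimPort": 53}, 5, 6),
    HyperAlert("a4", "InstallBackdoor", {"VictimIP": "10.0.0.5"}, 7, 8),
]
```

Running `correlate(SAMPLE_ALERTS)` links a1 to a3 and a3 to a4 while leaving the scan of 10.0.0.9 isolated, which is the kind of uncorrelated alert the text proposes to deprioritize.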
Keywords/Search Tags: Improvement