
An Intelligent Intrusion Detection Technique Based On Alarm Association Analysis

Posted on: 2011-01-20
Degree: Master
Type: Thesis
Country: China
Candidate: Y Yin
GTID: 2178360302991848
Subject: Communication and Information System
Abstract/Summary:
Intrusion detection is a newer generation of security technology than traditional controls such as firewalls and data encryption. It is an important component of the P2DR (Policy, Protection, Detection, Response) security model and plays a vital role in protecting systems. In the P2DR model, however, the relationship between the intrusion detection system (IDS) and security information/event management (SIEM) is one-way, isolated and static, which leaves the IDS with a series of defects: detection lag, a high miss rate (missed attacks), a high false alarm rate, and an unmanageable volume of logs.

To overcome these shortcomings, this thesis presents an intelligent intrusion detection technique based on association analysis of alarm messages. Its foundation is a state-based IDS framework in which the design, representation and implementation of each detection method are expressed as a finite state machine, called an attack scenario. Detection is treated as the transition between the security states of an attack scenario: when a system's security status moves from the "Safe" state to the "Alarm" state, the IDS issues an alarm message. The system gathers and stores these alarm messages and mines the relationships between them with an association analysis engine. The attack scenarios are then changed dynamically according to the analysis results, so as to improve the detection methods, lower the miss rate and the false alarm rate, reduce the number of alarms, and raise the quality of the alarm information.

The main contributions of this thesis are as follows:
1. Research and build a state-based intrusion detection system (IDS).
2. Format the alarm messages according to a fixed standard, then gather and store the alarms raised by the IDS.
3. Carry out association analysis on the stored alarm messages to mine the inner relationships between them.
4. Design and implement the system so that the intrusion detection method can be changed dynamically with the analysis results by modifying the attack scenarios.
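The four steps above form one feedback loop: scenario FSMs raise alarms, the alarms are mined, and the mining result rewrites the FSMs. The following is an added example of that loop written for this page; it is not the thesis's code, and the event log, the three starting scenarios, the alarm field set, the per-source transaction window and the support/confidence thresholds are all constructed assumptions. The association step is Apriori-style rule mining over ordered alarm pairs, and the scenario rewrite chains the FSMs that the rules connect into a single multi-step scenario.

```python
"""Added example (not the thesis's code): a state-based IDS whose attack
scenarios are finite state machines, plus an association-analysis pass over
the alarms it raises that rewrites those scenarios.  All events, scenarios,
alarm fields and thresholds below are constructed assumptions."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed event log as (timestamp_s, source_host, event_type). Hosts A-C
# chain scan -> failed logins -> shell; D is a lone scanner; E mistypes a password.
EVENTS = [
    (0, "A", "scan"), (10, "A", "login_fail"), (12, "A", "login_fail"), (20, "A", "shell_spawn"),
    (100, "B", "scan"), (105, "B", "login_fail"), (107, "B", "login_fail"), (110, "B", "shell_spawn"),
    (200, "C", "scan"), (203, "C", "login_fail"), (206, "C", "login_fail"), (215, "C", "shell_spawn"),
    (300, "D", "scan"),
    (400, "E", "login_fail"), (402, "E", "login_fail"),
]

# Each attack scenario is an FSM {(state, event): next_state}. Reaching
# "Alarm" raises an alarm and returns that source to "Safe".
SCENARIOS = {
    "scan": {("Safe", "scan"): "Alarm"},
    "brute": {("Safe", "login_fail"): "Trying", ("Trying", "login_fail"): "Alarm"},
    "shell": {("Safe", "shell_spawn"): "Alarm"},
}


def detect(events, scenarios):
    """Run every scenario FSM per source host; return alarms in one fixed format."""
    state = defaultdict(lambda: "Safe")          # (scenario, src) -> current state
    alarms = []
    for ts, src, event in events:
        for name, transitions in scenarios.items():
            nxt = transitions.get((state[(name, src)], event))
            if nxt is None:
                continue                         # event irrelevant in this state
            if nxt == "Alarm":
                alarms.append({"ts": ts, "src": src, "scenario": name})
                nxt = "Safe"
            state[(name, src)] = nxt
    return alarms


def mine_rules(alarms, min_support=3, min_conf=0.7, window=300):
    """Apriori-style rules X -> Y over alarm 'transactions': the alarms of one
    source within `window` seconds, where X was raised before Y."""
    by_src = defaultdict(list)
    for a in sorted(alarms, key=lambda a: a["ts"]):
        by_src[a["src"]].append(a)
    transactions = []
    for seq in by_src.values():
        tx = [seq[0]]
        for a in seq[1:]:
            if a["ts"] - tx[0]["ts"] > window:
                transactions.append(tx)
                tx = []
            tx.append(a)
        transactions.append(tx)
    single, pair = Counter(), Counter()
    for tx in transactions:
        names = list(dict.fromkeys(a["scenario"] for a in tx))   # order-preserving dedup
        single.update(names)
        pair.update(combinations(names, 2))                        # (earlier, later)
    return {(x, y): sup / single[x] for (x, y), sup in pair.items()
            if sup >= min_support and sup / single[x] >= min_conf}


def chain_scenarios(scenarios, parts):
    """Compose component FSMs into one multi-step scenario: the Alarm state of
    each part becomes the entry state of the next; only the last part alarms."""
    transitions, entry = {}, "Safe"
    for i, part in enumerate(parts):
        exit_state = "Alarm" if i == len(parts) - 1 else part + "_done"
        rename = lambda s: {"Safe": entry, "Alarm": exit_state}.get(s, part + ":" + s)
        for (s, ev), nxt in scenarios[part].items():
            transitions[(rename(s), ev)] = rename(nxt)
        entry = exit_state
    return transitions


def refine(scenarios, rules):
    """Rewrite the scenario set from the mined rules: order the alarm types the
    rules connect (assumed to form a chain) and replace them by one composite."""
    names = {n for rule in rules for n in rule}
    chain = sorted(names, key=lambda n: sum(1 for _, y in rules if y == n))
    if len(chain) < 2:
        return dict(scenarios)
    updated = {n: t for n, t in scenarios.items() if n not in chain}
    updated["->".join(chain)] = chain_scenarios(scenarios, chain)
    return updated


def run(events=EVENTS, scenarios=SCENARIOS):
    """One pass of the loop: detect, mine, rewrite scenarios, detect again."""
    before = detect(events, scenarios)
    rules = mine_rules(before)
    after = detect(events, refine(scenarios, rules))
    return before, rules, after


if __name__ == "__main__":
    before, rules, after = run()
    print(len(before), "alarms before;", len(after), "after; rules:", rules)
```

On the constructed log the first pass raises eleven alarms, the miner finds that scan, brute and shell alarms from one host follow each other with 0.75 confidence, and the rewritten scenario set raises three alarms, one per host that completed the whole chain. The lone scanner D and the mistyping user E raise nothing, which is the false alarm reduction the thesis aims at; the caveat is that a host that scans and then stops is now never reported, so in practice the subsumed component scenarios would be kept at a lower severity rather than dropped, and the thresholds would be tuned against a much larger alarm history than five hosts.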
Keywords/Search Tags: Intrusion detection, FSM, Data mining, Association analysis