
The Study On False Alarm Filtration And Attack Scenario Recognition Of Intrusion Detection System

Posted on: 2011-06-07
Degree: Master
Type: Thesis
Country: China
Candidate: C M Wang
Full Text: PDF
GTID: 2178360305954729
Subject: Network and information security
Abstract/Summary:
As network technology develops and the Internet becomes intertwined with the economy and politics, attacks on networks and hosts keep increasing. An attack scenario is a sequence of single-step attacks in which the attacker exploits vulnerabilities of a target host or network to gain ever more control over the victim and finally reach the goal. Most existing Intrusion Detection Systems can only raise alarms on single-step attacks, and those alarms contain a massive number of false alarms, which makes it exceptionally difficult for a human to find the real attack scenario. This thesis identifies the real attack scenario by filtering false alarms, analyzing the Snort alarm sequence, and presenting the attack scenario as an attack graph.

False alarm filtration and attack scenario recognition in an Intrusion Detection System can be treated as a sequence labeling problem, a form of classification. Classification finds the class corresponding to a given observation value and can be solved with statistical models; finding the label sequence corresponding to an observation sequence is called sequence labeling. False alarm filtration becomes sequence labeling when the alarm sequence is labeled as a sequence of false and true alarms, and attack scenario recognition becomes sequence labeling when the filtered alarm sequence is labeled as a sequence of attack steps. This thesis uses two kinds of statistical models, Hidden Markov Models and Conditional Random Fields, to identify the attack scenario from the Snort alarm sequence and shows the attack scenario outline and detail as graphs.

The thesis first introduces the definition, categorization and evaluation parameters of Intrusion Detection Systems, as well as the message exchange format between different Intrusion Detection Systems. It then defines the attack scenario and discusses the significance and difficulty of attack scenario recognition.

After this, the analogy between sequence labeling and intrusion detection is discussed. The two statistical models, Hidden Markov Models and Conditional Random Fields, are introduced in detail, together with the main differences between them. Based on this theory, the statistical-model-based methods for false alarm filtration and attack scenario recognition are described. The false alarm filtration technique based on statistical models was put forward to address the false alarm problem; both Hidden Markov Models and Conditional Random Fields are applied to false alarm filtration and described in detail. The attack scenario recognition and visualization methods are described, as well as the architecture of attack scenario recognition.

False alarm filtration takes the Snort alarm sequence as input and labels each alarm as either false or true. Since Hidden Markov Models and Conditional Random Fields are mainly used for sequence labeling problems, the false alarm filtration problem can be solved by these two models. In the filtration method based on Hidden Markov Models, the alarm name ID of the Snort alarm is used as the alarm feature, and the model training procedure is described in detail. In the filtration method based on Conditional Random Fields, feature templates are introduced and the effect of each template on model performance is discussed. For feature selection, the similarity between the IP addresses of two consecutive attacks, together with the alarm name ID, is used to increase filtration performance.

Attack scenario recognition identifies the current attack scenario and labels the attack steps by analyzing the filtered alarm sequence. This is a process of likelihood evaluation and sequence labeling, so it can be solved with Hidden Markov Models. The difference in training between this model and the Hidden Markov Model used for false alarm filtration is that here the attack steps are the hidden states and a model has to be trained for each attack scenario. The forward algorithm is used to recognize attack scenarios: the probability that a Hidden Markov Model produces the observed alarm sequence is taken as the probability that its attack scenario is happening at the current time. Once the attack scenario is determined, the corresponding model is used to label the attack steps.

The attack scenario visualization module presents the attack scenario as an attack graph, which consists of two kinds of graphs: the attack scenario outline graph and the attack scenario detail graph. The outline graph shows the sequential relations between attack steps, while the detail graph shows the alarms between hosts for each attack step, with nodes representing hosts and lines representing alarms. Because the number of alarms is exceptionally large, drawing all of them would make the graph hard for a human to understand, so only the key alarms are selected when drawing.

Many experiments were carried out on the DARPA2000 data set. The attack scenario data were used to generate Snort alarm sequences in which alarms are labeled as true or false, and with their attack steps, according to the DARPA2000 true alarm list. Similar attack scenarios were constructed based on DARPA2000 to make up for the lack of training data for the statistical models, and these data were used in the false alarm filtration and attack scenario recognition experiments. Three new performance indexes were put forward, based on the well-known Intrusion Detection System performance indexes FP, TP and FN, and were used in the comparison experiment between Hidden Markov Models and Conditional Random Fields on the false alarm filtration problem.

Further experiments were made to find the right feature selection and feature window length for the CRFs. The results show that Conditional Random Fields using IP address and alarm signature as features, and analyzing three consecutive alarms while labeling, perform best: the false alarm filtration rate reaches 98.76%. The alarm sequence with false alarms filtered out was used in the attack scenario recognition and visualization experiment. The result shows that the probability of the attack scenario increases smoothly and approaches 1 as the attack is launched, while the visualization module shows the main steps of the attack scenario and the approximate alarm step. An experiment on the contribution of false alarm filtration to attack scenario recognition showed that filtration increases the accuracy of attack step labeling by 4.6%.

The main contributions are as follows:
1. Attack scenarios were constructed based on DARPA2000 to provide training data for the probabilistic models.
2. Probabilistic models are used in the false alarm filtration module to improve attack scenario recognition, and three new false alarm filtration performance indexes were put forward.
3. IP similarity and alarm signature are used as features to improve false alarm filtration performance.
4. A contrast experiment comparing the performance of Hidden Markov Models and Conditional Random Fields on false alarm filtration was carried out.
5. The contribution of false alarm filtration to attack scenario recognition was tested.
6. Attack scenario visualization was implemented.
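As an added illustration (not code from the thesis), the recognition step described above: constructed scenario HMMs whose hidden states are attack steps and whose observations are Snort signature names, the scaled forward algorithm scoring a filtered alarm sequence against each scenario model, the normalised score as the scenario probability after each alarm, and Viterbi labeling of the attack steps under the recognised model. The model probabilities, signature names and alarm sequence are all constructed assumptions, not values from the thesis.

```python
import math

FLOOR = 1e-3  # emission probability for a signature the step was never trained on
# Constructed scenario HMMs with illustrative probabilities (assumptions, not the thesis' trained values):
# hidden states are attack steps, observations are snort alarm signature names, missing transitions are 0.
MODELS = {
    "ddos": {"start": {"probe": 0.85, "exploit": 0.05, "install": 0.05, "launch": 0.05},
             "trans": {"probe": {"probe": 0.7, "exploit": 0.3}, "exploit": {"exploit": 0.6, "install": 0.4},
                       "install": {"install": 0.6, "launch": 0.4}, "launch": {"launch": 1.0}},
             "emit": {"probe": {"ICMP_SWEEP": 0.7, "PORTSCAN": 0.25}, "exploit": {"RPC_OVERFLOW": 0.8, "PORTSCAN": 0.1},
                      "install": {"RSH_CONNECT": 0.7, "TELNET_LOGIN": 0.2}, "launch": {"DDOS_FLOOD": 0.9}}},
    "web_deface": {"start": {"probe": 0.9, "web_exploit": 0.05, "upload": 0.05},
                   "trans": {"probe": {"probe": 0.7, "web_exploit": 0.3},
                             "web_exploit": {"web_exploit": 0.6, "upload": 0.4}, "upload": {"upload": 1.0}},
                   "emit": {"probe": {"PORTSCAN": 0.7, "ICMP_SWEEP": 0.25}, "web_exploit": {"HTTP_ATTACK": 0.9},
                            "upload": {"FTP_PUT": 0.9}}},
}

def log_forward(m, obs):
    """Scaled forward algorithm: log P(alarm sequence | scenario model), the recognition score."""
    S, logp, alpha = list(m["start"]), 0.0, None
    for sig in obs:
        prior = m["start"] if alpha is None else {s: sum(alpha[r] * m["trans"][r].get(s, 0) for r in S) for s in S}
        alpha = {s: prior[s] * m["emit"][s].get(sig, FLOOR) for s in S}
        logp += math.log(scale := sum(alpha.values()))  # accumulate the per-step scaling factors
        alpha = {s: a / scale for s, a in alpha.items()}
    return logp
def scenario_posterior(models, obs):
    """Posterior over scenario models after each alarm (uniform prior): the probability of each scenario at time t."""
    out = []
    for t in range(1, len(obs) + 1):
        lp = {n: log_forward(m, obs[:t]) for n, m in models.items()}
        mx = max(lp.values())
        z = sum(math.exp(v - mx) for v in lp.values())
        out.append({n: math.exp(v - mx) / z for n, v in lp.items()})
    return out
def viterbi(m, obs):
    """Label each alarm with its most likely attack step under the recognised scenario's model."""
    S, lg = list(m["start"]), (lambda p: math.log(p) if p > 0 else -math.inf)
    delta, back = {s: lg(m["start"][s]) + lg(m["emit"][s].get(obs[0], FLOOR)) for s in S}, []
    for sig in obs[1:]:
        ptr = {s: max(S, key=lambda r: delta[r] + lg(m["trans"][r].get(s, 0))) for s in S}
        delta = {s: delta[ptr[s]] + lg(m["trans"][ptr[s]].get(s, 0)) + lg(m["emit"][s].get(sig, FLOOR)) for s in S}
        back.append(ptr)
    path = [max(S, key=delta.get)]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return path[::-1]
# Constructed, already-filtered snort alarm sequence (true alarms only) for a DDoS-style scenario
ALARMS = ["ICMP_SWEEP", "PORTSCAN", "RPC_OVERFLOW", "RSH_CONNECT", "DDOS_FLOOD"]
```

Calling `scenario_posterior(MODELS, ALARMS)` shows the "ddos" probability rising towards 1 as the alarms arrive, and `viterbi(MODELS["ddos"], ALARMS)` gives the step label for each alarm.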
Keywords/Search Tags: Intrusion Detection, Attack Scenario, Hidden Markov Models, Conditional Random Fields