Using Vulnerability to Reduce False Positive Rate in Intrusion Detection Systems

Authors: Nadjah Chergui, Narhimene Boustia

Abstract:

Intrusion Detection Systems (IDSs) are an essential tool in a network security infrastructure. However, IDSs have a serious problem: they generate a massive number of alerts, most of which are false positives that can hide true alerts and confuse the analyst who must pick out the right alerts in order to report the true attacks. The purpose of this paper is to present a formal model for a correlation engine that reduces false positive alerts based on vulnerability contextual information. To that end, we propose a formal model based on the non-monotonic description logic JClassicδє, augmented with a default (δ) operator and an exception (є) operator, which allows dynamic inference according to contextual information.

Keywords: Context, exception, default, IDS, Non-monotonic Description Logic JClassicδє, vulnerability.
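The following Python snippet is an added illustration of the default/exception idea described in the abstract; it is not the authors' JClassicδє formalism nor any code from the paper, and it approximates the logic with plain rules rather than a description-logic reasoner. The host inventory, IP addresses, product names and CVE identifiers are constructed placeholders. The default (δ) conclusion is that an alert is relevant; an exception (є) fires only when vulnerability context contradicts it (the targeted host does not run the product the signature targets, or the referenced CVE is already remediated there). Missing context is deliberately not treated as an exception, so an alert against an unknown host keeps its default verdict until context arrives, which is what makes the inference non-monotonic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Host:
    """Vulnerability context for one host, as an asset scanner would report it."""
    ip: str
    products: Dict[str, str]  # installed product -> version
    patched: Set[str]         # CVE ids already remediated on this host


@dataclass
class Alert:
    """Minimal IDS alert; product/cve come from the signature's metadata."""
    sid: int
    src: str
    dst: str
    product: Optional[str]
    cve: Optional[str]


RELEVANT = "relevant"              # the default (δ) conclusion
FALSE_POSITIVE = "false_positive"  # reached only through an exception (є)


def classify(alert: Alert, inventory: Dict[str, Host]) -> Tuple[str, str]:
    """Apply the default, then look for an exception in the vulnerability context."""
    host = inventory.get(alert.dst)
    if host is None:
        return RELEVANT, "no context for target host; default stands"
    if alert.product is not None and alert.product not in host.products:
        return FALSE_POSITIVE, f"{alert.dst} does not run {alert.product}"
    if alert.cve is not None and alert.cve in host.patched:
        return FALSE_POSITIVE, f"{alert.cve} already remediated on {alert.dst}"
    return RELEVANT, "context does not contradict the default"


def correlate(alerts: List[Alert], inventory: Dict[str, Host]) -> List[Tuple[Alert, str, str]]:
    """Run every alert through the engine; returns (alert, verdict, reason) triples."""
    return [(a,) + classify(a, inventory) for a in alerts]


def summary(results: List[Tuple[Alert, str, str]]) -> Dict[str, int]:
    """Count how many alerts survive the reduction."""
    kept = sum(1 for _, verdict, _ in results if verdict == RELEVANT)
    return {"total": len(results), "relevant": kept, "false_positive": len(results) - kept}


# Constructed sample data: placeholder IPs, products and CVE ids, not real findings.
INVENTORY: Dict[str, Host] = {
    "10.0.0.5": Host("10.0.0.5", {"apache_httpd": "2.4.41"}, {"CVE-0000-0001"}),
    "10.0.0.6": Host("10.0.0.6", {"openssh": "8.2"}, set()),
}

ALERTS: List[Alert] = [
    Alert(1001, "198.51.100.7", "10.0.0.5", "apache_httpd", "CVE-0000-0001"),  # CVE patched
    Alert(1002, "198.51.100.7", "10.0.0.6", "apache_httpd", "CVE-0000-0002"),  # product absent
    Alert(1003, "198.51.100.7", "10.0.0.5", "apache_httpd", "CVE-0000-0003"),  # unpatched
    Alert(1004, "198.51.100.7", "10.0.0.9", "openssh", None),                  # host unknown
]


def revise_with_new_context() -> Tuple[str, str]:
    """Non-monotonic behaviour: a conclusion drawn under the default is
    withdrawn once new context supplies an exception."""
    unknown_host_alert = ALERTS[3]
    before, _ = classify(unknown_host_alert, INVENTORY)
    richer = dict(INVENTORY)
    richer["10.0.0.9"] = Host("10.0.0.9", {"nginx": "1.18"}, set())  # no openssh here
    after, _ = classify(unknown_host_alert, richer)
    return before, after


if __name__ == "__main__":
    for alert, verdict, reason in correlate(ALERTS, INVENTORY):
        print(f"sid={alert.sid} dst={alert.dst} -> {verdict} ({reason})")
    print(summary(correlate(ALERTS, INVENTORY)))
    print("revision:", revise_with_new_context())
```

Run as a script, the engine keeps two of the four constructed alerts and downgrades the other two, and `revise_with_new_context` shows the alert against the previously unknown host flipping from the default verdict to a false positive once the inventory learns that the host does not run the targeted service. The ordering of the exception checks, and the choice to let the default stand when context is missing, are design choices of this illustration; the paper's logic handles both through its δ and є operators.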

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1112091
