DATA STREAMING ALERT INTRUSION DETECTION

ABSTRACT:
Alert aggregation is an important subtask of intrusion detection. The goal is to identify
and to cluster different alertsproduced by low-level intrusion detection systems,
firewalls, etc.belonging to a specific attack instance which has been initiated by an
attacker at a certain point in time. Thus, meta-alerts can be generated for the clusters that
contain all the relevant information whereas the amount of data (i.e., alerts) can be
reduced substantially. eta-alerts may then be the basis for reporting to security e!perts
or for communication within a distributed intrusion detection system. "e propose a novel
techni#ue for online alert aggregation which is based on a dynamic, probabilistic model
of the current attack situation. $asically, it can be regarded as a data stream version of a
ma!imum likelihood approach for the estimation of the model parameters. "ith three
benchmark data sets, we demonstrate that it is possible to achieve reduction rates of up to
%%.%& percent while the number of missing meta-alerts is e!tremely low. 'n addition,
meta-alerts are generated with a delay of typically only a few seconds after observing the
first alert belonging to a new attack instance.
OUR CONTRIBUTION:
The Authors proposed methods on many 'ntrusion Alerts. As our contribution, we make
the system more efficient in identify the intrusion alerts and also we e!tend this work by
sending the Alerts as essage to the (etwork Administrator who governs the (etwork or
'ntrusion )etection *ystem.
EXISTING SYSTEM
ost e!isting ')* are optimi+ed to detect attacks with high accuracy. ,owever,
they still have various disadvantages that have been outlined in a number of
publications and a lot of work has been done to analy+e ')* in order to direct
future research.
$esides others, one drawback is the large amount of alerts produced.
Alerts can be given only in *ystem logs.
-!isting ')* does not have general framework which cannot be customi+ed by
adding domain specific knowledge as per the specific re#uirements of the users or
network administrators.
PROPOSED SYSTEM
.nline 'ntrusion Alert Aggregation with /enerative )ata *tream odeling is a
generative modeling approach using probabilistic methods. Assuming that attack
instances can be regarded as random processes 0producing1 alerts, we aim at
modeling these processes using appro!imative ma!imum likelihood parameter
estimation techni#ues. Thus, the beginning as well as the completion of attack
instances can be detected.
't is a data stream approach, i.e., each observed alert is processed only a few
times. Thus, it can be applied online and under harsh timing constraints.
'n the proposed scheme of .nline 'ntrusion Alert Aggregation with /enerative
)ata *tream odeling, we e!tend our idea of sending 'ntrusion alerts to the
mobile. This makes the process easier and comfortable.
.nline 'ntrusion Alert Aggregation with /enerative )ata *tream odeling does
not degrade system performance as individual layers are independent and are
trained with only a small number of features, thereby, resulting in an efficient
system.
.nline 'ntrusion Alert Aggregation with /enerative )ata *tream odeling is
easily customi+able and the number of layers can be ad2usted depending upon the
re#uirements of the target network. .ur framework is not restrictive in using a
single method to detect attacks. )ifferent methods can be seamlessly integrated in
our framework to build effective intrusion detectors.
.ur framework has the advantage that the type of attack can be inferred directly
from the layer at which it is detected. As a result, specific intrusion response
mechanisms can be activated for different attacks.
HARDWARE REQUIREMENTS
3 *4*T- 5 6entium '7 8.9 /,+
3 ,A:) )'*; 5 9< /$
3 .('T.: 5 => 7/A colour
3 .?*- 5 @ogitech.
3 :A 5 8>& $
3 ;-4$.A:) 5 ==< keys enhanced.
SOFTWARE REQUIREMENTS
3 .perating system 5 "indows A6 6rofessional
3 Bront -nd 5 CA7A, :', C)$D, *wing
3 Tool 5 -clipse E.E
MODULES
Server
Client
DARPA DtSet
M!"ile
Att#$ Si%&lti!n
Server
*erver module is the main module for this pro2ect. This module acts as the
'ntrusion )etection *ystem. This module consists of four layers vi+. sensor layer (which
detects the userFclient etc.), )etection layer, alert processing layer and reaction layer. 'n
addition there is also essage @og, where all the alerts and messages are stored for the
references. This essage @og can also be saved as @og file for future references for any
network environment.
Client
Dlient module is developed for testing the 'ntrusion )etection *ystem. 'n this
module the client can enter only with a valid user name and password. 'f an intruder
enters with any guessing passwords then the alert is given to the *erver and the intruder is
also blocked. -ven if the valid user enters the correct user name and password, the user
can use only for minimum number of times. Bor e!ample even if the valid user makes the
login for repeated number of times, the client will be blocked and the alert is sent to the
admin. 'n the process level intrusion, each client would have given a specific process
only. Bor e!ample, a client may have given permission only for 6=process. 'f the client
tries to make more then these processes the client will be blocked and the alert is given
by the 'ntrusion )etection *ystem. 'n this client module the client can be able to send
data. ,ere, when ever data is sent 'ntrusion )etection *ystem checks for the file. 'f the
si+e of the file is large then it is restricted or else the data is sent.
DARPA Dt'et
This module is integrated in the *erver module. This is an offline type of testing
the intrusions. 'n this module, the )A:6A )ata *et is used to check the techni#ue of the
.nline 'ntrusion Alert Aggregation with /enerative )ata *tream odeling. The )A:6A
data set is downloaded and separated according to each layers. *o we test the instance of
)A:6A )ataset using the open file dialog bo!. "henever the dataset is chosen based on
the conditions specified the 'ntrusion )etection *ystem works.
M!"ile
This module is developed using C8-. The traditional system uses the message
log for storing the alerts. 'n this system, the system admin or user can get the alerts in
their mobile. "henever alert message received in the message log of the server, the
mobile too receives the alert message.
Att#$ Si%&lti!n
'n this module, the attack simulation is made for ourself to test the system.
Attacks are classified and made to simulate here. "henever an attack is launched the
'ntrusion )etection *ystem must be capable of detecting it. *o our system will also be
capable of detecting such attacks. Bor e!ample if an '6 trace attack is launched, the
'ntrusion )etection *ystem must detect it and must kill or block the process.
ALGORITHM FOR THE PROPOSED IDS
ALERT AGGREGATION ALGORITHM:
*tep =5 *elect the GnH layers needed for the whole ')*.
*tep 85 $uild *ensor @ayer to detect (etwork and ,ost *ystems.
*tep E5 $uild )etection @ayer based on isuse and Anomaly detection techni#ue.
*tep 95 Dlassify various types of alerts. (Bor e!ample alert for *ystem level intrusion or
process level intrusion)
*tep >5 Dode the system for detecting various types of attacks and alerts for respective
attacks.
*tep &5 'ntegrate the system with obile device to get alerts from the proposed ')*.
*tep I5 *pecify each type of alert on which category it falls, so that user can easily
recogni+e the attack type.
*tep J5 $uild :eaction layer with various options so that administratorFuser can have
various options to select or react on any type of intrusion.
*tep %5 Test the system using Attack *imulation module, by sending different attacks to
the proposed ')*.
*tep =<5 $uild a log file, so that all the reports generated can be saved for future
references.
SYSTEM DESIGN
Dt Fl!( Di)r% * U'e C'e Di)r% * Fl!( Di)r%
The )B) is also called as bubble chart. 't is a simple graphical
formalism that can be used to represent a system in terms of the input data to
the system, various processing carried out on these data, and the output data
is generated by the system.
Dt Fl!( Di)r%
DFD Level 0:
DFD Level 1:
DFD Level 2:
Usecase Diagram:
Sequence Diagram:

D.(D@?*'.(
'n this pro2ect, we presented a novel techni#ue for online alert
aggregation. "e also addressed the problem of accuracy and
efficiency of 'ntrusion )etection *ystem. "e developed the
presented architecture and tested the system with the misuse based
anomaly detection techni#ue. "e also proposed a misuse based
anomaly detection algorithm for our system. As our contribution,
we make the system more efficient in identify the intrusion alerts
and also we e!tend this work by sending the Alerts as essage to
the (etwork Administrator who governs the (etwork or 'ntrusion
)etection *ystem. ost of the present e!isting 'ntrusion )etection
*ystem does not have a generali+ed framework. .ur proposed
architecture is similar to layers, so according to the network
environment, the network administrator can add or remove the
layers. 'f a new updated version of detection comes in future, then
it will be very easy to add the layer with our proposed system. "e
also tested our system by launching various attacks to the system,
and we found how the system detects and reacts according to the
developed ')*. As a future work, this work can be e!tended as not
only to detect attacks and also to prevent attacks. As mentioned
earlier, our proposed system allows adding new layers, the
prevention layer functionality layer can also be added with our
system, as a future work.
:-B-:-(D-*5
Ale!ander ,ofmann and $ernhard *ick, 0.nline 'ntrusion Alert
Aggregation with /enerative )ata *tream odeling1, '---
Transactions on )ependable and *ecure Domputing, 7ol. J, (o. 8,
arch K April 8<==.
;apil ;umar /upta, $aikunth (ath and :amamohanarao ;otagiri,
0@ayered Approach using Donditional :andom Bields for
'ntrusion )etection1, '--- Transactions on )ependable and *ecure
Domputing, 7ol.I, (o.=, Canuary-arch 8<=<.
L=M *. A!elsson, 0'ntrusion )etection *ystems5 A *urvey and
Ta!onomy,1 Technical :eport %%-=>, )ept. of Domputer -ng.,
Dhalmers ?niv. of Technology, 8<<<.
L8M .:. -ndsley, 0Theoretical ?nderpinnings of *ituation
Awareness5 A Dritical :eview,1 *ituation Awareness Analysis and
easurement, .:. -ndsley and ).C. /arland, eds., chapter =, pp.
E-E8, @awrence -rlbaum Assoc., 8<<<.
LEM D.. $ishop, 6attern :ecognition and achine @earning.
*pringer, 8<<&.
L9M .:. ,en+inger, 6. :aghavan, and *. :a2agopalan, Domputing
on )ata *treams. Am. ath. *oc., =%%%.
L>M A. Allen, 0'ntrusion )etection *ystems5 6erspective,1
Technical :eport )6:.-%>E&I, /artner, 'nc., 8<<E.
L&M B. 7aleur, /. 7igna, D. ;ruN gel, and :.A. ;emmerer, 0A
Domprehensive Approach to 'ntrusion )etection Alert
Dorrelation,1 '--- Trans. )ependable and *ecure Domputing, vol.
=, no. E, pp. =9&-=&%, Culy-*ept. 8<<9.
LIM ,. )ebar and A. "espi, 0Aggregation and Dorrelation of
'ntrusion-)etection Alerts,1 :ecent Advances in 'ntrusion
)etection, ". @ee, @. e, and A. "espi, eds., pp. J>-=<E,
*pringer, 8<<=.
LJM ). @i, O. @i, and C. a, 06rocessing 'ntrusion )etection Alerts
in @arge-*cale (etwork,1 6roc. 'ntHl *ymp. -lectronic Dommerce
and *ecurity, pp. >9>->9J, 8<<J.
L%M B. Duppens, 0anaging Alerts in a ulti-'ntrusion )etection
-nvironment,1 6roc. =Ith Ann. Domputer *ecurity Applications
Donf. (AD*AD H<=), pp. 88-E=, 8<<=.
L=<M A. 7aldes and ;. *kinner, 06robabilistic Alert Dorrelation,1
:ecent Advances in 'ntrusion )etection, ". @ee, @. e, and A.
"espi, eds. pp. >9-&J, *pringer, 8<<=.
L==M ;. Culisch, 0?sing :oot Dause Analysis to ,andle 'ntrusion
)etection Alarms,1 6h) dissertation, ?niversitaN t )ortmund,
8<<E. ,.BA(( A() *'D;5 .(@'(- '(T:?*'.( A@-:T
A//:-/AT'.( "'T, /-(-:AT'7- )ATA *T:-A
.)-@'(/ 8%E
L=8M T. 6ietras+ek, 0Alert Dlassification to :educe Balse 6ositives
in 'ntrusion )etection,1 6h) dissertation, ?niversitaN t Breiburg,
8<<&.
L=EM B. Autrel and B. Duppens, 0?sing an 'ntrusion )etection Alert
*imilarity .perator to Aggregate and Buse Alerts,1 6roc. Bourth
Donf. *ecurity and (etwork Architectures, pp. E=8-E88, 8<<>.
L=9M /. /iacinto, :. 6erdisci, and B. :oli, 0Alarm Dlustering for
'ntrusion )etection *ystems in Domputer (etworks,1 achine
@earning and )ata ining in 6attern :ecognition, 6. 6erner and
A. 'miya, eds. pp. =J9-=%E, *pringer, 8<<>.
L=>M .. )ain and :. Dunningham, 0Busing a ,eterogeneous Alert
*tream into *cenarios,1 6roc. 8<<= AD "orkshop )ata ining
for *ecurity Applications, pp. =-=E, 8<<=.
L=&M 6. (ing, 4. Dui, ).*. :eeves, and ). Au, 0Techni#ues and
Tools for Analy+ing 'ntrusion Alerts,1 AD Trans. 'nformation
*ystems *ecurity, vol. I, no. 8, pp. 8I9-E=J, 8<<9.
L=IM B. Duppens and :. .rtalo, 0@A$)A5 A @anguage to odel
a )atabase for )etection of Attacks,1 :ecent Advances in
'ntrusion )etection, ,. )ebar, @. e, and *.B. "u, eds. pp. =%I
8=&, *pringer, 8<<<.
L=JM *.T. -ckmann, /. 7igna, and :.A. ;emmerer, 0*TAT@5 An
Attack @anguage for *tate-$ased 'ntrusion )etection,1 C. computer
*ecurity, vol. =<, nos. =F8, pp. I=-=<E, 8<<8.
L=%M A. ,ofmann, 0Alarmaggregation und
'nteressantheitsbewertung in einem de+entralisierten
Angriffserkennungsystem,1 6h) dissertation, ?niversitaNt 6assau,
under review.
L8<M .*. *hin, ,. oon, ;.,. :yu, ;. ;im, and C. ;im,
0Applying )ata ining Techni#ues to Analy+e Alert )ata,1 "eb
Technologies and Applications, A. Ohou, 4. Ohang, and .-.
.rlowska, eds. pp. =%E-8<<, *pringer, 8<<E.
REFERENCES:
Ale!ander ,ofmann and $ernhard *ick, 0.nline 'ntrusion Alert Aggregation with
/enerative )ata *tream odeling+, IEEE Trn'#ti!n' !n De-en."le n.
Se#&re C!%-&tin), /!l0 1, N!0 2, Mr#3 4 A-ril 2566.
;apil ;umar /upta, $aikunth (ath and :amamohanarao ;otagiri, 0@ayered
Approach using Donditional :andom Bields for 'ntrusion )etection1, '---
Transactions on )ependable and *ecure Domputing, 7ol.I, (o.=, Canuary-arch
8<=<.