Hybrid of structural-causal and statistical model for intrusion alert correlation

The evolutions of computer network attacks have urged many organizations to install multiple Network Intrusion Detection Systems (NIDSs) for complete monitoring and detection of intrusions. Such solution produces enormous number of alerts due to repeated and false positive alerts. This contributes t...

Full description

Saved in:
Bibliographic Details
Main Author: Md. Sirat @ Md. Siraj, Maheyzah
Format: Thesis
Language:English
Published: 2013
Subjects:
Online Access:http://eprints.utm.my/id/eprint/33791/5/MaheyzahMdSiratPFSKSM2013.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
id my-utm-ep.33791
record_format uketd_dc
spelling my-utm-ep.337912017-07-24T01:05:39Z Hybrid of structural-causal and statistical model for intrusion alert correlation 2013-02 Md. Sirat @ Md. Siraj, Maheyzah TK Electrical engineering. Electronics Nuclear engineering The evolutions of computer network attacks have urged many organizations to install multiple Network Intrusion Detection Systems (NIDSs) for complete monitoring and detection of intrusions. Such solution produces enormous number of alerts due to repeated and false positive alerts. This contributes to low quality alerts and makes manual Alert Correlation (AC) tedious, labour intensive and error prone. Besides that, alerts are also unformatted, unlabelled and unstructured. Thus, the actual attack strategy cannot be recognized. The existing AC models have few limitations. They only provide single type of correlation and rely on a large number of static predetermined rules to correlate alerts. Consequently, alerts are not being correlated completely and rules need to be manually updated regularly. Therefore, this research proposes a new automated Hybrid-based AC (HAC) model that provides complete correlation in terms of structural, causal and statistical. The purpose is to improve the quality of alerts as well as to recognize the attack strategy through alerts patterns. To accomplish this, it hybridizes Improved Unit Range (IUR), Principal Component Analysis (PCA), Expectation Maximization (EM) algorithm, Levenberg-Marquardt (LM) Backpropagation algorithm and statistical correlation tests to optimally recognize the known and new steps and stages of an attack strategy. New post-clustering algorithms are proposed and become part of the hybridization to filter out the low quality alerts. HAC is successfully experimented using DARPA 2000 benchmark dataset onto signature-based RealSecure Version 6.0 NIDSs. The experimental results validate that HAC optimally correlate the alerts with 98.72% of correlation completeness (Rc) and 3.45 seconds of execution time. This shows that HAC is effective and practical in providing complete correlation even on high dimensionality, large scaled and low quality dataset. 2013-02 Thesis http://eprints.utm.my/id/eprint/33791/ http://eprints.utm.my/id/eprint/33791/5/MaheyzahMdSiratPFSKSM2013.pdf application/pdf en public http://dms.library.utm.my:8080/vital/access/manager/Repository/vital:69760?site_name=Restricted Repository phd doctoral Universiti Teknologi Malaysia, Faculty of Computing Faculty of Computing
institution Universiti Teknologi Malaysia
collection UTM Institutional Repository
language English
topic TK Electrical engineering
Electronics Nuclear engineering
spellingShingle TK Electrical engineering
Electronics Nuclear engineering
Md. Sirat @ Md. Siraj, Maheyzah
Hybrid of structural-causal and statistical model for intrusion alert correlation
description The evolutions of computer network attacks have urged many organizations to install multiple Network Intrusion Detection Systems (NIDSs) for complete monitoring and detection of intrusions. Such solution produces enormous number of alerts due to repeated and false positive alerts. This contributes to low quality alerts and makes manual Alert Correlation (AC) tedious, labour intensive and error prone. Besides that, alerts are also unformatted, unlabelled and unstructured. Thus, the actual attack strategy cannot be recognized. The existing AC models have few limitations. They only provide single type of correlation and rely on a large number of static predetermined rules to correlate alerts. Consequently, alerts are not being correlated completely and rules need to be manually updated regularly. Therefore, this research proposes a new automated Hybrid-based AC (HAC) model that provides complete correlation in terms of structural, causal and statistical. The purpose is to improve the quality of alerts as well as to recognize the attack strategy through alerts patterns. To accomplish this, it hybridizes Improved Unit Range (IUR), Principal Component Analysis (PCA), Expectation Maximization (EM) algorithm, Levenberg-Marquardt (LM) Backpropagation algorithm and statistical correlation tests to optimally recognize the known and new steps and stages of an attack strategy. New post-clustering algorithms are proposed and become part of the hybridization to filter out the low quality alerts. HAC is successfully experimented using DARPA 2000 benchmark dataset onto signature-based RealSecure Version 6.0 NIDSs. The experimental results validate that HAC optimally correlate the alerts with 98.72% of correlation completeness (Rc) and 3.45 seconds of execution time. This shows that HAC is effective and practical in providing complete correlation even on high dimensionality, large scaled and low quality dataset.
format Thesis
qualification_name Doctor of Philosophy (PhD.)
qualification_level Doctorate
author Md. Sirat @ Md. Siraj, Maheyzah
author_facet Md. Sirat @ Md. Siraj, Maheyzah
author_sort Md. Sirat @ Md. Siraj, Maheyzah
title Hybrid of structural-causal and statistical model for intrusion alert correlation
title_short Hybrid of structural-causal and statistical model for intrusion alert correlation
title_full Hybrid of structural-causal and statistical model for intrusion alert correlation
title_fullStr Hybrid of structural-causal and statistical model for intrusion alert correlation
title_full_unstemmed Hybrid of structural-causal and statistical model for intrusion alert correlation
title_sort hybrid of structural-causal and statistical model for intrusion alert correlation
granting_institution Universiti Teknologi Malaysia, Faculty of Computing
granting_department Faculty of Computing
publishDate 2013
url http://eprints.utm.my/id/eprint/33791/5/MaheyzahMdSiratPFSKSM2013.pdf
_version_ 1747816186026917888