Alerts Clustering for Intrusion Detection Systems: Overview and Machine Learning Perspectives

Alhakami, Wajdi

doi:10.14569/ijacsa.2019.0100574

Cited by 8 publications

(3 citation statements)

References 51 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…At the same time, they find a lot of time is wasted in investing in non-serious warnings (low precision), but many serious alerts are still lost. In [33] the authors divide alerts into low-and high-level alerts and point out that high-level alert management is a potential task that helps the administrator to analyze alerts correctly and to allocate time and effort.…”

Section: Literature Reviewmentioning

confidence: 99%

Wk-fnn design for detection of anomalies in the computer network traffic

Protic

Stanković

Antic

2022

Facta Univ Electron Energ

View full text Add to dashboard Cite

Anomaly-based intrusion detection systems identify abnormal computer network traffic based on deviations from the derived statistical model that describes the normal network behavior. The basic problem with anomaly detection is deciding what is considered normal. Supervised machine learning can be viewed as binary classification, since models are trained and tested on a data set containing a binary label to detect anomalies. Weighted k-Nearest Neighbor and Feedforward Neural Network are high-precision classifiers for decision-making. However, their decisions sometimes differ. In this paper, we present a WK-FNN hybrid model for the detection of the opposite decisions. It is shown that results can be improved with the xor bitwise operation. The sum of the binary ?ones? is used to decide whether additional alerts are activated or not.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Wk-fnn design for detection of anomalies in the computer network traffic

Protic

Stanković

Antic

2022

Facta Univ Electron Energ

View full text Add to dashboard Cite

show abstract

“…Alert Correlation (AC) is the core of the attack scenario construction process. AC takes a set of alerts produced by one or more NIDSs as input and generates a highlevel view of occurring or attempted intrusions [7]. It finds and discovers the relationships among unrelated alerts and their attributes that reveal the behavior of the attacker by finding similarity or causality between the alerts [3] and [11].…”

Section: Motivation and Related Workmentioning

confidence: 99%

“…However, the Security Analyst (SA) cannot capture the logical steps or scenarios behind these attacks, due to fact that the NIDS triggers alerts independently in low-level information that describes individual attack steps and are not designed to recognize the attack plans or discover multistage attack scenarios [5]. Therefore, identifying the scenario of the attack directly from these alerts is unmanageable due to problems with detailing a low level of information [6] [7]. Existing works on attack scenario construction mainly either rely on knowledge-based methods to find the relation between alerts or aim to make an inference from statistical or machine learning analysis, which are more complex and higher in computational cost.…”

mentioning

confidence: 99%

An Effective Attack Scenario Construction Model based on Attack Steps and Stages Identification

Alhaj¹,

Siraj²,

Zainal³

et al. 2021

Preprint

View full text Add to dashboard Cite

A Network Intrusion Detection System (NIDS) is a network security technology for detecting intruder attacks. However, it produces a great amount of lowlevel alerts which makes the analysis difficult, especially to construct the attack scenarios. Attack scenario construction (ASC) via Alert Correlation (AC) is important to reveal the strategy of attack in terms of steps and stages that need to be launched to make the attack successful. In most of the existing works, alerts are correlated by classifying the alerts based on the cause-effect relationship. However, the drawback of these works is the identification of false and incomplete correlations due to infiltration of raw alerts. To address this problem, this work proposes an effective ASC model to discover the complete relationship among alerts. The model is successfully experimented using two types of dataset, which are DARPA 2000, and ISCX2012. The Completeness and Soundness of the proposed model are measured to evaluate the overall correlation effectiveness.

show abstract