DATA FUSION PROCESS REFINEMENT IN INTRUSION DETECTION ALERT CORRELATION SYSTEMS

A Thesis Presented to The Graduate Faculty of The University of Akron
In Partial Fulfillment of the Requirements for the Degree Master of Science

David Sheets
May, 2009

DATA FUSION PROCESS REFINEMENT IN INTRUSION DETECTION ALERT CORRELATION SYSTEMS
David Sheets

Thesis Approved:
  Advisor: Dr. Xuan-Hien Thi Dang
  Faculty Reader: Dr. Yingcai Xiao
  Faculty Reader: Dr. Zhong-Hui Duan
  Department Chair: Dr. Wolfgang Pelz

Accepted:
  Dean of the College: Dr. Ronald F. Levant
  Dean of the Graduate School: Dr. George R. Newkome
  Date: _______________________________

ABSTRACT

Computer systems are getting larger in size, contain a greater variety and volume of data, and communicate personal and confidential information, making security critical as well as making them appealing targets for malicious activities. The need to keep these systems secure has been approached from several different aspects, one of which is the employment of intrusion detection systems. An evolution of the intrusion detection system occurs in alert correlation systems, which take raw alerts from numerous sensors within a network and generate broader situational awareness by combining the individual findings of each sensor into a bigger-picture state of the system. This study looks at improving the ability of an existing alert correlation system to pull all the relevant pieces of an intrusion into that picture in order to further reduce the output, enabling quicker analysis by a system administrator.

Through experimentation and analysis, the look-ahead system has demonstrated an ability to decrease the total number of alerts in the system, thereby reducing the workload of system administrators, since fewer alerts remain for the administrator to analyze.

ACKNOWLEDGEMENTS

It is with deep gratitude that I thank the people who have helped make accomplishing this thesis possible. I would like to thank my wife Kristen, who for so long put up with me paying more attention to the thesis and academic works than to her. Her patience and contributions were instrumental to reaching completion. Dr. Xuan-Hien Thi Dang, my thesis advisor, worked with me through the arduous task of completing a master's degree while working full-time (and often greater than full-time). Her advice provided the key elements that allowed the research and work to combine smoothly into this thesis. Dr. Yingcai Xiao and Dr. Zhong-Hui Duan took the time out of their busy schedules near the end of the semester to provide invaluable feedback. This allowed the paper to take shape and to become a complete work. Their efforts and dedication have provided the critical finishing touches. I would also like to extend my appreciation to BGI-LLC and my professional colleagues who allowed me the time and resources to complete this endeavor. If not for their commitment, I would have never been able to dedicate myself to this achievement.

TABLE OF CONTENTS

LIST OF TABLES .... viii
LIST OF FIGURES .... x

CHAPTER
I. INTRODUCTION .... 1
  1.1 Statement of the Problem .... 1
  1.2 Importance of the Study .... 2
  1.3 Objectives .... 3
  1.4 Contributions .... 5
  1.5 Organization of the Thesis .... 6
II. BACKGROUND OF THE STUDY .... 7
  2.1 Intrusion Detection .... 7
  2.2 Data Fusion .... 8
  2.3 Alert Correlation .... 10
  2.4 Data Sets .... 11
  2.5 Alert Message Standardization .... 11
  2.6 Correlation Engine Framework (STAT) .... 12
    2.6.1 Data Fusion and Alert Correlation Concepts .... 12
    2.6.2 Correlation Framework .... 14
    2.6.3 AlertSTAT Framework .... 17
    2.6.4 Limitations .... 20
III. ALERT CORRELATION WITH LOOK-AHEAD .... 25
  3.1 Correlation Process .... 25
  3.2 Dynamic Time Window .... 26
  3.3 Process refinement through a look-ahead .... 27
    3.3.1 Algorithm .... 28
    3.3.2 Applying the Dynamic Time Window .... 30
    3.3.3 Providing Early Notification .... 31
    3.3.4 Look-Ahead System .... 31
    3.3.5 Benefits for process refinement .... 32
  3.4 Examples .... 33
  3.5 Example Output .... 38
  3.6 Metrics .... 41
IV. RESULTS AND ANALYSIS .... 45
  4.1 Experiments .... 45
    4.1.1 Data Sets .... 45
    4.1.2 Execution .... 47
  4.2 Results .... 47
  4.3 Analysis .... 60
V. SUMMARY .... 63
  5.1 Conclusion .... 63
  5.2 Future Work .... 63
    5.2.1 Improvements to the look-ahead .... 63
    5.2.2 Further process refinement .... 64
    5.2.3 Visualization .... 64
    5.2.4 STAT Compiler Updates .... 65
BIBLIOGRAPHY .... 66

LIST OF TABLES

2.6-1 Output from static window example in Figure 2.6-4 .... 23
3.4-1 Output from dynamic window example in Figure 3.4-1 .... 34
3.4-2 Time window sizes in Figure 3.4-1 .... 35
3.4-3 Output from extended static window example in Figure 3.4-2 .... 38
4.1-1 Test platform .... 45
4.1-2 Statistics of available data sets .... 46
4.2-1 Overall results for full data set with default 120 second time windows .... 48
4.2-2 Overall results for full data set with session time window of 1,200 seconds .... 48
4.2-3 Session results for full data set with 120 second time window .... 49
4.2-4 Session results for full data set with 1,200 second time window .... 49
4.2-5 One2Many results for full data set with 120 second session time window .... 50
4.2-6 One2Many results for full data set with 1,200 second session time window .... 50
4.2-7 Many2One results for full data set with 120 second session time window .... 50
4.2-8 Many2One results for full data set with 1,200 second session time window .... 51
4.2-9 False positive predictions on 120 second session time window .... 53
4.2-10 False positive predictions on 1,200 second session time window .... 53
4.2-11 Results for subset 1 .... 54
4.2-12 Results for subset 2 .... 55
4.2-13 Results for subset 3 .... 56
4.2-14 Results for subset 4 .... 57
4.2-15 Results for subset 5 .... 58
4.2-16 Results for subset 6 .... 59
4.2-17 Results for subset 7 .... 60

LIST OF FIGURES

2.2-1 Data fusion example using alerts .... 9
2.6-1 Alert correlation concept associated with data fusion .... 13
2.6-2 The AlertSTAT system implementation .... 19
2.6-3 Basis for correlation examples .... 22
2.6-4 Correlation example with static time window .... 23
3.3-1 Pseudo-code for calculating the dynamic window extension .... 29
3.3-2 Pseudo-code for the window timer calculation .... 30
3.3-3 Look-ahead depth and technique used .... 32
3.4-1 Correlation example dynamic window with look-ahead depth of 2 .... 34
3.4-2 Correlation example with extended static windows .... 37
3.5-1 Example output .... 40
3.5-2 Example IDMEF correlation alert .... 41
3.6-1 Example effect of a look-ahead false positive .... 43
4.2-1 Stacked plot of reduction with 120 second session time window on full data .... 51
4.2-2 Stacked plot of reduction with 1,200 second session time window on full data .... 52

[...]

pulling alerts together into a correlated picture. However, studying this alert correlation concept in light of existing and mature data fusion models shows that the process refinement level provided in data fusion is lacking in the alert correlation concept. The process refinement level in data fusion provides the critical function of utilizing information in the system to refine the picture generated [...]
algorithms for intrusion detection alert correlation. One method, filtering, is simply the filtering of single alerts based on certain criteria. Another method is fusing, which takes two alerts and compares certain criteria looking for a match. When a match is found, these two alerts are fused into a single alert. In the case of the AlertSTAT component, these new alerts are correlation alerts. The final method [...]

standardized approach. The Internet Engineering Task Force (IETF) created the Intrusion Detection Working Group (IDWG) in order to define a common standard for exchanging intrusion detection messages. This effort builds upon preliminary work as well as the Common Intrusion Detection Format (CIDF). This working group developed the Intrusion Detection Message Exchange Format (IDMEF) in order to address the [...]

while improving the ability of each component to process incoming alerts. The original correlation system operates in a primarily sequential order, as discussed in section 2.6.3, handing off incoming alerts to the first component as inputs. Each component processes its input alerts, performing its assigned tasks, and then decides whether to output the alert back to the core for continued processing or to [...]

time window.

Table 2.6-1 Output from static window example in Figure 2.6-4

Output                                                 Time
Alert 2 (correlation with Alert 4 did not occur)       t4
Alert A1,3 (correlation with Alert 5 did not occur)    t5
Alert 4 (correlation with Alert 2 did not occur)       t7
Alert 6 removed from system                            t7
Alert 5 (correlation with Alert A1,3 did not occur)    t8

There are six total alerts in the example in Figure 2.6-4 that are being [...]
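The filtering and fusing methods described above, and the static-window limitation that Table 2.6-1 illustrates (a match arriving after the window has closed is never correlated), as an added Python example; it is not the AlertSTAT code and not from the thesis. Assumptions: the fusing criterion is an identical source and destination address, alerts flagged informational are filtered out, a fused alert's window restarts at the arrival of its newest member, and the six-alert trace is constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Alert:
    name: str                # "1", "2", ... for raw alerts; "A1,3" for a correlation alert
    time: float              # arrival time in seconds from the start of the constructed trace
    src: str
    dst: str
    info_only: bool = False  # assumed filtering criterion: informational alerts are dropped

def match(a: Alert, b: Alert) -> bool:
    # Assumed fusing criterion: same attacker address and same victim address.
    return a.src == b.src and a.dst == b.dst

def fuse(a: Alert, b: Alert) -> Alert:
    # Correlation alert named after the raw alerts it absorbed, e.g. "A1,3" (assumed naming).
    return Alert("A" + a.name.lstrip("A") + "," + b.name, b.time, a.src, a.dst)

def correlate_static(alerts: List[Alert], window: float) -> List[Tuple[str, float, str]]:
    """Static time-window correlation: an alert waits up to `window` seconds for a match,
    otherwise it is output unchanged. Returns (name, time it left, "output"/"removed")."""
    held: List[Alert] = []
    out: List[Tuple[str, float, str]] = []
    for cur in sorted(alerts, key=lambda a: a.time):
        if cur.info_only:                          # filtering: remove from the system
            out.append((cur.name, cur.time, "removed"))
            continue
        # Held alerts whose window closed before this arrival leave the system as-is.
        out += [(h.name, h.time + window, "output") for h in held if cur.time - h.time > window]
        held = [h for h in held if cur.time - h.time <= window]
        partner = next((h for h in held if match(h, cur)), None)
        if partner is None:
            held.append(cur)                       # wait for a possible match
        else:
            held.remove(partner)
            held.append(fuse(partner, cur))        # fused alert keeps waiting for more matches
    out += [(h.name, h.time + window, "output") for h in held]   # end of trace: flush
    return sorted(out, key=lambda r: r[1])

# Constructed trace: 1, 3 and 5 share a victim host, 2 and 4 share another, 6 is noise.
TRACE = [
    Alert("1", 0.0, "10.0.0.5", "10.0.0.20"),
    Alert("2", 2.0, "10.0.0.5", "10.0.0.21"),
    Alert("3", 5.0, "10.0.0.5", "10.0.0.20"),
    Alert("4", 14.0, "10.0.0.5", "10.0.0.21"),
    Alert("5", 18.0, "10.0.0.5", "10.0.0.20"),
    Alert("6", 19.0, "10.0.0.9", "10.0.0.30", info_only=True),
]
```

With `correlate_static(TRACE, 10.0)` alert 2 is output before alert 4 arrives and A1,3 before alert 5, leaving five outputs as in Table 2.6-1; with a 20 second window both matches are found and only A2,4, A1,3,5 and the removed alert 6 remain.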
security, it is being applied to intrusion detection in the form of alert correlation. These correlation systems have proven themselves as major advancements with great potential to provide crucial capabilities to computer security [2]. However, the data fusion picture is incomplete and the alert correlation and data fusion communities sometimes diverge in methodology. By studying the evolved data fusion models [...]

administrator, primarily through the employment of intrusion detection and data fusion centered on the need for enhancing computer security. The amount of effort put into these areas individually is extensive and the combination of these fields is beginning to take the spotlight as we try to glean information from the variety of data available. Intrusion detection systems have become a valuable tool in [...]

refinement, which includes the continual refinement of the big picture generated by the other levels of the data fusion. This correlation concept has been mapped to the revised JDL data fusion levels where applicable in Figure 2.6-1.

[Figure 2.6-1: Alert correlation concept associated with data fusion. Labels recovered from the figure: Sub-Object Assessment: ID Sensor Network, Normalization, Sensor Events, Pre-Processing (Convert Event to common format, Fill in missing information); Object Assessment: Alert Fusion ...]

[...]

shrink the window to increase throughput when it's not needed. This combination provides the benefits of reducing the data set through additional correlations while maintaining early warning and notification of the correlations within the data stream. Furthermore, the dynamic time window calculations save time required to manually adjust static windows in order to reap the benefits of additional correlation [...]
ideas for advancing this area.

CHAPTER II
BACKGROUND OF THE STUDY

This study involves the area of computer security with a focus on intrusion detection systems. This is further scoped to the specific area of alert correlation via data fusion. This section discusses the background related to this study.

2.1 Intrusion Detection

Intrusion Detection Systems (IDS) perform a variety of roles, using a variety [...]