International Journal Of Advanced Research and Innovations Vol.1, Issue 1
ISSN Online: 2319 – 9253
Print: 2319 – 9245

Alert Correlations in Intrusion Detection Systems

P. Sai Prasad [1], J. KrishnaVeni [2]

1. Asst. Professor, Dept. of CSE, Sanjeevani College of Engineering, Kopargaon, Shiridi
2. HOD, Dept. of IT, Vivekananda Institute of Technology and Science, Karimnagar

The use of wireless sensors has grown drastically across the world, but providing security for them is a tedious task because of many constraints. Sensor networks must overcome the problems of energy, memory usage and computation power, and finally quality-assurance issues. Privacy preservation is therefore a scheme for providing security to sensor networks; we add further parameters such as identity, routing and location, and thereby achieve reliability and cost-effectiveness.

Keywords: privacy; routing; wireless sensor networks; IRL scheme; network model

I. INTRODUCTION

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. [1]

IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall), or changing the attack's content. [1]

II. TYPES OF IDS

For the purpose of dealing with IT, three main types of IDS are distinguished:

1. Network intrusion detection system (NIDS)

A NIDS is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.

2. Host-based intrusion detection system (HIDS)

A HIDS consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. Examples of HIDS are Tripwire and OSSEC.


3. Stack-based intrusion detection system (SIDS)

This type of system is an evolution of HIDS. Packets are examined as they pass through the TCP/IP stack and, therefore, it is not necessary for the sensor to operate the network interface in promiscuous mode. This makes its implementation dependent on the operating system in use.

Intrusion detection systems can also be system-specific, using custom tools and honeypots.

Privacy Schemes

A number of privacy schemes [1, 3–7] have been proposed for WSNs; they are discussed below. The phantom routing scheme for WSNs [3] helps to hide the location of a source from the attacker. In this scheme, each message reaches the destination in two phases: 1) a walking phase, in which the message is unicast in a random fashion within the first h_walk hops; 2) after that, the message is flooded using the baseline flooding technique. The major advantage of the scheme is its source location privacy protection, which improves as the network size and intensity increase because of high path diversity. On the other hand, as the network size increases, the flooding phase consumes more energy. This scheme does not provide identity privacy. Also, it is unable to provide data secrecy in the presence of identity privacy.

P. Kamat et al. [4] proposed a phantom single-path routing scheme that works in a similar fashion to the original phantom routing scheme [3]. The major difference between the two schemes is that after the walking phase, a packet is forwarded to the destination via a single-path routing strategy such as shortest-path routing. This scheme consumes less energy and requires slightly more memory than the first one. It also does not provide identity privacy, and it is unable to provide data secrecy in the presence of identity privacy.

S. Misra and G. Xue [5] proposed two schemes, the Simple Anonymity Scheme (SAS) and the Cryptographic Anonymity Scheme (CAS), for establishing anonymity in clustered WSNs. The SAS scheme uses dynamic pseudonyms instead of the true identity during communications. Each sensor node needs to store a given range of pseudonyms that are non-contiguous; therefore, the SAS scheme is not memory efficient. The CAS scheme, on the other hand, uses keyed hash functions to generate pseudonyms. This scheme is memory efficient compared to SAS, but it requires more computation power. The authors do not propose any routing scheme, so a sender node may always send packets to the destination via the shortest path. In that case, an adversary who is capable of performing hop-by-hop trace back (with the help of direction information) can find out the location of the source node.

Y. Xi et al. [1] proposed a Greedy Random Walk (GROW) scheme to protect the location of the source node. This scheme works in two phases. In the first phase, the sink node sets up a path through a random walk, with one node acting as a receptor. The source node then forwards packets towards the receptor in a random-walk manner. Once a packet reaches the receptor, the receptor forwards it to the sink.

III. WIRELESS SENSOR NETWORKS (WSNs)

Network level privacy has often been categorized into four categories:

1. Sender node identity privacy: no intermediate node can get any information about who is sending the packets, except the source, its immediate neighbors and the destination.

2. Sender node location privacy: no intermediate node can have any information about the location (in terms of physical distance or number of hops) of the sender node, except the source, its immediate neighbors and the destination.

3. Route privacy: no node can predict the information about the complete path (from source to destination). Also, a mobile adversary gets no clue to trace back the source node either


from the contents and/or directional information of the captured packet(s).

4. Data packet privacy: no node can see the information inside the payload of the data packet, except the source and the destination.

Existing privacy schemes such as [1, 3–7], which have specifically been proposed for WSNs, only provide partial network level privacy. Providing full network level privacy is a critical and challenging issue due to the constraints imposed by the sensor nodes (e.g., energy, memory and computation power), the sensor network (e.g., mobility and topology) and QoS issues (e.g., packet reachability and trustworthiness). Thus, an energy-efficient privacy solution is needed to address these issues.

In order to achieve this goal, we incorporate basic design features from related research fields such as geographic routing and cryptographic systems. To our knowledge, we propose the first full network level privacy solution for WSNs. Our contribution lies in the following features:

• A new Identity, Route and Location (IRL) privacy algorithm is proposed that ensures the anonymity of the source node's identity and location. It also assures that packets reach their destination by passing through only trusted intermediate nodes.

• A new reliable Identity, Route and Location (r-IRL) privacy algorithm is proposed, which is an extension of our proposed IRL algorithm. This algorithm has the ability to forward packets over multiple secure paths to increase packet reachability.

Fig. 1. Three sample cycle detection and prevention scenarios.

A. Network Model

A wireless sensor network (WSN) is composed of a large number of small sensor nodes that have limited resources and are densely deployed in an environment. Whenever end users require information about any event related to some object(s), they send a query to the sensor network via the base station, and the base station propagates that query to the entire network or to a specific region of it. In response to that query, sensor nodes send the required information back to the base station. A typical wireless sensor network scenario is shown in Figure 1. Links are bidirectional. Also, sensor nodes use the IEEE 802.11 standard link layer protocol, which keeps packets in its cache until the sender receives an acknowledgment (ACK). Whenever a receiver (next hop) node successfully receives the packet, it sends an ACK packet back to the sender. If the sender node does not receive an ACK packet within a predefined threshold time, then the sender node retransmits that packet. For reasons of scalability, it is assumed that no sensor node needs to know the global network topology, except that it must know the geographical location of itself, its neighboring nodes and the base station. [16]

This paper only focuses on the development of a prevention strategy against network level privacy disclosure attacks, such as eavesdropping, traffic analysis and hop-by-hop trace back attacks. Other general attacks, such as flooding attacks, could be detected and prevented by using any IDS scheme proposed for WSNs.

B. Identity, Route, and Location Privacy

Our proposed identity, route and location privacy scheme works in two phases. The first is the neighbor node state initialization phase, and the second is the routing phase.

Route Privacy: In the initialization phase, let node i have m neighboring nodes, of which t nodes are trusted. So 0 ≤ t ≤ m and M(t) = M(tF) ∪ M(tBr) ∪ M(tBl) ∪ M(tBm). Here M(tF), M(tBr), M(tBl) and M(tBm) represent the sets of trusted nodes that are in the forward, right backward, left backward, and middle backward


directions, respectively. These neighbor sets (M(tF), M(tBr), M(tBl) and M(tBm)) are initialized and updated whenever a change occurs in the neighborhood, for example the entrance of a new node or a change of a trust value.

Whenever a node needs to forward a packet, the routing phase (Algorithm 1 for the source node and Algorithm 2 for an intermediate node) of the IRL algorithm is called.

Whenever a source node (Algorithm 1) wants to forward a packet, it first checks the availability of trusted neighboring nodes in its forward direction set M(tF) (Line 2). If trusted nodes exist, it randomly selects one node as the next hop (Line 3) from the set M(tF) and forwards the packet towards it (Lines 13–21). If there is no trusted node in its forward direction, the source node checks the availability of a trusted node in the right (M(tBr)) and left (M(tBl)) backward sets. If trusted nodes are available, the source node randomly selects one node as the next hop (Line 6) from these sets and forwards the packet towards it (Lines 13–21). If no trusted node exists in these sets either, the source node randomly selects (Line 8) one trusted node from the backward middle set (M(tBm)) and forwards the packet towards it (Lines 13–21). If there are no trusted nodes available in any of the sets, the packet is dropped (Lines 9–10).

Algorithm 1 IRL - Routing at Source Node.
1: prevhop ← ∅; nexthop ← ∅;
2: if M(tF) ≠ ∅ then
3:   nexthop(k) = Rand(M(tF));
4: else
5:   if M(tBr) ∪ M(tBl) ≠ ∅ then
6:     nexthop(k) = Rand(M(tBr) ∪ M(tBl));
7:   else if M(tBm) ≠ ∅ then
8:     nexthop(k) = Rand(M(tBm));
9:   else
10:    Drop packet and Exit;
11:  end if
12: end if
13: Set prevhop = myid;
14: Form pkt p = {prevhop; nexthop; seqID; payload};
15: Create Signature and save in buffer;
16: Forward packet to nexthop;
17: Set timer Δt = (D / d_nexthop) × pt;
18: while Δt = true do
19:   Signature remains in buffer;
20: end while
21: Signature removed from buffer;

IRL scheme.

This routing strategy may result in the creation of a cycle (loop). However, due to the randomness in the selection of the next hop and the presence of the four different direction sets, the probability of creating a cycle is very low. Nevertheless, in order to fully avoid the occurrence of cycles, each node (prior to forwarding a packet) saves the signature of the packet in its buffer for a time δt, that is

δt = 2 (D / d) × pt

where D is the distance between the forwarding node and the base station, d is the distance between the forwarding node and the next hop, and pt is the propagation transfer time between the forwarding node and the next hop. This signature consists of two fields: (1) the sequence number of the packet, and (2) the payload. The potential of the signature to compare and identify the same packet is detailed in a later section. Corresponding to this signature, three more fields are also stored in the buffer: (1) the previous hop identity, (2) the next hop identity to which the packet is forwarded, and (3) a counter that tells how many times the same packet has been received by the node. This information is later used to get rid of any cycle. The size of the buffer is mainly dependent on the network traffic conditions. However, it is expected to be low because sensor nodes send data either at periodic intervals or upon the occurrence of some event.

IV. CORRELATION PROCESS

The main objective of the correlation process is to produce a succinct overview of security-related activity on the network. This process consists of a collection of components that transform intrusion detection sensor alerts into intrusion reports. Because alerts can refer to different kinds of attacks at different levels of granularity, the correlation process cannot treat all alerts equally. Instead, it is necessary to provide a set of components that focus on different aspects of the overall correlation task. The integrated correlation process that we implemented is organized as follows. The first two tasks are performed on all alerts. In the initial phase, a normalization component translates every alert that is received into a standardized format that is understood by all correlation components. This is necessary because alerts from different sensors can be encoded in different formats.

Next, a preprocessing component augments the normalized alerts so that all required alert attributes (such as start-time, end-time, source, and target of the attack) are assigned meaningful values. The next four correlation components of our framework all operate on single, or closely related, events.

The fusion component is responsible for combining alerts that represent the independent detection of the same attack instance by different intrusion detection systems. The task of the verification component is to take a single alert and determine the success of the attack that corresponds to this alert. The idea is that alerts that correspond to failed attacks should be appropriately tagged and their influence on the correlation process should be decreased. The task of the thread reconstruction component is to combine a series of alerts that refer to attacks launched by a single attacker against a single target. The attack session reconstruction component associates network-based alerts with host-based alerts that are related to the same attack. The next two components in our framework operate on alerts that involve a potentially large number of different hosts. The focus recognition component has the task of identifying hosts that are either the source or the target of a substantial number of attacks. This is used to identify denial-of-service (DoS) attacks or port scanning attempts. The multistep correlation component has the task of identifying common attack patterns such as island-hopping attacks. These patterns are composed of a sequence of individual attacks, which can occur at different points in the network.

The final components of the correlation process contextualize the alerts with respect to a specific target network. The impact analysis component determines the impact of the detected attacks on the operation of the network being monitored and on the assets that are targeted by the malicious activity. Based on this analysis, the prioritization component assigns an appropriate priority to every alert. This priority information is important for quickly discarding information that is irrelevant or of less importance to a particular site.

Alerts that are correlated by one component of our framework are used as input by the next component. However, it is not necessary that all alerts pass through the same components sequentially. Some components can operate in parallel, and it is even possible that alerts output by a sequence of components are fed back as input to a previous component of the process.

ACARM-ng (Alert Correlation, Assessment and Reaction Module - next generation) is an open source IDS/IPS system. ACARM-ng is alert correlation software which can significantly facilitate analysis of traffic in computer networks. It is responsible for the collection and correlation of alerts sent by network and host sensors, also referred to as NIDS and HIDS respectively. The correlation process aims to reduce the total number of messages that need to be viewed by a system administrator to as few as possible by merging similar events into groups representing logical pieces of malicious activity.

Architecture

ACARM-ng consists of 3 main elements: the correlation daemon, the WUI and an (optional) database engine.

ACARM-ng's daemon has been designed from scratch as a framework solution. It provides core system functionalities, like logging, alerts and correlated meta-alerts passing between system parts, error recovery, multi-threading, etc. The rest of the package are plug-ins, separated into the following classes:

• persistency (data abstraction)
• input (data gathering)
• filter (data correlation and modification)
• trigger (automatic reporting and reaction)

A built-in software watchdog provides up-to-date information on system status.

The WUI makes browsing of correlated data easy via graphical and tabular representation of gathered and correlated events. The system administrator can easily see what is going on at every moment of the system's lifetime.

Alert time series plot showing the number of incoming messages during a given time period.
The alert's page showing a sample

The WUI and the daemon interoperate through a database. The daemon stores gathered data along with the correlation results and its runtime configuration. The WUI is entitled to read and display this data. Notice that even though a database engine is not required for running the daemon, it is strongly recommended to save data persistently. Declining to use a database makes it impossible to obtain system information via the WUI and leads to a loss of historical data when the system is restarted. Events that are no longer processed by the daemon are discarded as well.

V. CONCLUSION

Previous privacy schemes provide only limited features; we now provide solutions for this by considering memory, sensor network and QoS issues. We described a multi-component correlation process and a framework that performs the correlation analysis. Our framework incorporates the most complete set of components in the correlation process. In this paper we also proposed the first full network level privacy solution, which is composed of two new identity, route and location privacy algorithms and a data privacy mechanism. Our solutions provide additional trustworthiness and reliability at a modest cost of energy and memory.
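The routing phase of Section III.B (Algorithm 1 together with the signature buffer used for cycle detection), as an added worked example written for this page rather than the authors' own implementation. Two things the page does not specify are assumed here and marked as such in the code: the four direction sets are derived from the angle between the node-to-neighbour and node-to-base-station vectors (the 90° and 150° thresholds are hypothetical), and when a buffered signature comes back within δt the node re-routes through a trusted neighbour other than the one that looped. The topology, positions and packet are constructed.

```python
"""IRL routing at the source node (Algorithm 1) plus the signature buffer
used to detect cycles.  Example code added for this page; it is not the
authors' implementation.  Assumptions not stated on the page: direction sets
come from the angle to the base station (thresholds hypothetical), and a
repeated signature within δt triggers re-routing via a different trusted hop.
"""
import math
import random

BASE = (0.0, 0.0)  # base station position (constructed)


def direction_sets(pos, neighbours, trusted, base=BASE):
    """Split trusted neighbours into M(tF), M(tBr), M(tBl), M(tBm).

    Angle is measured from the direction of the base station: within 90° is
    forward, beyond 150° is middle backward, otherwise left/right backward.
    """
    sets = {"F": [], "Br": [], "Bl": [], "Bm": []}
    base_ang = math.atan2(base[1] - pos[1], base[0] - pos[0])
    for nid, npos in neighbours.items():
        if nid not in trusted:
            continue  # untrusted neighbours are never next-hop candidates
        ang = math.atan2(npos[1] - pos[1], npos[0] - pos[0]) - base_ang
        ang = math.degrees((ang + math.pi) % (2 * math.pi) - math.pi)  # wrap to [-180, 180)
        if abs(ang) <= 90:
            sets["F"].append(nid)
        elif abs(ang) >= 150:
            sets["Bm"].append(nid)
        elif ang > 0:
            sets["Bl"].append(nid)  # counter-clockwise of the base direction: left
        else:
            sets["Br"].append(nid)
    return sets


def select_next_hop(sets, rng=random, exclude=()):
    """Algorithm 1, lines 2-12: try M(tF), then M(tBr) ∪ M(tBl), then M(tBm); else drop."""
    for group in (sets["F"], sets["Br"] + sets["Bl"], sets["Bm"]):
        candidates = [n for n in group if n not in exclude]
        if candidates:
            return rng.choice(candidates)
    return None  # line 10: no trusted neighbour in any set, packet dropped


def signature(seq_id, payload):
    """The two signature fields named on the page: sequence number and payload."""
    return (seq_id, payload)


def hold_time(D, d, pt):
    """δt = 2 (D/d) × pt: D/d approximates the hop count to the base station,
    × pt gives the one-way time, × 2 the round trip in which a loop could return."""
    return 2.0 * (D / d) * pt


class Node:
    def __init__(self, nid, pos, neighbours, trusted):
        self.nid, self.pos = nid, pos
        self.neighbours, self.trusted = neighbours, set(trusted)
        self.buffer = {}  # signature -> {"prev", "next", "count", "expires"}

    def forward(self, pkt, now, pt=1.0, rng=random):
        """Lines 13-17 of Algorithm 1.  Returns the next hop id, or None if dropped.

        pkt is a dict with the four fields of line 14: prevhop, nexthop, seqID, payload.
        """
        sig = signature(pkt["seqID"], pkt["payload"])
        entry = self.buffer.get(sig)
        if entry is not None and now >= entry["expires"]:
            entry = None  # timer elapsed (lines 18-21): treat as a fresh packet
        exclude = ()
        if entry is not None:
            entry["count"] += 1           # same packet back within δt: a cycle
            exclude = (entry["next"],)    # assumption: do not reuse the hop that looped
        sets = direction_sets(self.pos, self.neighbours, self.trusted)
        nxt = select_next_hop(sets, rng, exclude)
        if nxt is None:
            return None
        D = math.dist(self.pos, BASE)
        d = math.dist(self.pos, self.neighbours[nxt])
        self.buffer[sig] = {"prev": pkt["prevhop"], "next": nxt,
                            "count": entry["count"] if entry else 1,
                            "expires": now + hold_time(D, d, pt)}
        pkt["prevhop"], pkt["nexthop"] = self.nid, nxt
        return nxt

    def expire(self, now):
        """Lines 18-21: signatures whose timer has elapsed leave the buffer."""
        self.buffer = {s: e for s, e in self.buffer.items() if now < e["expires"]}


def demo(seed=7):
    """Constructed topology: source s at (10, 0); a, c, d trusted; b untrusted."""
    rng = random.Random(seed)
    neighbours = {"a": (8.0, 0.5), "b": (8.5, -1.5), "c": (12.0, 2.0), "d": (13.0, 0.0)}
    src = Node("s", (10.0, 0.0), neighbours, trusted={"a", "c", "d"})
    pkt = {"prevhop": None, "nexthop": None, "seqID": 1, "payload": b"temp=21"}
    first = src.forward(pkt, now=0.0, rng=rng)    # forward set holds only a
    second = src.forward(pkt, now=0.5, rng=rng)   # same packet returns: cycle, re-route
    count = src.buffer[signature(1, b"temp=21")]["count"]
    return direction_sets(src.pos, neighbours, src.trusted), first, second, count


if __name__ == "__main__":
    print(demo())
```

In the constructed run the only forward trusted neighbour is a, so the first transmission goes there; when the same signature comes back inside δt the counter becomes 2, a is excluded, and the backward right/left union yields c. Note that the signature is (seqID, payload) exactly as the page defines it, so two different packets with the same sequence number and payload would be treated as one.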

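The component chain of Section IV (normalization, preprocessing, fusion, thread reconstruction, focus recognition and impact-based prioritization), as an added example written for this page; it is not code from the paper, from Valeur et al. or from ACARM-ng. The two sensor record formats, the asset table, the field names and the thresholds are constructed and hypothetical, chosen so that the run exercises both a fused two-sensor detection and a one-source-many-targets focus.

```python
"""A minimal alert-correlation pipeline following the component chain of the
correlation process: normalize -> preprocess -> fuse -> thread reconstruction
-> focus recognition -> prioritize.  Example code added for this page; the
raw alerts, asset table and thresholds are constructed.
"""
from collections import defaultdict

# Constructed raw alerts: the network sensor and the host sensor use different field names.
RAW_ALERTS = [
    {"sensor": "nids-1", "sig": "ET EXPLOIT SMB overflow", "ts": 100, "src": "10.0.0.5", "dst": "10.0.1.20"},
    {"sensor": "hids-20", "rule": "buffer overflow attempt", "time": 101, "attacker": "10.0.0.5", "host": "10.0.1.20"},
    {"sensor": "nids-1", "sig": "ET SCAN port probe", "ts": 200, "src": "10.0.0.9", "dst": "10.0.1.1"},
    {"sensor": "nids-1", "sig": "ET SCAN port probe", "ts": 201, "src": "10.0.0.9", "dst": "10.0.1.2"},
    {"sensor": "nids-1", "sig": "ET SCAN port probe", "ts": 202, "src": "10.0.0.9", "dst": "10.0.1.3"},
    {"sensor": "nids-1", "sig": "ET SCAN port probe", "ts": 203, "src": "10.0.0.9", "dst": "10.0.1.4"},
]
ASSET_PRIORITY = {"10.0.1.20": 3}  # constructed impact table: 3 = critical server, default 1
FUSION_WINDOW = 5                  # seconds within which two sensors report one attack instance
FOCUS_THRESHOLD = 4                # distinct peers before a host counts as a focus of activity


def normalize(raw):
    """Translate each sensor's native record into the one schema all later components use."""
    if "sig" in raw:  # network sensor format
        return {"sensor": raw["sensor"], "name": raw["sig"], "start": raw["ts"], "end": None,
                "src": raw["src"], "dst": raw["dst"], "kind": "net"}
    return {"sensor": raw["sensor"], "name": raw["rule"], "start": raw["time"], "end": None,
            "src": raw["attacker"], "dst": raw["host"], "kind": "host"}


def preprocess(alert):
    """Give every required attribute a meaningful value; here a missing end-time."""
    if alert["end"] is None:
        alert["end"] = alert["start"]
    return alert


def _same_class(name1, name2):
    """Hypothetical classifier: two alert names describe the same attack if they share a keyword."""
    words = lambda s: {w for w in s.lower().split() if len(w) > 3}
    return bool(words(name1) & words(name2))


def fuse(alerts):
    """Merge independent detections of the same attack instance by different sensors."""
    fused = []
    for a in sorted(alerts, key=lambda x: x["start"]):
        for f in fused:
            if ((f["src"], f["dst"]) == (a["src"], a["dst"]) and a["sensor"] not in f["sensors"]
                    and a["start"] - f["end"] <= FUSION_WINDOW and _same_class(f["name"], a["name"])):
                f["sensors"].append(a["sensor"])
                f["end"] = max(f["end"], a["end"])
                break
        else:
            fused.append({**a, "sensors": [a["sensor"]]})
    return fused


def reconstruct_threads(fused):
    """Group alerts launched by a single attacker against a single target."""
    threads = defaultdict(list)
    for a in fused:
        threads[(a["src"], a["dst"])].append(a)
    return dict(threads)


def recognize_focus(fused):
    """One source hitting many targets (scan) or many sources on one target (DoS)."""
    by_src, by_dst = defaultdict(set), defaultdict(set)
    for a in fused:
        by_src[a["src"]].add(a["dst"])
        by_dst[a["dst"]].add(a["src"])
    meta = [{"type": "scan", "src": s, "targets": sorted(t)}
            for s, t in by_src.items() if len(t) >= FOCUS_THRESHOLD]
    meta += [{"type": "dos", "dst": d, "sources": sorted(s)}
             for d, s in by_dst.items() if len(s) >= FOCUS_THRESHOLD]
    return meta


def prioritize(fused):
    """Impact analysis plus prioritization: asset criticality, +1 when two sensors corroborate."""
    for a in fused:
        a["priority"] = ASSET_PRIORITY.get(a["dst"], 1) + (1 if len(a["sensors"]) > 1 else 0)
    return sorted(fused, key=lambda a: -a["priority"])


def correlate(raw_alerts):
    """Run the chain; each component consumes the previous component's output."""
    fused = fuse([preprocess(normalize(r)) for r in raw_alerts])
    return {"fused": prioritize(fused),
            "threads": reconstruct_threads(fused),
            "focus": recognize_focus(fused)}


if __name__ == "__main__":
    for a in correlate(RAW_ALERTS)["fused"]:
        print(a["priority"], a["name"], a["sensors"])
```

The six raw records collapse to five fused alerts: the NIDS and HIDS detections of the SMB overflow merge into one corroborated, top-priority alert against the critical host, while the four probes from 10.0.0.9 stay separate alerts but surface as a single scan meta-alert in the focus stage. The verification and multistep components are omitted, since deciding whether an attack succeeded needs target state the constructed records do not carry.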
REFERENCES

1. Xi, Y.; Schwiebert, L.; Shi, W. Preserving Source Location Privacy in Monitoring-Based Wireless Sensor Networks. In Proceedings of the Parallel and Distributed Processing Symposium (IPDPS 2006), Rhodes Island, Greece, 2006.
2. Habitat monitoring on Great Duck Island (Maine, USA), 2002. Available online: http://ucberkeley.citris- duck island (accessed on 21 August, 2009).
3. Ozturk, C.; Zhang, Y.; Trappe, W. Source-Location Privacy in Energy-Constrained Sensor Network Routing. In Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington, DC, USA, 2004; pp. 88–93.
4. Kamat, P.; Zhang, Y.; Trappe, W.; Ozturk, C. Enhancing Source-Location Privacy in Sensor Network Routing. In Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, Columbus, OH, USA, 2005; pp. 599–608.
5. Valeur, F.; Vigna, G.; Kruegel, C.; Kemmerer, R.A. A Comprehensive Approach to Intrusion Detection Alert Correlation.
6. Wood, A.D.; Fang, L.; Stankovic, J.A.; He, T. SIGF: A Family of Configurable, Secure Routing Protocols for Wireless Sensor Networks. In Proceedings of the 4th ACM Workshop on Security of Ad Hoc and Sensor Networks, Alexandria, VA, USA, 2006; pp. 35–48.


7. Ouyang, Y.; Le, Z.; Chen, G.; Ford, J.; Makedon, F. Entrapping Adversaries for Source Protection in Sensor Networks. In Proceedings of the 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM'06), Niagara-Falls, Buffalo, NY, USA, 2006; pp.
8. Zorzi, M.; Rao, R.R. Geographic Random Forwarding (GeRaF) for Ad Hoc and Sensor Networks: Multihop Performance. IEEE Trans. Mob. Comput. 2003, 2, 337–348.
9. Zorzi, M.; Rao, R.R. Geographic Random Forwarding (GeRaF) for Ad Hoc and Sensor Networks: Energy and Latency Performance. IEEE Trans. Mob. Comput. 2003, 2, 349–365.
10. Capone, A.; Pizziniaco, L.; Filippini, I.; de la Fuente, M.G. SiFT: An Efficient Method for Trajectory Based Forwarding. In Proceedings of the International Symposium on Wireless Communication Systems, Siena, Italy, 2005; pp. 135–139.
12. Blum, B.; He, T.; Son, S.; Stankovic, J. IGF: A State-Free Robust Communication Protocol for Wireless Sensor Networks; Technical Report CS-2003-11; Department of Computer Science, University of Virginia, USA, 2003.
13. Ryu, J.; Kim, S.G.; Choi, H.H.; An, S.S.; Ahn, S.Y.; Kim, B.J. Method and System for Locating Sensor Node in Sensor Network Using Transmit Power Control. U.S. Patent Application 2009/0128298 A1, 2009.
14. Barbeau, M.; Kranakis, E.; Krizanc, D.; Morin, P. Improving Distance Based Geographic Location Techniques in Sensor Networks. In Proceedings of the 3rd International Conference on Ad Hoc Networks and Wireless, Vancouver, British Columbia, 2004; pp. 197–
15. Shaikh, R.A.; Jameel, H.; d'Auriol, B.J.; Lee, H.; Lee, S.; Song, Y.-J. Achieving Network Level Privacy in Wireless Sensor Networks. Karlof, C.; Sastry, N.; Wagner, D. TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. In Proceedings of the 2nd International Conference on Embedded Networked.
16. Valeur, F.; Vigna, G.; Kruegel, C.; Kemmerer, R.A. A Comprehensive Approach to Intrusion Detection Alert Correlation. IEEE Transactions.
