Classification of False Alarms based on the Decision Tree for Improving the Performance of Intrusion Detection Systems

Korean title: 침입탐지시스템의 성능향상을 위한 결정트리 기반 오경보 분류 (Decision-Tree-Based Classification of False Alarms for Improving the Performance of Intrusion Detection Systems)

  • Moon Sun Shin (Konkuk University, Computer Systems) ;
  • Keun Ho Ryu (Chungbuk National University, School of Electrical, Electronic and Computer Engineering)
  • Published: 2007.12.15

Abstract

A network-based IDS (Intrusion Detection System) collects network packet data, classifies each connection as an attack or as normal, and raises an alarm when a possible intrusion occurs. In practice such systems emit a large volume of low-level, often incomplete alert information. This flood of incomplete alerts, mixed with false alerts, can become unmanageable and prevents both intrusion response systems and the security administrator from adequately understanding and analyzing the state of network security and from initiating an appropriate response in a timely fashion. It is therefore important for the security administrator to reduce redundant alerts, integrate and correlate security alerts, construct attack scenarios, and present high-level aggregated information. The false alarm rate is the ratio between the number of normal connections that are incorrectly classified as attacks and the total number of normal connections. In this paper we propose a false alarm classification model that reduces the false alarm rate using the classification techniques of data mining. The proposed model classifies the alarms produced by an intrusion detection system as either false alerts or true attacks. Our approach is useful for reducing false alerts and for improving the detection rate of network-based intrusion detection systems.

Korean abstract (translated): In a network-based intrusion detection system, collected packet data are analyzed to decide whether an event is an intrusion or normal behavior and an alert is raised; the volume of such alert data is growing exponentially. The security administrator must analyze and consolidate this mass of alert data in order to diagnose the network security level and to respond appropriately as events unfold over time. However, because the proportion of false alarms is so high, correlation analysis between alerts and higher-level semantic analysis are difficult, and the reliability and efficiency of the analysis suffer as a result. This paper proposes a method that minimizes the false alarm rate by applying the classification techniques of data mining. We design and implement an alert data classification model that uses a decision-tree-based classifier as the false alarm classification model, so that alerts judged to be attacks that are in fact not attacks can be reclassified as normal. Because the implemented alert classification model minimizes the false alarm rate, it can be used, through the analysis and integration of alert data, to condense alert messages and to raise the detection rate of the intrusion detection system.
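The abstract defines the false alarm rate and proposes a decision-tree classifier that labels each IDS alert as a false alert or a true attack. The following Python block is an added example written for this page, not the paper's own implementation: it builds an ID3-style decision tree (information-gain splits, the criterion C4.5 in reference 13 also starts from) over a handful of constructed Snort-like alert records, filters alerts with it, and computes the false alarm rate before and after filtering. The feature names (`sig`, `src`, `rate`), the label values, and every alert record are assumptions made for illustration; the paper trains on real Snort alerts over the DARPA 2000 data.

```python
"""Decision-tree filtering of IDS alerts into false alarms vs. true attacks.

Added example, not the paper's code.  The alert records below are
constructed for illustration.  Features are categorical, so a plain
ID3-style split on information gain is enough to show the idea.
"""
from collections import Counter
from math import log2

FALSE_ALARM, TRUE_ATTACK = "FP", "TP"

# Constructed labelled alerts: (features, label).  "src" is a coarse class of
# the source address, "rate" the burst rate of the alert.  These are NOT
# real Snort records; the labels are assumed ground truth for the example.
TRAINING_ALERTS = [
    ({"sig": "ICMP_PING", "src": "monitor", "rate": "low"}, FALSE_ALARM),
    ({"sig": "ICMP_PING", "src": "monitor", "rate": "high"}, FALSE_ALARM),
    ({"sig": "ICMP_PING", "src": "external", "rate": "high"}, TRUE_ATTACK),
    ({"sig": "ICMP_PING", "src": "external", "rate": "low"}, FALSE_ALARM),
    ({"sig": "PORTSCAN", "src": "monitor", "rate": "high"}, FALSE_ALARM),
    ({"sig": "PORTSCAN", "src": "external", "rate": "high"}, TRUE_ATTACK),
    ({"sig": "PORTSCAN", "src": "external", "rate": "low"}, TRUE_ATTACK),
    ({"sig": "SQL_INJ", "src": "external", "rate": "low"}, TRUE_ATTACK),
    ({"sig": "SQL_INJ", "src": "external", "rate": "high"}, TRUE_ATTACK),
    ({"sig": "DNS_ZONE_XFER", "src": "internal", "rate": "low"}, FALSE_ALARM),
    ({"sig": "DNS_ZONE_XFER", "src": "external", "rate": "low"}, TRUE_ATTACK),
    ({"sig": "ICMP_PING", "src": "internal", "rate": "low"}, FALSE_ALARM),
]


def entropy(labels):
    """Shannon entropy (bits) of a multiset of labels."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def information_gain(rows, attr):
    """Entropy reduction obtained by splitting rows on attr."""
    groups = {}
    for feats, lab in rows:
        groups.setdefault(feats[attr], []).append(lab)
    remainder = sum(len(g) / len(rows) * entropy(g) for g in groups.values())
    return entropy([lab for _, lab in rows]) - remainder


def majority(labels):
    """Majority label; ties resolve to TRUE_ATTACK so an uncertain alert is
    kept for the analyst rather than silently suppressed."""
    c = Counter(labels)
    return TRUE_ATTACK if c[TRUE_ATTACK] >= c[FALSE_ALARM] else FALSE_ALARM


def build_tree(rows, attrs):
    """ID3: recursively split on the attribute with the highest gain.
    A node is either a label string (leaf) or {attr, branches, default}."""
    labels = [lab for _, lab in rows]
    if len(set(labels)) == 1:
        return labels[0]
    if not attrs:
        return majority(labels)
    best = max(attrs, key=lambda a: information_gain(rows, a))
    remaining = [a for a in attrs if a != best]
    node = {"attr": best, "branches": {}, "default": majority(labels)}
    for value in sorted({feats[best] for feats, _ in rows}):
        subset = [r for r in rows if r[0][best] == value]
        node["branches"][value] = build_tree(subset, remaining)
    return node


def classify(tree, feats):
    """Walk the tree; a value never seen in training falls back to the
    node's majority label (ties favour keeping the alert)."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(feats[tree["attr"]], tree["default"])
    return tree


def false_alarm_rate(tree, alerts):
    """Share of benign (FP-labelled) alerts the filter still reports as
    attacks: the paper's FAR restricted to connections that raised alerts."""
    benign = [f for f, lab in alerts if lab == FALSE_ALARM]
    return sum(classify(tree, f) == TRUE_ATTACK for f in benign) / len(benign)


def detection_rate(tree, alerts):
    """Share of genuine attacks the filter keeps; this must not drop."""
    attacks = [f for f, lab in alerts if lab == TRUE_ATTACK]
    return sum(classify(tree, f) == TRUE_ATTACK for f in attacks) / len(attacks)


if __name__ == "__main__":
    tree = build_tree(TRAINING_ALERTS, ["sig", "src", "rate"])
    print("root split attribute:", tree["attr"])
    print("FAR before filtering: 1.0 (the IDS reports every benign alert)")
    print("FAR after filtering: ", false_alarm_rate(tree, TRAINING_ALERTS))
    print("detection rate kept: ", detection_rate(tree, TRAINING_ALERTS))
```

Two points worth checking when adapting this: the rate is computed over alerted connections only, because a post-IDS filter never sees normal connections that produced no alert, so its denominator is smaller than the abstract's; and with a training set this small the tree generalizes crudely (it learns that every alert from `src == "internal"` was benign, so an internal-sourced `SQL_INJ` alert would be suppressed), which is why the tie-breaking in `majority` deliberately favours keeping an alert and why a filter like this needs to be validated on held-out attack data before it is allowed to drop anything.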

Keywords

References

  1. D. Anderson, T. Frivold, and A. Valdes, 'Next-Generation Intrusion Detection Expert System (NIDES),' Technical Report SRI-CSL-95-07, SRI International, 1995
  2. R. G. Bace, 'Intrusion Detection,' Macmillan Technical Publishing, 2000
  3. W. Lee and S. J. Stolfo, 'Data Mining Approaches for Intrusion Detection,' In Proceedings of the 7th USENIX Security Symposium, 1998
  4. W. Lee, S. J. Stolfo, and K. W. Mok, 'Mining Audit Data to Build Intrusion Detection Models,' In Proceedings of the 4th International Conference on Knowledge Discovery and Data Mining, 1998
  5. W. Lee and S. J. Stolfo, 'A Data Mining Framework for Building Intrusion Detection Models,' Columbia University, 2001
  6. M. V. Joshi, R. C. Agarwal, and V. Kumar, 'Mining Needles in a Haystack: Classifying Rare Classes via Two-Phase Rule Induction,' ACM SIGMOD, 2001
  7. E. Bloedorn et al., 'Data Mining for Network Intrusion Detection: How to Get Started,' 2001
  8. A. Valdes and K. Skinner, 'Probabilistic Alert Correlation,' In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, pp. 54-68, 2001
  9. H. Debar and A. Wespi, 'Aggregation and Correlation of Intrusion-Detection Alerts,' In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, pp. 85-103, 2001
  10. P. Ning and Y. Cui, 'An Intrusion Alert Correlator Based on Prerequisites of Intrusions,' Technical Report TR-2002-01, Department of Computer Science, 2002
  11. F. Cuppens and A. Miege, 'Alert Correlation in a Cooperative Intrusion Detection Framework,' In Proceedings of the IEEE Symposium on Security and Privacy, 2002
  12. M. Klemettinen, 'A Knowledge Discovery Methodology for Telecommunication Network Alarm Data,' PhD thesis, University of Helsinki, 1999
  13. J. R. Quinlan, 'C4.5: Programs for Machine Learning,' Morgan Kaufmann, 1993
  14. Snort, open-source network intrusion detection system, http://www.snort.org
  15. Tcpdump/Libpcap, http://www.tcpdump.org
  16. MIT Lincoln Laboratory, DARPA 2000 Intrusion Detection Evaluation Datasets, http://ideval.ll.mit.edu
  17. C. Kruegel and T. Toth, 'Using Decision Trees to Improve Signature-Based Intrusion Detection,' In Proceedings of the International Symposium on Recent Advances in Intrusion Detection, 2003
  18. S. Staniford, J. A. Hoagland, and J. M. McAlerney, 'Practical Automated Detection of Stealthy Portscans,' In Proceedings of the ACM Computer and Communications Security IDS Workshop, 2000
  19. M. S. Shin, H. S. Moon, K. H. Ryu, J. O. Kim, and K. Y. Kim, 'Applying Data Mining Techniques to Analyze Alert Data,' APWeb'03, LNCS 2642, pp. 193-200, Springer-Verlag, 2003
  20. M. S. Shin and K. H. Ryu, 'Data Mining Methods for Alert Correlation Analysis,' IJCIS, Vol. 4, No. 4, pp. 225-234, 2003
  21. M. S. Shin and K. J. Jeong, 'Alert Data Mining Framework for Intrusion Detection System,' WISA'05, LNCS 3786, Springer-Verlag, 2005
  22. M. S. Shin, H. S. Moon, K. H. Ryu, and J. S. Jang, 'Alert Correlation Analysis in Intrusion Detection Systems Using Clustering Techniques,' KIPS Transactions: Part C, Vol. 10-C, No. 6, pp. 665-674, 2003 (in Korean)
  23. M. S. Shin, E. H. Kim, H. S. Moon, K. H. Ryu, and K. Y. Kim, 'Implementation of an Alert Analyzer Using Data Mining Techniques,' Journal of KIISE, Vol. 31, No. 1, pp. 1-12, 2004 (in Korean)