Intrusion Detection: Eliminating False Alarms

Similar documents
An Alarm Correlation Algorithm for Network Management Based on Root Cause Analysis

Identification of Aberrant Railroad Wayside WILD and THD Detectors: Using Industry-wide Railroad Data. June 10, 2014

Intrusion Detection System: Facts, Challenges and Futures. By Gina Tjhai 13 th March 2007 Network Research Group

Applied Data Science: Using Machine Learning for Alarm Verification

Kimberly Rollins, Professor, Department of Economics, University of Nevada, Reno

To appear in the IEEE/IFIP 1996 Network Operations and Management. Symposium (NOMS'96), Kyoto, Japan, April TASA: Telecommunication

Monitor Alarms and Events

Rt 29 Solutions Hydraulic Planning Advisory Panel. September 14, 2017

2018 thesimple, Inc.

Continuous Commissioning: A Valuable Partner to Retrofit Projects

MASTER PLAN KICK-OFF Open House #1A, April 28, 2015

New Westminster Downtown Parking Strategy Public Open House #1 September 13, 2012

Residential Structure Match or Lighter Ignited Fires

STATION RISK PROFILE 2018 EWYAS HAROLD

Monitor Alarms and Events

Index. Premises Information 2 About This Log Book 3 Service and Maintenance Requirements 4 8. Fire Risk Assessments 9

Artificial Intelligence Enables a Network Revolution

Managing Network Alarms and Events

FCD-wire Contents. List of Figures

Sivu 2/8 Rate data Description Suomi Shut off times total 0.0 h/day Weekends with shut off times yes Daytime rate of heat pump Time for daytime rate 5

Chapter 1 Introduction

Microirrigation of Young Blueberries in Florida 1

2010 Fire Log Fire Log. Annual Fire Safety Report

Analogue to Digital Telecare. Technical Advisory Board. 21 st June 2017 Work Stream 3 Procurement

4/8/2015 Item #10D Page 1

A New Plan For The Calgary Region June calgary.ca call 3-1-1

Acknowledgement: Ralph Prahl, Prahl & Associates, contributed critical review and analysis

Better Buildings By Design 2013 Building the Renewable Energy Ready Home Solar Thermal Lessons Learned and Results

edmonton.ca/ribbonofgreen #ribbonofgreen

Southeast Extension to RidgeGate Parkway Scoping Booklet

COMMUNITY OPEN HOUSE. March 28, 2012

Westinghouse UK AP1000 GENERIC DESIGN ASSESSMENT Resolution Plan for GI-AP1000-IH-01 Internal Fire Safety Case Substantiation.

SOUTHEND CARELINE ANNUAL REPORT

Topic: Alarm Reduction and Correlation in IDS

PAY-TV DIRECT INSTALL OF TRUE NILM. NEEA EULR Working Group Meeting

Dehumidification: Energy Efficiency Comparisons

Planning Guide EnviroAlert Monitoring Systems

Equipment ATA 12 April 2016

Rt 29 Solutions Hydraulic Planning Advisory Panel. September 28, 2017

The Effects of Woody Vegetation on Levees

USER S INFORMATION MANUAL

Flood Monitoring and Early Warning System Using Ultrasonic Sensor

Getting Started with Live Exceptions

Fisher Slough Tidal Marsh Restoration Project Scaling Down the Restoration Planning & Analysis Framework to Evaluate Project Alternatives

Person Detection Techniques for an Internet of Things(IoT)-Based Emergency Evacuation System

Historic Yonge Street HCD Plan Community Consultation October 14, 2015

Biosolids Dewatering, Monitoring, and Disposal Programs

Assessment of Domestic Evacuated Tube. Direct Solar Water Heater

Customer Feedback Summary

Certification Report of the ST 3000 Pressure Transmitter with HART 6

Force Protection Joint Experiment (FPJE) Battlefield Anti-Intrusion System (BAIS) Sensors Data Analysis and Filtering Metrics

Moving to the Cloud: The Potential of Hosted Central Station Services

Streets, Connectivity & Built Environment Working Group August 2, 2017

The quest for acid-tolerant lucerne

Boulder County Comprehensive Drilling Plan Surface Owner Meeting. Thursday, Oct. 19, 2017

STATION RISK PROFILE 2018 BROMYARD

SIMS Discover and SIMS FFT Estimates. Chris Sherwood

LAKE JOHANNA FIRE DEPARTMENT

URBAN DESIGN LONDON TRAINING PROGRAMME UDL are pleased to present our programme for April 2013 to March 2014.

HARDWIRED CONTROL PANELS

Smart Combiners Installation Guide. For Obvius A89DC-08 sensor modules

Customer Feedback Summary

Generation gap: How baby boomers and millennials stack up in their perceived and actual electricity use. Report. March 2019 BCH19-217

INEEL (1500) [45] 5.6 C 217 mm 60. Precipitation (mm) Temperature (oc) Month

TOWN OF NEW CASTLE - Master Plan Update

Heat Consumption Assessment of the Domestic Hot Water Systems in the Apartment Buildings

Oracle Real Application Clusters (RAC) 12c Release 2 What s Next?

Hot Water a Hot Commodity Better Buildings by Design, February 2012 Burlington, VT

Presented by: Theuns van der Linde

Emerging Technology Program

Security Alarm System

Fire Risks of Loviisa NPP During Shutdown States

STRIPEYFISH. Utilities for VMware Series. sfvalarms User Guide

Boulder County Comprehensive Drilling Plan Surface Owner Meeting. Thursday, Nov. 2, 2017

Food Control Plans or National Programmes Cold Hold Records 2019

Town of Oakville Streetscape Strategy

Lowe's Companies Inc (LOW) - Financial and Strategic SWOT Analysis Review

STATION RISK PROFILE 2018 MALVERN

Thermal equalization is the obvious answer to the situation. But, how is "thermal equalization" achieved?

Abstract. Cuvinte cheie: caisa, radacina, profil de sol Keywords: apricot, root, cavity. 1. Introduction

Strategies for Summer Utility Savings. Residential Environmental Program Series May 15, 2013

Alarm Management Plan

GOODY CLANCY WITH KITTELSON & ASSOCIATES RHODESIDE & HARWELL FARR ASSOCIATES W-ZHA

Mechanical System Redesign. Dedicated Outdoor Air System. Design Criteria

Regional Open Space Conservation Plan. Regional Staff Committee January 18, 2018

Port of San Diego Sea Level Rise Ad Hoc Committee Meeting 1 of 3.. September 18, 2018

Batt-Safe Battery String Monitoring System

South Lyon Fire Department 2012 Annual Report

Functional Safety: the Next Edition of IEC 61511

COST REDUCTION BY REPLACING STEAM WITH COKE OVEN GAS FOR HOT AIR DRYER UNIT IN THE ELECTROLYTE CLEANING LINE

WHEAT DEVELOPMENT AND GROWTH

ArchestrA Direct Connect

The investigation of accidents and incidents in complex railway tunnel systems

environmental factors, population occupancy on fire incidents a case study of South-West Division of Delhi, India

CHART PERUVIAN TECHNICAL STANDARDS

Copyright 2003 IBACOS, Inc. All rights reserved.

Unified Development Code (UDC) Revision

Tri-County Transportation & Land Use Study. Steering Committee Meeting May 14, 2009

Itron Water Loss Management Solutions. Advanced Digital Leak Detection Overview Session

Auburn University Basketball Arena:

Transcription:

Intrusion Detection: Eliminating False Alarms MAFTIA Final Review Andreas Wespi 18/19 February 2003 Newcastle

Overview! MAFTIA and Intrusion Detection! Eliminating False Alarms! Demonstrator of an Intrusion-Tolerant IDS 2

MAFTIA and Intrusion Detection 3

Objectives! We are interested in finding solutions to the well-known problem of the high rate of false positive and false negative alarms generated by current IDSs. Intrusion Detection " MAFTIA! These false alarms can also be due to attacks against the IDSs themselves, therefore the need to design IDSs which are intrusiontolerant. MAFTIA " Intrusion Detection 4

Three main contributions by WP3! False negatives! Method to increase detection coverage by effectively combining IDSs based on a taxonomy, a framework and a tool for analyzing the strengths and weaknesses of IDSs (D3, D10)! False positives! Method and tool to discard false alarms by mining alarm clusters (D10)! Attacks against the IDS itself! Methods and techniques to make an IDS intrusion-tolerant by taking advantage of, among others, techniques developed within other MAFTIA work packages (D10, D13) 5

Links to other work packages! Vision: Intrusion detection is a large scale distributed application! The ultimate goal, a distributed intrusion-tolerant IDS, requires components developed by other MAFTIA work packages, especially WP2 and WP4! WP3 focuses on the ID issues, a prerequisite to ensure certain assumptions made within other work packages! WP1 provides the underlying foundations for the taxonomy we have developed to assess the detection capabilities of IDSs 6

MAFTIA and Intrusion Detection service service user user System security officer (SSO) service insecurity signal intruder alert external sensor internal sensor event reports error reports a posteriori error detection masking intrusion-tolerance API error detection recovery detection/recovery intrusion-tolerance event analysis fault diagnosis (inc. intrusions, attacks and vulnerabilities) fault isolation (inc. intrusions, attacks and vulnerabilities) system reconfiguration component or (sub-)system service Error processing insecurity signal Fault treatment security administration (sub-)system (from possible lower level) 7

Eliminating False Alarms Klaus Julisch 8

Problem statement! Intrusion-detection systems (IDSs)! monitor and analyze network traffic or event logs,! trigger alarms when signs of attacks occur, and! have an operator evaluate and respond to alarms. Sample alarm 10.11.34.2 3319 123 10.11.1.1 80 13:45 http://..cgi? Source-IP Src-Port Alarm-id Dst-IP Dst-Port Time Context! Practical problems of IDSs include:! 1000s of alarms per day and false alarm rates above 95%;! Corollaries:! Manually finding the true attacks is expensive & error prone.! Tools are needed that automate alarm evaluation! 9

A similar problem statement How to find a needle in a haystack? 10

Our approach! Idea: Learn from the past to master the future.! Mine patterns from historical IDS alarms.! Understand why patterns occurred (i.e. identify alarm root causes).! Act to reduce the future alarm load (e.g. fix, block, filter,...). Alarm warehouse Data mining Note 1: Patterns are assumed to be persistent. Internet IDS Fix root causes / install filtering or correlation rules Interpret patterns / gain insights Patterns 1.A.B*C 2.UV.W.*R 3.U*N*U Patterns Note 2: Mining is off-lineand uses historical alarms! 11

Comparison to the classic" alarm handling approach IDS alarms Alarm correlation alarm groups Operator Alarm correlation tries to group alarms that pertain to the same phenomenon.! Alarm correlation versus mining of actionable knowledge! Real-time (& resource constraint) versus off-line.! Reconstructing attack scenarios versus finding persistent and mostly benign patterns.! Generic versus custom-made (i.e. site- & IDS specific). 12

Data mining technique requirements! To be of value in our framework, a prospective data mining (DM) technique should be:! Scalable to up to several millions of alarms.! Noise tolerant (alarms can come "out of the blue").! Multi attribute type (categorical, numerical, time, string,...).! Easy to use for non-dm experts.! Yielding interpretable & relevant patterns.! Key question: Which DM techniques qualify?! We investigate the suitability of episode rules and conceptual clustering. 13

Episode rules! Episode rules predict the occurrence of certain alarms based on the occurrence of other alarms: <A1,..., Ak> <Ak+1,..., An> [supp, conf, window-width]! Useful episode rules we found:! Attack tools, IDS idiosyncrasies, system administration tasks! Problems encountered:! Abundance of episode rules generated.! Difficulty to interpret episode rules.! Weak predictiveness, alarm reduction of only about 1 %.! Conclusion: Episode rules do not solve our problem. 14

Conceptual clustering! Clustering organizes a data set into groups of similar objects.! In conceptual clustering, objects are similar iff they possess a "simple" intentional description in some language (e.g. predicate calculus).! Example cluster: Name Sex Age Job Bob male 41 chemist Jim male 57 physicist Chuck male 44 astronomer Ted male 52 chemist Advantages: Understandability and support for categorical attributes. Intentional description: {x (x is male) (x is over 40) (x is scientist)} 15

Attribute-Oriented Induction (AOI)! Attribute-Oriented Induction (AOI)! summarizes relational database tables! by repetitively replacing attribute values by more abstract ones,! which are taken from user-defined generalization hierarchies. Original table Src-IP Dest-IP Count ip1 ip3 1 ip1 ip4 1 ip2 ip4 1 My-IPs Any-IP... After generalization step Src-IP Dest-IP Count ip1 DNS 1 ip1 DNS 1 ip2 DNS 1 WWW DNS ip1 ip2 ip3 ip4 16

Attribute-Oriented Induction (AOI)! Merge identical tuples and update their counts: After generalization step Src-IP Dest-IP Count ip1 DNS 1 ip1 DNS 1 ip2 DNS 1 After merging Src-IP Dest-IP Count ip1 DNS 2 ip2 DNS 1! AOI terminates when each attribute assumes at most di distinct values.! The di, i=1,..., n, are user-provided.! Example: Be dsrc-ip = ddest-ip = 1 then terminate after generalizing Src-IP. Final result: (WWW, DNS, 3) WWW My-IPs Any-IP... DNS ip1 ip2 ip3 ip4 17

Algorithm Input : Alarm table T, Hierarchies H[i]; Output: Alarm clusters represented by generalized alarms; 1. for all alarms a in T do a.c := 1; // Init counts 2. while table T is not abstract enough do { 3. Select an alarm attribute A[i]; 4. for all alarms a in T do // Generalize A[i] 5. a.a[i] := parent of a.a[i] in H[i]; 6. while identical alarms a, a exist do // Merge 7. Set a.c := a.c + a.c and delete a from T; 8. } 18

Applying AOI to IDS alarms! Problem: IDS alarms are skewed and noisy, which leads to overgeneralization! Typical IDS alarm log Src-IP Dest-IP Count ip1 ip4 1000 ip1 ipa1 1 ip1 ipb1 1......... ip1 ipz1 1 } } main signal 26 noise alarms WWW ip1 My-IPs ip2 Any-IP DNS ip3 ip4 External-IPs Net-A ipa1... Net-Z ipz1... Dest-IP is generalized twice if ddest-ip < 27: ip1 My-IPs 1000 ip1 External-IPs 26 Over-generalized! 19

Modifications to classic AOI! Modification 1:! Abandon the di thresholds for the number of different attribute values.! Introduce min_size N, and generalize until a cluster C has a count bigger than min_size (i.e. C.count > min_size).! Modification 2:! Remove clusters of a size larger than min_size and! reset the remaining alarms (i.e. undo all generalization steps).! Modification 3:! Use heuristics to select a suitable attribute for generalization. 20

Sample result of modified AOI Concepts like "External-IPs" come from the hierarchies! Cluster of size 50573 alarms: Alarm Name: SrcIP/SrcPort: DstIP/DstPort: Context: Time Structure: IIS View ASP Source Attack External-IPs / Non-Privileged 10.8.17.* / 80 Get /cgi/s?action=...www%2euva%2e... weekdays 21

Experimental evaluation! All experiments use real-world data.! Experimental setup:! Choose an IDS X and month m.! Cluster the alarms that IDS X triggered in month m.! Interpret the clusters obtained.! Manually derive filtering rules for the alarms in the clusters.! Evaluate the filtering rules on the alarms of IDS X in month m+1.! Measure the alarm load reduction.! Two sets of experiments:! Fixed month, varying IDS.! Fixed IDS, varying month. 22

Alarm load reduction per IDS in December 2001 Alarm Load Reduction [%] 100 90 80 70 60 50 40 30 20 10 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 IDS 23

Alarm load reduction over the year 2001 for IDS 8 Alarm Load Reduction [%] 100 90 80 70 60 50 40 30 20 10 0 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Month Temporary networking problem! 24

Summary! Problem: IDSs tend to generate a flood of mostly false alarms.! Suggested solution: Mine, understand, act.! Episode rules: Expensive to use, minor alarm reduction.! Conceptual clustering: Well-suited in our framework.! More abstractly, we have shown that:! IDS alarms have a pronounced and persistent structure.! Data mining can be used to reveal this structure.! Knowledge of this structure is actionable, i.e., can be used to handle future alarms more efficiently. 25

Dissemination! Publications at RAID 2000/2001, ACSAC 2001, ACM CCS 2001, KDD 2002! Technology deployed by IBM's Managed Security Services organization! In plan for next release of IBM Tivoli Risk Manager 26

27

2024 © homedocbox.com Privacy Policy | Terms of Service | Feedback