983

continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections. Ref [10] observes that typical Synflood attacks can vary several parameters: the number of SYN packets per source address sent in a batch, the delay between successive batches, and the mode of source address allocation. Ref [11] notes that in some cases the system may exhaust memory, crash, or be rendered otherwise inoperative.

3. Data Correlation Methods

All the devices, whether aimed at prevention or detection, generate huge volumes of audit data. Firewalls and other devices logging network connection information are especially guilty of producing vast oceans of data. Many diverse data formats and representations are used for those log files and audit trails. Also, a percentage of the events generated by network IDS and IPS are false alarms that do not map to real threats. A further confusing issue is that different devices might report on the same things happening on the network, but in a different way, with no apparent way of figuring out the truth of their relationship. There is a definite need for a consistent analysis framework to identify various threats, prioritize them and learn their impact on the target system.

Correlation is defined as relationships between entities; however, a good intrusion-detection-specific definition is lacking. From a security point of view, event correlation may be defined as improving the threat identification and assessment process by looking not only at individual events, but also at their sets.

Chuvakin in [12] asserts that security-specific correlation can be loosely categorized as rule-based or statistical (algorithmic). A rule-based correlation engine has some pre-existing knowledge of the attack (the rule), and it is able to define in precise terms what is actually detected, based on that. Such attack knowledge is used to relate events and analyze them together in a common context. Statistical correlation does not employ any pre-existing knowledge of the malicious activity, but instead relies upon the knowledge (and recognition) of normal activities, which has been accumulated over time. Ongoing events are then rated by a built-in algorithm and may also be compared to the accumulated activity patterns, to distinguish normal from abnormal (suspicious) behavior. This distinction among correlation types is somewhat similar to signature vs. anomaly IDS.

In this paper, we propose another data correlation method that calculates the correlation value between security parameters with statistical analysis of an attack behavior. In fact, we combine both statistical and rule-based methods. This method of data correlation processes the gathered statistical samples of security parameters from attack sessions during a training phase. In addition to pre-existing knowledge, this method uses statistical correlation to obtain correlation values for security parameters in attack behavior. We call this method Statistical Rule-based Correlation (SRC); it calculates the correlation value between parameters in attack sessions using statistical methods. A security parameter may vary in different observations, and we can find the correlation value between two parameters from different pairs of observations. Calculating the correlation value between such parameters gives us the magnitude of the relation between them.

In random samples of a statistical population, n observations of the variables X and Y are represented by (X_i, Y_i) pairs, for i = 1, 2, …, n. These pairs have the same bivariate distribution and different pairs are independent of each other. A linear relation between X and Y creates points scattered around the straight regression line. We use the Pearson correlation coefficient to determine the value of correlation between two parameters:

$$r = \frac{\sum_{i=1}^{n} (X_i - \bar{X})(Y_i - \bar{Y})}{\sqrt{\sum_{i=1}^{n} (X_i - \bar{X})^2 \sum_{i=1}^{n} (Y_i - \bar{Y})^2}} \qquad (1)$$

in which a (X_i, Y_i) pair is an observation of the random variables X and Y, and \bar{X}, \bar{Y} are the mean values of X and Y respectively. r takes a value in [-1, 1]: r = 1 means that all points (X_i, Y_i) lie on a straight line with positive slope, and r = -1 means that all points (X_i, Y_i) lie on a straight line with negative slope. As r moves from either of these two values toward zero, the degree of correlation decreases, and at zero there is no (linear) correlation.

3.1. Correlation Hypothesis Test

The required solution for a problem might be simplified into a choice between two competing hypotheses, i.e., the null hypothesis, denoted by H0, against the alternative hypothesis, denoted by H1. The null hypothesis, H0, is a statement of a theory that has been put forward, either because it is believed to be true or because it is to be used as a basis for argument, but has not been
proved. The alternative hypothesis, H1, is a statement of what a statistical hypothesis test is set up to establish.

We consider H0 as the null hypothesis about the correlation coefficient r over all samples. Note that r is a random variable. We define H0 and H1 as:

$$H_0: \rho = \rho_0 = 0 \qquad (2)$$

$$H_1: \rho \neq \rho_0 \qquad (3)$$

where ρ is the correlation coefficient of the entire population, calculated by:

$$\rho = \mathrm{Corr}(X, Y) = \frac{\mathrm{Cov}(X, Y)}{\sigma_X \sigma_Y} \qquad (4)$$

Rejection of the null hypothesis suggests that the alternative hypothesis may be true and that r is valid. We use a Confidence Value (CV) for rejecting H0: if the P-value (a statistic; for details see [13]) is less than (1 − CV), H0 is rejected with confidence value CV.

4. Correlation Relation Graph (CRG)

4.1. Correlation Relation

Selecting the optimum security parameters from the several available parameters is one of the major problems of intrusion detection systems. An expert who selects these parameters for the intrusion detection engine and gives them to the system analyzer faces some challenges. One of them is determining which parameters present more effective statistical information to a system analyzer.

We examined security parameters that are correlated such that the value of their correlation coefficient is more than a threshold level introduced by an expert. Hence, parameters that do not satisfy this condition are not considered for examination.

Ref [14] introduces a set of DoS attack traffic that is used for intrusion detection evaluation. We selected only ten percent of all Neptune sessions of the KDD Cup99 dataset for our statistical analysis. Each session of the KDD Cup99 dataset, either attack or normal, is described by the 41 introduced security parameters. We calculated the correlation coefficient between these parameters, and finally introduced some of them as optimum parameters for intrusion detection.

Parameters that have the required correlation value and participate in a CRG are the effective security parameters in our intrusion detection system. The first step in constructing a CRG is to create the correlation matrix of the security parameters. Each entry of this matrix is the correlation coefficient between two parameters, calculated using (1), and its validity is examined by the hypothesis test. For example, CRG_{i×j} represents the correlation value between parameters i and j, where the former parameter is in the i-th row and the latter one is in the j-th column.

We selected the entries that are greater than our defined threshold. Since the correlation coefficient is a value in [-1, 1] and 0 ≤ |r| ≤ 1, we intuitively considered 0.5 as the appropriate threshold on |r|. It should be noted that the sign of r only shows the direction of the correlation.

4.2. CRG Construction Algorithm

A CRG is a graph for modeling a set of parameters that form an equivalence class under the correlation relation. In fact, this graph is just a way to illustrate the correlated parameters and to analyze the correlation relations. There are other ways to select correlated parameters, such as factor analysis and statistical clustering methods. The CRG just helps the analyzer to get a graphical view of the correlated parameters and their relations. In this section we explain the CRG construction algorithm, which selects the correlated parameters of each behavior. The related parameters have the three properties of an equivalence relation, i.e.:

• Reflexive
• Symmetric
• Transitive

The CRG construction algorithm is defined as follows:

1. Each member is a CRG.
2. To add a new member to a CRG, the two conditions below should be satisfied:
   a) The correlation coefficient of the new member with every previous member of the equivalence set should be greater than the threshold value.
   b) The null hypothesis (H0: ρ = 0) should be rejected for every correlation coefficient of the CRG.

When a new parameter is added to an equivalence class, it satisfies all of the above-mentioned properties. Note that each variable is correlated with itself; hence all of the security parameters satisfy the reflexive property. It is clear from the definition that the correlation relation is a symmetric relation between two parameters. It remains to show that a CRG has the third property needed to be an equivalence class. As each new member must be correlated with all of the previous
members of an equivalence class, the third property is also satisfied.

Note that condition "b" is not strictly necessary for values that are greater than the threshold, as H0 is rejected for high values (with large samples, H0 is rejected for any such value). In practice, we used this condition for members that have a suitable correlation with all the other parameters except one. In this case, if H0 was rejected but there was a justification from an expert analyzer's point of view, the member could be added to the CRG. If a new member has a weak correlation with at least one of the CRG members, we cannot join it to the CRG, because that would violate the equivalence class.
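As an added worked example (not code from the paper), the SRC steps of sections 3 to 4.2 run end to end on a small constructed sample: equation (1) for r, a test of H0: ρ = 0 at confidence value CV, the correlation matrix, and the greedy CRG construction with threshold 0.5 on |r|. Assumptions: the twelve sessions and the five KDD-style parameter names are synthetic values made up here, not KDD Cup99 records; the hypothesis test uses the Fisher z-transform with a normal approximation, since the paper does not name its test statistic; a constant parameter (zero variance, such as a protocol field that is always TCP) is given r = 0 so that it can never join a CRG.

```python
"""Statistical Rule-based Correlation: Pearson r, H0 test, correlation matrix, CRG construction."""
import math
from itertools import combinations

# Constructed sample of 12 attack sessions over five KDD-style parameters.
# The values are synthetic, chosen only to show the method; they are not KDD Cup99 records.
SESSIONS = {
    "count":         [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12],
    "srv_count":     [3, 3, 7, 7, 11, 11, 15, 15, 19, 19, 23, 23],   # ~2*count with noise
    "same_srv_rate": [(13 - i) / 13 for i in range(1, 13)],          # exactly anti-correlated
    "duration":      [5, 1, 5, 1, 5, 1, 5, 1, 5, 1, 5, 1],           # unrelated to count
    "protocol_type": [6] * 12,                                       # constant: TCP everywhere
}


def pearson_r(xs, ys):
    """Equation (1): sample Pearson correlation coefficient r in [-1, 1].
    A constant parameter has zero variance; we define r = 0 for it
    (assumption: such a parameter carries no correlation information)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def p_value_rho_zero(r, n):
    """Two-sided p-value for H0: rho = 0 against H1: rho != 0.
    Assumption: Fisher z-transform with a normal approximation,
    z = atanh(r) * sqrt(n - 3); the paper does not specify its statistic."""
    if n < 4:
        return 1.0
    if abs(r) >= 1.0 - 1e-12:          # points exactly on a line: reject with certainty
        return 0.0
    z = math.atanh(r) * math.sqrt(n - 3)
    return math.erfc(abs(z) / math.sqrt(2))   # = 2 * (1 - Phi(|z|))


def correlation_matrix(sessions):
    """CRG[i][j]: correlation value between parameter i (row) and parameter j (column)."""
    names = list(sessions)
    return {a: {b: pearson_r(sessions[a], sessions[b]) for b in names} for a in names}


def build_crgs(sessions, threshold=0.5, cv=0.95):
    """CRG construction: every parameter starts as its own CRG; a parameter joins an
    existing CRG only if |r| > threshold with every member (condition a) and H0 is
    rejected for each of those pairs at confidence cv (condition b). Greedy: the first
    class that accepts the parameter wins, so each parameter ends up in exactly one."""
    n = len(next(iter(sessions.values())))
    corr = correlation_matrix(sessions)
    crgs = []
    for name in sessions:
        for crg in crgs:
            if all(abs(corr[name][m]) > threshold
                   and p_value_rho_zero(corr[name][m], n) < (1 - cv)
                   for m in crg):
                crg.add(name)
                break
        else:
            crgs.append({name})
    return [frozenset(c) for c in crgs]


def crg_links(crg, corr):
    """The links of a CRG: every pair of members with its correlation value."""
    return {(a, b): corr[a][b] for a, b in combinations(sorted(crg), 2)}


if __name__ == "__main__":
    corr = correlation_matrix(SESSIONS)
    for crg in build_crgs(SESSIONS):
        print(sorted(crg), crg_links(crg, corr))
```

On this sample the algorithm yields one 3-node CRG {count, srv_count, same_srv_rate}, while duration (|r| < 0.15 with every other parameter, p > 0.05) and the constant protocol_type remain singleton CRGs. The sign of r is ignored when comparing with the threshold, matching the paper's remark that the sign only gives the direction.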
another CRG there are 28 regression equations and confidence intervals.

[Figure 4. CRG of 11 Parameters in Normal Sessions]

[Table 2. Correlation Matrix of Parameters in Normal Traffic]

We examined KDD sessions to evaluate the operation of this method. We used 107201 sessions for the statistical analysis, which resulted in two CRGs such as the CRGs presented in the previous sections. First, we examined 494021 KDD sessions (10 percent of all) with only the 3-node CRG. Then these sessions were evaluated with the 8-node CRG, and finally we used both CRGs to detect SynFlood attacks. Table III shows the results of this approach on these 494021 sessions.

We also examined the complete KDD file, which has 4898431 sessions. Table IV shows the results of evaluating all of the sessions with three sets: 3N.CRG, 8N.CRG, and both of them.
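The detection stage evaluated above, as an added example that is not the authors' code: for each link of a CRG, fit the regression equation on attack training sessions, derive a confidence distance from the training residuals, and report a session as Synflood only when every link of the CRG lies within its distance; a protocol check discards non-TCP sessions before they can raise a false alarm. Assumptions: the six training sessions and five labelled test sessions are synthetic; the CRG members count, srv_count and serror_rate are chosen for illustration; the confidence distance is taken as three sample standard deviations of the residuals, since the paper only says it is formulated from the errors of the pairs.

```python
"""Detection stage of the CRG method: per-link regression equations, a residual-based
confidence distance, and a deviation check on new sessions (added example)."""
import math
from itertools import combinations

# Constructed training sample: six Synflood-like sessions restricted to one CRG.
# The values are synthetic, made up for this example; they are not KDD Cup99 records.
ATTACK_TRAIN = [
    {"count": 100, "srv_count": 81,  "serror_rate": 0.99},
    {"count": 200, "srv_count": 159, "serror_rate": 1.00},
    {"count": 300, "srv_count": 241, "serror_rate": 0.98},
    {"count": 400, "srv_count": 319, "serror_rate": 1.00},
    {"count": 500, "srv_count": 401, "serror_rate": 0.99},
    {"count": 600, "srv_count": 479, "serror_rate": 1.00},
]
CRG = ("count", "srv_count", "serror_rate")   # assumed members of one CRG

# Constructed, labelled test sessions: a tiny stand-in for the KDD evaluation set.
TEST_SESSIONS = [
    ({"protocol_type": "tcp",  "count": 250, "srv_count": 200, "serror_rate": 0.99}, "attack"),
    ({"protocol_type": "tcp",  "count": 450, "srv_count": 360, "serror_rate": 1.00}, "attack"),
    ({"protocol_type": "tcp",  "count": 250, "srv_count": 120, "serror_rate": 0.00}, "normal"),
    ({"protocol_type": "tcp",  "count": 250, "srv_count": 200, "serror_rate": 0.00}, "normal"),
    ({"protocol_type": "icmp", "count": 250, "srv_count": 200, "serror_rate": 0.99}, "normal"),
]


def fit_link(sessions, x, y, k=3.0):
    """Least-squares line y = a + b*x for one CRG link, plus the confidence distance
    d = k * s, where s is the sample standard deviation of the training residuals.
    (Assumption: the paper only says the distance is formulated from the errors.)"""
    xs = [s[x] for s in sessions]
    ys = [s[y] for s in sessions]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((u - mx) ** 2 for u in xs)
    if sxx == 0:
        raise ValueError(f"parameter {x} is constant; no regression line exists")
    sxy = sum((u - mx) * (v - my) for u, v in zip(xs, ys))
    b = sxy / sxx
    a = my - b * mx
    resid = [v - (a + b * u) for u, v in zip(xs, ys)]
    s = math.sqrt(sum(r * r for r in resid) / (n - 1))
    return {"x": x, "y": y, "a": a, "b": b, "d": k * s}


def train_crg(sessions, crg):
    """One regression equation per link, i.e. per pair of CRG members
    (an 8-node CRG gives 28 links, as in the paper's evaluation)."""
    return [fit_link(sessions, x, y) for x, y in combinations(crg, 2)]


def deviation(link, session):
    """Distance of the session's (x, y) pair from the link's regression line."""
    return abs(session[link["y"]] - (link["a"] + link["b"] * session[link["x"]]))


def is_synflood(session, links):
    """Report an attack only when every link lies within its confidence distance.
    Sessions that are not TCP are never reported: the "protocol" check the paper
    suggests for suppressing false alarms from, e.g., ICMP sessions."""
    if session.get("protocol_type", "tcp") != "tcp":
        return False
    return all(deviation(link, session) <= link["d"] for link in links)


def detection_counts(labelled, links):
    """(detected attacks, false alarms) over labelled sessions, as in Tables III/IV."""
    detected = sum(1 for s, lab in labelled if lab == "attack" and is_synflood(s, links))
    false_alarms = sum(1 for s, lab in labelled if lab == "normal" and is_synflood(s, links))
    return detected, false_alarms


if __name__ == "__main__":
    links = train_crg(ATTACK_TRAIN, CRG)
    for link in links:
        print(f"{link['y']} = {link['a']:.4f} + {link['b']:.5f} * {link['x']}, d = {link['d']:.4f}")
    print("detected, false alarms:", detection_counts(TEST_SESSIONS, links))
```

The fourth test session shows why the all-links rule matters: its (count, srv_count) pair sits on the attack regression line, but its serror_rate deviates far outside the confidence distance of the other two links, so it is not reported. The confidence distance is what widens when a CRG's links are weak, which is the mechanism behind the higher false-alarm rate the 3-node CRG shows in the paper's tables.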
alerts [2][3]. These systems only determine the relation and correlation between alerts generated by IDS sensors, and they need to be monitored by an expert. In these systems a new method of attack cannot be detected, because detection depends on the alerts generated by the IDSs. We introduced a method that depends on statistical reports, so that any change in the attack method is detected. We used the correlation coefficient to select effective parameters that have a suitable correlation and can create CRGs. We intuitively considered 0.5 as the appropriate threshold. For lower values we would have CRGs with more nodes and weaker links, which can increase false alarms.

Then we calculated a regression equation for each link. Each regression equation has a confidence distance that is formulated from the errors of each pair with respect to its regression equation. Finally, we detected Synflood attack sessions by calculating the deviation of each pair from its regression equation. Note that if the attacker changes his way of attack, these CRGs will change and our IDS works with the new CRGs.

The results show that not all CRGs are useful for the detection engine. The first CRG, which has only 3 nodes and whose links are not strong, gives more false alarms because its regression equations have greater confidence intervals, and some normal sessions fall in its region. The second CRG shows better results because it has more nodes and they have full correlation. If we use both CRGs, the detection rate decreases a little, but false alarms also decrease.

Our IDS only looks at correlated parameters and never examines non-correlated parameters. For example, Synflood attacks use the TCP protocol, and one of the 41 parameters of the KDD dataset is "protocol". If this parameter existed in the CRGs formed for the Synflood attack, it would be examined. If an ICMP session matches one of these CRGs, the IDS might report an attack session, which increases the false alarms. But we could check its "protocol" parameter and ignore it. We can reduce false positives by looking at specific parameters of each alarm.

In fact, our IDS does not need an expert to select security parameters, although expert-defined parameters may be useful for detection. Thus we have proposed an unsupervised method to select effective parameters. This system can work without any expert network analyzer, so it can be adapted to any new attack behavior. For each new unknown attack, we only need to select the correlated parameters and their regression relations.

There are two main stages in using our data-correlation-based IDS. The first stage requires a relatively long time to analyze a behavior to find useful parameters and their correlation relations. This stage can be performed every day or week (depending on the attacks and their modification rates). The second stage requires a short time to compare each event and its parameters with the regression relations. This is the main operation in the detection engine. In fact, the former operation, which requires a long time, never decreases the detection speed, as the analyzer can run it in an off-line mode. If the CRGs of a behavior changed in the time between two operations of the former type, the analyzer would just update the regression relations.

Please also notice that we have not made any claim about the speed-up of this method compared with other methods. Rather, we have proposed an approach that helps in reducing the number of parameters involved in intrusion detection and helps in automating the selection of effective parameters.

8. References

[1] Christopher Kruegel, Fredrik Valeur, Giovanni Vigna, Intrusion Detection and Correlation: Challenges and Solutions, Springer (2005)

[2] T. Chyssler, S. Nadjm-Tehrani, "Alarm Reduction and Correlation in Defence of IP Networks", Proceedings of the 13th International Workshops on Enabling Technologies (WETICE04), IEEE Computer Society, June (2004), pp. 229-234

[3] T. Chyssler, S. Burschka, "Alarm Reduction and Correlation in Intrusion Detection Systems", Proceedings of the Detection of Intrusions and Malware & Vulnerability Assessment workshop (DIMVA), Gesellschaft für Informatik, June (2004), pp. 9-24

[4] U. Zurutuza and R. Uribeetxeberria, "Intrusion Detection Alarm Correlation: A Survey", Proceedings of the IADAT International Conference on Telecommunications and Computer Networks, 1-3 December, 2004

[5] P. Ning, Y. Cui, and D. S. Reeves, "Constructing attack scenarios through correlation of intrusion alerts", Proceedings of the 9th ACM Conference on Computer & Communications Security, pages 245-254, Nov. 2002.

[6] D. Xu, P. Ning, "Alert Correlation through Triggering Events and Common Resources", 20th Annual Computer Security Applications Conference, December 2004

[7] Valdés, A., and Skinner, K., "Probabilistic Alert Correlation", Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID), Springer-Verlag, California, USA, 2001, pp. 54-68

[8] Carl Endorf, Eugene Schultz, Jim Mellander, Intrusion Detection & Prevention, McGraw-Hill, (2004)
[9] Amin Hassanzadeh, Babak Sadeghian, "Anomaly Intrusion Detection with Data Correlation Relation Graph", Proceedings of the 11th International CSI Computer Conference (CSICC 2006), Tehran, Iran, Jan. 24-26, 2006 [In Persian]

[10] Christopher L. Schuba, Ivan V. Krsul, et al., "Analysis of a denial of service attack on TCP", IEEE Computer Society Press, May (2000)

[11] J. W. Haines, R. P. Lippmann, et al., "1999 DARPA Intrusion Detection Evaluation: Design and Procedures", Technical Report 1062, Lincoln Laboratory, MIT, 26 February (2001)

[12] Anton Chuvakin, "Event Correlation in Security", whitepaper, www.securitydocs.com, May (2004)

[13] T. T. Soong, Fundamentals of Probability and Statistics for Engineers, John Wiley and Sons Ltd, (2004)

[14] http://kdd.ics.uci.edu/databases/kddcup99/task.html