کاهش هشدارهای سامانه‌های تشخیص نفوذ به کمک تعمیم ویژگی‌های حملات در حوزه داده‌کاوی چندبعدی

نوع مقاله : کامپیوتر - داده کاوی

نویسندگان

1 دانشگاه آیت ا...بروجردی

2 هیات علمی

چکیده

امروزه حجم حملات پیشرفته سایبری در حال افزایش است، لذا استفاده از سامانه­های تشخیص نفوذ در شبکه­ها امری اجتناب­ناپذیر است. یکی از مشکلات عمده در استفاده این سامانه­ها حجم زیاد هشدارهای تولیدشده سطح پایین است. در این مقاله یکی از روش‌های حوزه داده‌کاوی به نام استنتاج ویژگی محور، استفاده ‌شده است. اساس این روش تعمیم داده­های سطح پایین به مفاهیم سطح بالاست. با توسعه این راهبرد در حوزه حملات سایبری، حجم هشدارهای حسگرهای تشخیص نفوذ کاهش داده ‌شده است. این کاهش نه‌تنها باعث اختلال در شناسایی حملات نمی­شود بلکه با تمرکز بیشتر در ویژگی‌های  مشترک حملات باعث افزایش دقت در تشخیص حملات خواهد شد. همچنین یکی از پایه­های اساسی این روش، سلسله‌مراتب تعمیم است که برای ویژگی‌های مؤثر در حملات طراحی شده است. از نکات بارز دیگر این مقاله، ارائه یک روش شهودی مناسب در انتخاب ویژگی‌ها برای تعمیم است. برای ارزیابی روش پیشنهادی از مجموعه داده­ جدید CICIDS2017 استفاده شده است که کاستی‌های مجموعه داده‌های قبل خود را مرتفع نموده است. نتایج بیانگر کاهش هشدارها با نرخ 99 درصد در پایین‌ترین سطح تعمیم و میانگین 25 % در سطوح دیگر تعمیم است. در کنار ترافیک نرمال 14 نوع حمله مختلف شناسایی ‌شده است که حمله Dos Hulk با فراوانی 8.16% بیشترین فراوانی و حمله­ Heartbleed با فراوانی 0004/0% کمترین فراوانی را دارا بوده­اند. از دیگر قابلیت‌های ارائه‌شده در روش پیشنهادی، امکان عملیات پردازش تحلیلی برخط و داده­کاوی چندبعدی در فضای حملات سایبری به کمک حرکت در سطوح مختلف تعمیم است.

کلیدواژه‌ها

موضوعات


عنوان مقاله [English]

The Reduction of Intrusion Detection Systems Alerts by Generalizing Attack Features in Multidimensional Data Mining Domain

نویسندگان [English]

  • mahdi maleki 1
  • mohammad lotfi 2
1 هیات علمی
2 Faculty
چکیده [English]

The volume of advanced cyber attacks is increasing today; hence the use of intrusion detection systems in networks is inevitable. One of the major problems by using these systems are considered as the high volume of low-level alarms produced. In the present paper, one of the data mining techniques called Attribute-Oriented Induction is utilized. The basis of this approach is to generalize low-level data to high-level concepts. By the development of this strategy in the field of cyber attacks, the volume of intrusion detection alarms has been decreased. This reduction not only disrupts the detection of attacks but by more focusing on the common features of the attacks, it will increase the accuracy of detection. Moreover, one of the basic foundations of this method is a generalized hierarchy designed for effective attack features. Another highlight of this investigation is to provide an intuitive approach to selecting features for generalization. The new CICIDS2017 data set was employed to evaluate the proposed method, which overcame the shortcomings of its previous data set. In conclusion, the results show a 99% decrease in alarms at the lowest generalization level and an average of 25% at the other generalization levels. In addition to the normal traffic, 14 different attack types were identified, with the Dos Hulk attack being the most frequent with 8.16% and the Heartbleed attack having the lowest frequency 0.0004%. Other capabilities were offered in the proposed method include the possibility of online analytical processing and multidimensional data mining in cyber attack space by moving at different levels of generalization..

کلیدواژه‌ها [English]

  • Intrusion Detection System
  • Feature Generalization
  • Multidimensional Data Mining
  • OLAP
  • Multistage Attacks
[1]     Emmanouil, V.; Shankar, K.; Max, M.; Mathias, F. “Taxonomy and Survey of Collaborative Intrusion Detection”; ACM Computing Surveys (CSUR) 4, 2015.##
[2]     Min, C.; Kai, H.; Yu-Kwong, K.; Shanshan, S.; Yu, C.  “Collaborative Internet Worm Containment”; IEEE Security & Privacy 3, 2005.##
[3]     Carlos, G., C.; Sascha, H.; Max, M.; Mathias, F. “Analyzing Flow-based Anomaly Intrusion Detection using Replicator Neural Networks”; In Annual Conference on Privacy, Security and Trust (PST), 2016.##
[4]     Onwubiko, C. “Situational Awareness in Computer Network Defense: Principles, Methods and Applications “; IGI Global, 2012.##
[5]     Estan, C; Savage, S; Varghese, G. “Automatically Iinferring Patterns of Resource Consumption in Network Traffic”; In: Proceedings of the conference on applications, technologies, architectures, and protocols for computer communications (SIGCOMM), 2003.##
[6]     Locasto, M.; Parekh, J.; Keromytis, A.; Stolfo, S.  “Towards Collaborative Security and P2P Intrusion Detection”; In: Proceedings of the IEEE workshop on information assurance and security, 2005.##
[7]     Najafi, M.; Rafeh, R. “A New Light Weight Intrusion Detection Algorithm for Computer Networks”; Advanced Defence Sci. & Tech. 2016, 8, 191-200 (In Persian).##
[8]     Steffen, H.; Mathias, F. “GAC: Graph-Based Alert Correlation for the Detection of Distributed Multi-Step Attacks”; In ACM/SIGAPP Symposium On Applied Computing (SAC), 2018.##
[9]     Chenfeng, V. Z.; Christopher L.; Shanika, K. “Decentralized Multi-dimensional Alert Correlation for Collaborative Iintrusion Detection”, Volume 32, Issue 5, September 2009.##
[10]  Han, J.; Micheline, K.; Jian, P. “Data Mining Concepts and Techniques”; the Morgan Kaufmann Series in Data Management Systems, 2011.##
[11]  Beneditto, M. “Using Concept Hierarchies in Knowledge Discovery”. Lecture Notes in Computer Science, 2004.##
[12]  Han, J.;  Fu, Y. “Exploration of the Power of Attribute-Oriented Induction in Data Mining”; in U. Fayyad, G. Piatetsky-Shapiro, P. Smyth and R. Uthurusamy, eds. Advances in Knowledge Discovery and Data Mining, 399-421, 1995.##
[13]  Han, J.; Cai, Y.; Cercone, N. “Knowledge Discovery in Databases: an Attribute-oriented Approach”; In Proceedings of the 18th International Conference on Very Large Data Bases, 547-559, 1992.##
[14]  Meo, R.; Psaila, G.; Ceri, S. “An Extension to SQL for Mining Association Rules”; In Proceedings of Data Mining and Knowledge Discovery; 1998, 2,195-224.##
[15]  Muyeba, M.; Marnadapali, R. “A framework for Post-Rule Mining of Distributed Rules Bases”; In Proceeding of Intelligent Systems and Control; 2005.##
[16]  Elfeky, M.G.; Saad, A.; Fouad, S.A. “ODMQL: Object Data Mining Query Language”; In Proceedings of the International Symposium on Objects and Databases, 2000, 128-140.##
[17]  Cheung, D.W.; Hwang, H.; Fu, A.W. “Efficient Rule-Based Attribute-Oriented Induction for Data Mining”; Journal of Intelligent Information Systems, 2000, 15, 175–200.##
[18]  Cai, Y.; Cercone, N.; Han, J. “An attribute-oriented Approach for Learning Classification Rules from Relational Databases”; InProceedings. Sixth International Conference on Data Engineering IEEE, 1990, 281-288.##
[19]  WU, X.; XIE, L. “Attribute-oriented Induction and Conceptual Clustering”; Computer Engineering, Beijing, 2003, 92-99.##
[20]  Warnars, H. “Using Attribute Oriented Induction High level Emerging Pattern (AOI-HEP) to mine frequent patterns”; International Journal of Electrical and Computer Engineering (IJECE). 2016 Dec, 3037-46.##
[21]  Chenfeng, V. Z.; Christopher, L.; Shanika, K. “a Survey of Coordinated Attacks and Collaborative Intrusion Detection”; Computers & Security, 2010.##
[22]  Estan, C.; Savage, S.; Varghese, G.”Automatically Inferring Patterns of Resource Consumption in Network Traffic”; In: Proceedings of the conference on applications, technologies, architectures, and protocols for computer communications (SIGCOMM), 2003. 137–48.##
[23]  Haas, S.; Florian, W.; Mathias, F. "Efficient Attack Correlation and Identification of Attack Scenarios based on Network-Motifs." arXiv preprint arXiv: 1905.06685, 2019.##
[24]  ICS-CERT Advisories, Information about Current Security issues, Vulnerabilities, and Exploits. Available: https://www.us-cert.gov/ics/advisories, 2019.##
[25]  The National Institute of Standards and Technology (NIST) ,National Vulnerability Database, Available: https://nvd.nist.gov/vuln, 2019.##
[26]  Internet Storm Center, DShield.org. Available: http://www.dshield.orgi, 2019.##
[27]  Hu, Y.; Chiu, D.; Lui, J. “Adaptive Flow Aggregation—a New Solution for Robust Flow Monitoring under Security Attacks”; In: Proceedings of the 10th IEEE/IFIP network operations and management symposium (NOMS); 2006,  424–35.##
[28]  Taheri, R.; Parsaei, M.; Javidan, R. “Real-Time Intrusion Detection System Using a Combination of Discretization and Feature Selection”; Advanced Defence Sci. & Tech. 2017, 8, 251-263 (In Persian).##
[29]  Sharafaldin, I.; Habibi, A.; Lashkari; Ghorbani, A.  “Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization”, 4th International Conference on Information Systems Security and Privacy (ICISSP), Portugal, January 2018.##
[30]  Thomas, C.; Vishwas, S.; Balakrishnan N. "Usefulness of DARPA Aataset for Intrusion Detection System Evaluation"; Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2008. Vol. 6973. International Society for Optics and Photonics, 2008.
[31]  Cup, K. D. D. "Intrusion Detection Data Set." The UCI KDD Archive Information and Computer Science University of California, Irvine. DOI= http://kdd. ics. uci.Edu/databases/kddcup99, 1999.
[32]  Cowan, C. "Defcon Capture the Flag: Defending Vulnerable Code from Intense Attack"; Proceedings DARPA Information Survivability Conference and Exposition, IEEE, 2003, 1.
[33]  CAIDA: Center for Applied Internet Data Analysis, Available: https://www.caida.org, 2019.
[35]  McKinney, W. "Pandas: a Foundational Python Library for Data Analysis and Statistics. "Python for High Performance and Scientific Computing 14.9, 2011.
Anytree 2.7.3 Documentation, Available: https://anytree.readthedocs.io/en/latest/intro.html, 2019.