Using Vulnerability to Reduce False Positive Rate in Intrusion Detection Systems

Intrusion Detection Systems (IDSs) are an essential tool in network
security infrastructure. However, IDSs have a serious problem: they
generate a massive number of alerts, most of which are false positives
that can hide true alerts and confuse the analyst trying to identify the
right alerts for reporting the true attacks. The purpose of this paper is
to present a formal model for a correlation engine that reduces false
positive alerts based on vulnerability contextual information. For that,
we propose a formal model based on the non-monotonic description logic
JClassicδε, augmented with a default (δ) and an exception (ε) operator,
which allows dynamic inference according to contextual information.
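The idea of a default conclusion that contextual exceptions can override is easier to see in code. The following Python example is added here and is not the paper's model or implementation: it encodes the default (an alert whose signature is tied to a vulnerability is a true positive) and three exception rules drawn from vulnerability context (the vulnerability is patched on the target, the targeted service is not exposed, or the scanner does not report the vulnerability). The host inventory, alert records, rule names and the `CVE-PLACEHOLDER-*` identifiers are all constructed for illustration. The `with_patch` helper shows the non-monotonic behaviour: adding context later retracts a conclusion that previously held.

```python
"""Vulnerability-aware false-positive reduction with default / exception rules.

Added example (not from the paper). Alerts, host contexts and CVE ids below
are constructed placeholders.
"""
from dataclasses import dataclass, field
import copy


@dataclass(frozen=True)
class Alert:
    alert_id: str
    signature: str      # IDS signature name (constructed)
    cve: str            # vulnerability the signature is tied to (placeholder id)
    dst_host: str
    dst_service: str


@dataclass
class HostContext:
    """Context for one host, as a vulnerability scanner or CMDB would provide it."""
    host: str
    services: set = field(default_factory=set)       # exposed services
    vulnerable_to: set = field(default_factory=set)  # CVE ids reported by the scanner
    patched: set = field(default_factory=set)        # CVE ids known to be remediated


# ---- exception (ε) rules: each returns a reason string if the exception applies ----
def exc_vuln_patched(alert, ctx):
    if alert.cve in ctx.patched:
        return f"{alert.cve} is recorded as patched on {ctx.host}"
    return None


def exc_service_absent(alert, ctx):
    if alert.dst_service not in ctx.services:
        return f"service {alert.dst_service} is not exposed by {ctx.host}"
    return None


def exc_not_vulnerable(alert, ctx):
    if alert.cve not in ctx.vulnerable_to:
        return f"scanner does not report {alert.cve} on {ctx.host}"
    return None


EXCEPTIONS = [exc_vuln_patched, exc_service_absent, exc_not_vulnerable]


def classify(alert, inventory):
    """Default (δ): an alert tied to a vulnerability is a true positive.
    The first applicable exception (ε) overrides the default."""
    ctx = inventory.get(alert.dst_host)
    if ctx is None:
        # No context to contradict the default, so the default conclusion stands.
        return ("true_positive", "default holds: no context known for target host")
    for rule in EXCEPTIONS:
        reason = rule(alert, ctx)
        if reason:
            return ("false_positive", reason)
    return ("true_positive", f"default holds: {ctx.host} is vulnerable to {alert.cve}")


def reduce_alerts(alerts, inventory):
    """Map each alert id to its (verdict, reason) pair."""
    return {a.alert_id: classify(a, inventory) for a in alerts}


def with_patch(inventory, host, cve):
    """Return a copy of the inventory in which cve is marked patched on host.
    Re-classifying against the copy shows the non-monotonic retraction."""
    inv = copy.deepcopy(inventory)
    ctx = inv.setdefault(host, HostContext(host=host))
    ctx.patched.add(cve)
    ctx.vulnerable_to.discard(cve)
    return inv


# Constructed inventory and alert feed (hosts, services and CVE ids are placeholders).
INVENTORY = {
    "10.0.0.5": HostContext("10.0.0.5", services={"ssh", "http"},
                            vulnerable_to={"CVE-PLACEHOLDER-1"}),
    "10.0.0.7": HostContext("10.0.0.7", services={"http"},
                            patched={"CVE-PLACEHOLDER-2"}),
}

ALERTS = [
    Alert("A1", "SSH exploit attempt", "CVE-PLACEHOLDER-1", "10.0.0.5", "ssh"),
    Alert("A2", "HTTP exploit attempt", "CVE-PLACEHOLDER-2", "10.0.0.7", "http"),
    Alert("A3", "SMB exploit attempt", "CVE-PLACEHOLDER-3", "10.0.0.7", "smb"),
    Alert("A4", "SSH exploit attempt", "CVE-PLACEHOLDER-1", "10.0.0.9", "ssh"),
]

if __name__ == "__main__":
    for aid, (verdict, reason) in reduce_alerts(ALERTS, INVENTORY).items():
        print(aid, verdict, "-", reason)
```

Running the block keeps A1 (target is vulnerable) and A4 (no context, so the default is not contradicted) and suppresses A2 and A3 with a stated reason; after `with_patch(INVENTORY, "10.0.0.5", "CVE-PLACEHOLDER-1")`, A1 is reclassified as a false positive, which is the dynamic inference the abstract describes. Keeping the reason string attached to each verdict matters in practice: a suppressed alert should remain auditable, not silently dropped.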
