Enhanced framework for alert processing using clustering approach based on artificial immune system


Bibliographic Details
Main Author: Mohamed, Ashara Banu
Format: Thesis
Language: English
Published: 2015
Online Access:http://eprints.utm.my/id/eprint/54892/1/AsharaBanuMohamedPFC2015.pdf
Description
Summary: The Intrusion Detection System (IDS) is an industry-driven technology that monitors the network infrastructure of an organization for malicious intent. Although IDS technology has advanced tremendously, one of the main issues that remains since its beginning is the huge volume of attack alerts that has to be processed immediately on a daily basis. To manage these alerts effectively, data reduction and alert correlation techniques have to be applied concurrently. Therefore, this research proposes a framework named the Intelligent Alert Processing Framework (IAPF) that incorporates both techniques, as an Alert Reduction Module (ARM) and an Alert Correlation Module (ACM), to produce an integrated result. The ARM consists of a new clustering algorithm inspired by the Artificial Immune System (AIS) approach, specifically the Clonal Selection principle, while the ACM is based on a pattern recognition approach. The new clustering algorithm introduces a one-to-one clustering method that first creates clusters based on a perfect matching criterion and then calculates the vulnerability level of each cluster. Clusters with a vulnerability level of 0 are filtered out, while the remaining clusters proceed to the ACM for attack scenario formulation and estimation of the probability of a successful attack scenario. The IAPF was successfully evaluated using a standard simulated dataset and a real-time dataset from PRISMA (Pemantauan Rangkaian ICT Sektor Awam). The experimental results indicate that the ARM achieved accurate clustering output, with zero cluster error within an average processing time of 6.36 seconds, and attained an alert reduction rate of 95.34%. Meanwhile, the ACM detected all possible attack scenarios based on the predefined patterns. The proposed framework reduced the number of alerts, created attack scenarios and simultaneously produced a vulnerability level for each cluster and the correlated probability of a successful attack scenario.