Abstract
Over the past decades, more and more network security devices, such as IDSs, firewalls and scanners, have been deployed in networks. As a result, a large volume of superfluous alerts is generated, and those alerts do not share a unified format. How to organize and utilize those alerts to enhance network security has become a hot research topic. A network-warning system, which can correlate alerts and predict future attacks, appears to be one promising solution to this problem. In this paper, an intelligent network-warning model with strong survivability is introduced, which consists of many intelligent agents, and a prototype is implemented based on the model. We propose a self-adaptive data-processing algorithm for classifying and reducing alerts automatically, and design a strong-survivability structure. The intelligence of the self-adaptive algorithm depends on machine learning. In the prototype we adopt three methods (C5.0, Neural Net and CART) to construct the self-adaptive algorithm, and choose the method that best fits the algorithm, which is CART. The prototype can not only reduce and classify the original alert data from different network security devices, but also correlate alerts and generate intrusion scenario graphs. The equality of all agents makes the model strongly survivable. Furthermore, the model can predict potential attacks based on scenario graphs and track the attack sources.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yang, B., Hu, H., Duan, X., Jin, S. (2007). An Intelligent Network-Warning Model with Strong Survivability. In: Bao, F., Ling, S., Okamoto, T., Wang, H., Xing, C. (eds) Cryptology and Network Security. CANS 2007. Lecture Notes in Computer Science, vol 4856. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-76969-9_9
DOI: https://doi.org/10.1007/978-3-540-76969-9_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-76968-2
Online ISBN: 978-3-540-76969-9