Prioritizing Intrusion Analysis Using Dempster-Shafer Theory
| Content Provider | Semantic Scholar |
|---|---|
| Author | Zomlot, Loai; Sundaramurthy, Sathya Chandran |
| Copyright Year | 2011 |
| Abstract | Intrusion analysis, i.e. the process of combing through IDS alerts and audit logs to identify true successful and attempted attacks, remains a difficult problem in practical network security defense. The major root cause of this problem is the large rate of false positives in the sensors used by IDS systems to detect malicious activities. This work presents an approach to handling such uncertainty through the Dempster-Shafer (DS) theory that uses a generalization of probabilities called beliefs to characterize confidence in evidence in support of a given hypothesis. We address a number of practical but fundamental issues in applying DS to intrusion analysis, including how to model sensors' trustworthiness, where to obtain such parameters, and how to address the lack of independence among alerts. We present an efficient algorithm for computing a belief score for a given hypothesis, e.g. a specific machine is compromised. The belief strength can be used to prioritize further analysis by a human analyst of the hypotheses and the associated evidence. We have implemented our approach for the open-source IDS system Snort and evaluated its effectiveness on a number of data sets as well as a production network. The verification of belief scores showed that it can be effective in taming the high false positive rate problem in intrusion analysis. |
| File Format | PDF, HTM / HTML |
| Alternate Webpage(s) | http://people.cis.ksu.edu/~sathya/papers/oakland11Poster.pdf |
| Alternate Webpage(s) | http://www.ieee-security.org/TC/SP2011/posters/Prioritizing_Intrusion_Analysis_Using_Dempster-Shafer_Theory.pdf |
| Alternate Webpage(s) | http://people.cs.ksu.edu/~sathya/papers/oakland11Poster.pdf |
| Language | English |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Article |

I. INTRODUCTION

Intrusion analysis is the process of examining real-time events such as IDS alerts and audit logs to identify and confirm successful attacks and attack attempts into computer systems. The IDS sensors that we have to rely on for this purpose often suffer from a large false positive rate. It then becomes the responsibility of a human monitoring the IDS system to distinguish the true alarms from the enormous number of false ones. How to deal with the prevalence of false positives is the primary challenge in making IDS sensors useful, as pointed out by Axelsson [1] more than 10 years ago.

Due to the lack of effective techniques to handle the false-positive problem, it has become a common practice to altogether disable IDS signatures that tend to trigger a large amount of false positives. Turning off IDS signatures is like turning a blind eye to attack possibilities, which we believe is a dilemma due to the lack of effective techniques to prioritize investigating intrusions from the large amount of IDS alerts and audit logs. There have been past attempts [9, 10] at prioritizing IDS alerts based on their trustworthiness – Bayesian analysis [5] has been the standard and there have been some approaches using alternative theories such as Dempster-Shafer theory [7]. However, a number of fundamental issues in applying these mathematical theories to intrusion analysis remain to be addressed. For Bayesian analysis, it seems difficult to establish adequate priors or determine the probability parameters in a robust manner. For Dempster-Shafer theory, it is not clear how to model sensor quality, where to obtain such parameters, and how to handle non-independent sources of evidence. Our investigation reveals that Dempster-Shafer theory has its unique advantages in handling uncertainty in intrusion analysis, namely, the lack of need for specifying prior probabilities of all events and the ability to combine beliefs from multiple sources of evidence [2, 3, 9]. In this work we present an extended Dempster-Shafer model that addresses the fundamental issues in applying DS in intrusion analysis. We have implemented our method on top of an existing IDS alert correlation tool, so that one can calculate a numeric confidence score for each derived hypothesis and prioritize the results based on the scores.

II. BACKGROUND ON DEMPSTER-SHAFER THEORY

A common example to illustrate the difference between probability theory and Dempster-Shafer theory is that if we toss a coin with an unknown bias, probability will still assign 50% for Head and 50% for Tail by the principle of indifference. Dempster-Shafer theory, on the other hand, handles this by assigning 0% belief to {Head} and {Tail} and assigning 100% belief to the set {Head, Tail}, meaning "either Head or Tail". More generally, the DS approach allows for three kinds of answers: Yes, No, or Don't know; the last option of allowing ignorance makes a big difference in evidential reasoning [4]. In DS theory, a set of disjoint hypotheses of interest, e.g., {attack, no-attack}, is called a frame of discernment. The basic probability assignment (bpa function) distributes the belief over the power set of the frame of discernment and is defined as:

$$m_\theta : 2^\theta \to [0, 1] \qquad (1)$$

Definition 1. Let $\theta$ be a frame of discernment and $m_\theta$ a bpa function. The belief function is defined as: for x ⊆ θ, Bel(x) = ∑