I.
INTRODUCTION
PREVIOUS WORK
define them. Wenke Lee [9] identifies the following major cost factors: damage cost and response cost.
1) Damage cost (DCost) characterizes the amount of damage done to a target resource by an attack when intrusion detection is unavailable or ineffective.
2) Response cost (RCost) is the cost of acting upon an alarm or log entry that indicates a potential intrusion.
To determine whether a response will be taken, DCost and RCost must be compared. If the damage done by the attack to resource r is less than RCost, then ignoring the attack actually reduces the overall cost. For example, let e be an intrusion incident. If RCost(e) > DCost(e), the intrusion is not responded to beyond simply logging its occurrence, and the loss is DCost(e). If RCost(e) ≤ DCost(e), then the intrusion is acted upon and the loss is limited to RCost(e). In reality, however, by the time an attack is detected and a response ensues, some damage may already have been incurred.
III.
Alert Aggregation
MIT Lincoln Lab [10] first categorizes the intrusions occurring in the dataset into U2R, DOS, R2L, and PROBE, based on their intrusion results. Then, within each of these categories, the intrusions are further partitioned by the techniques used to execute the intrusion. Intrusions of each sub-category can be further partitioned according to the attack type name, destination IP address and interval. Let S be the similarity degree of a pair of intrusion incidents, and let A, D and I be the similarity degrees of the attack type name, destination IP address and interval respectively. For every two alerts, they are defined as discussed below.
1) Attack type name

$$A = \begin{cases} 1 & \text{names are identical} \\ 0 & \text{names are not identical} \end{cases} \qquad (1)$$

2) Destination IP address
As an attacker may be able to launch attacks through spoofed source IP addresses, it is useful to be able to quantify the proximity of two destination IP addresses. D = 1 when the two destination IP addresses are identical, and D = 0 when there is no way the two addresses could be on the same subnet.

$$D = \begin{cases} 1 & \text{IP addresses are identical} \\ 0.5 & \text{IP addresses are not identical but on the same subnet} \\ 0 & \text{IP addresses are not on the same subnet} \end{cases} \qquad (2)$$
3) Interval
Supposing that the interval between two incidents is T,

$$I = \begin{cases} 1 & T \le 10\ \text{min} \\ (30 - T)/20 & 10\ \text{min} < T \le 30\ \text{min} \\ 0 & T > 30\ \text{min} \end{cases} \qquad (3)$$

In terms of (1), (2) and (3),

$$S = A + D + I \qquad (4)$$

For each of the four categories, a threshold will be defined respectively. For example, when a new alert comes from the Interface model with incident number N, it will be compared with
1) IDSs
The intrusions are captured by IDSs and then written to the database. This paper uses Snort and MySQL as supporting implementations.
2) Interface
The Interface sends the available data to the Clustering Model by reading the database whenever a new intrusion is detected.
3) Alert Aggregation
One of the main weaknesses of current IDSs is that they often generate too many identical or similar alerts for one intrusion. This leaves administrators baffled and overwhelmed when confronted with so much data. As a result, a better way to solve the above problem is to use aggregation to categorize the alerts.
4) Response Process Unit (RPU)
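The similarity score S of equations (1)-(4) together with the RCost/DCost decision rule and the Table I costs, as an added example that is not code from the paper; the alert field names, the /24 subnet size and the sample alerts are assumptions of this example.

```python
# Added example, not from the paper: alert similarity S = A + D + I
# (equations (1)-(4)) and Lee's cost-sensitive response rule [9] using
# the DCost/RCost values of Table I. Field names, the /24 subnet size and
# the sample alerts are assumptions made for this example.
import ipaddress

# Table I: (category, sub-category) -> (DCost, RCost)
COSTS = {
    ("ROOT", "local"): (100, 40), ("ROOT", "remote"): (100, 60),
    ("R2L", "single"): (50, 20), ("R2L", "multiple"): (50, 40),
    ("DOS", "crashing"): (30, 10), ("DOS", "consumption"): (30, 15),
    ("PROBE", "simple"): (2, 5), ("PROBE", "stealth"): (2, 7),
}

def name_similarity(name_a, name_b):
    """Equation (1): A = 1 if the attack type names are identical, else 0."""
    return 1.0 if name_a == name_b else 0.0

def dst_similarity(ip_a, ip_b, prefix=24):
    """Equation (2): D = 1 identical, 0.5 same subnet, 0 otherwise.
    The paper does not fix a subnet size; /24 is assumed here."""
    if ip_a == ip_b:
        return 1.0
    subnet = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return 0.5 if ipaddress.ip_address(ip_b) in subnet else 0.0

def interval_similarity(t_minutes):
    """Equation (3): I is 1 up to 10 min, decays linearly to 0 at 30 min."""
    if t_minutes <= 10:
        return 1.0
    if t_minutes <= 30:
        return (30 - t_minutes) / 20
    return 0.0

def similarity(alert_a, alert_b):
    """Equation (4): S = A + D + I, so S lies in [0, 3]."""
    return (name_similarity(alert_a["name"], alert_b["name"])
            + dst_similarity(alert_a["dst"], alert_b["dst"])
            + interval_similarity(abs(alert_a["t"] - alert_b["t"])))

def should_respond(category, sub_category):
    """Lee's rule: respond only when RCost <= DCost. Returns (respond, loss),
    where the loss is RCost if we respond and DCost if we only log."""
    dcost, rcost = COSTS[(category, sub_category)]
    respond = rcost <= dcost
    return respond, (rcost if respond else dcost)

# Constructed sample alerts; "t" is the detection time in minutes.
ALERT_1 = {"name": "WEB-MISC cmd.exe access", "dst": "192.168.1.10", "t": 0}
ALERT_2 = {"name": "WEB-MISC cmd.exe access", "dst": "192.168.1.25", "t": 20}
```

For the two constructed alerts the score is A = 1, D = 0.5 (same /24, different host) and I = 0.5 (T = 20 min), giving S = 2.0; a PROBE/simple incident is only logged because its RCost (5) exceeds its DCost (2).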
2) Assistant Information
Assistant Information contains information about the machines in the local protected networks. It not only can adjust the value of the RI, but also can provide information to the Response Process Unit in case the attacked target is unavailable as a result of the intrusion.
Alert Confidence
The confidence of an alert comes from the IDS that raised it. As the confidence increases, the value of the RI increases.
Operating System
This factor contains a list of the operating systems installed on the target, their versions, and the most recent updates. By knowing the operating system installed, the RI is able to determine whether the system is vulnerable to the attack or not.
System Vulnerability
The System Vulnerability factor lists all OS vulnerabilities published up to the minute, and identifies which vulnerability is being attempted in the attack. By identifying the relevant vulnerability, the RPU is able to estimate which action should be adopted.
System Importance
The System Importance factor indicates whether the target is a host, a server or a router, since different targets have different degrees of importance. For instance, the RI of a router is higher than that of a host, because if a router is attacked, the many hosts connected to it are also in danger.
3) Response Cost
This is another critical factor affecting the RI; this paper uses the costs given by Wenke Lee [9].
TABLE I
THE COST OF CATEGORY

Category   Sub-Category   DCost   RCost
ROOT       local          100     40
ROOT       remote         100     60
R2L        single         50      20
R2L        multiple       50      40
DOS        crashing       30      10
DOS        consumption    30      15
PROBE      simple         2       5
PROBE      stealth        2       7