Adaptive alarm filtering by causal correlation consideration in intrusion detection

Heng Sheng Lin; Hsing Kuo Pao; Ching Hao Mao; Hahn Ming Lee; Tsuhan Chen; Yuh-Jye Lee

doi:10.1007/978-3-642-00909-9_42

Adaptive alarm filtering by causal correlation consideration in intrusion detection

Heng Sheng Lin^*, Hsing Kuo Pao, Ching Hao Mao, Hahn Ming Lee, Tsuhan Chen, Yuh-Jye Lee

^*Corresponding author for this work

Department of Applied Mathematics

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

10 Scopus citations

Abstract

One of the main difficulties in most modern Intrusion Detection Systems is the problem of massive alarms generated by the systems. The alarms may either be false alarms which are wrongly classified by a sensitive model, or duplicated alarms which may be issued by various intrusion detectors or be issued at different time for the same attack. We focus on learning-based alarm filtering system. The system takes alarms as the input which may include the alarms from several intrusion detectors, or the alarms issued in different time such as for multi-step attacks. The goal is to filter those alarms with high accuracy and enough representative capability so that the number of false alarms and duplicated alarms can be reduced and the efforts from alarm analysts can be significantly saved. To achieve that, we consider the causal correlation between relevant alarms in the temporal domain to re-label the alarm either to be a false alarm, a duplicated alarm, or a representative true alarm. To be more specific, recognizing the importance of causal correlation can also help us to find novel attacks. As another feature of our system, our system can deal with the frequent changes of network environment. The framework gives the judgment of attacks adaptively. An ensemble of classifiers is adopted for the purpose. Accordingly, we propose a system mainly consisting of two components: one is for alarm filtering to reduce the number of false alarms and duplicated alarms; and one is the ensemble-based adaptive learner which is capable of adapting to environment changes through automatic tuning given the expertise feedback. Two datasets are evaluated.

Original language	English
Title of host publication	New Advances in Intelligent Decision Technologies
Subtitle of host publication	Results of the First KES International Symposium IDT 2009
Editors	Kazumi Nakamatsu, Gloria Phillips-Wren, Lakhmi Jain, Robert Howlett
Publisher	Springer Verlag
Pages	437-447
Number of pages	11
ISBN (Print)	9783642009082
DOIs	https://doi.org/10.1007/978-3-642-00909-9_42
State	Published - 7 May 2009

Publication series

Name	Studies in Computational Intelligence
Volume	199
ISSN (Print)	1860-949X

Keywords

Adaptive learning
Alarm filtering
Ensemble
False alarm
Intrusion detection

Access to Document

10.1007/978-3-642-00909-9_42

Fingerprint Dive into the research topics of 'Adaptive alarm filtering by causal correlation consideration in intrusion detection'. Together they form a unique fingerprint.

Cite this

Lin, H. S., Pao, H. K., Mao, C. H., Lee, H. M., Chen, T., & Lee, Y-J. (2009). Adaptive alarm filtering by causal correlation consideration in intrusion detection. In K. Nakamatsu, G. Phillips-Wren, L. Jain, & R. Howlett (Eds.), New Advances in Intelligent Decision Technologies: Results of the First KES International Symposium IDT 2009 (pp. 437-447). (Studies in Computational Intelligence; Vol. 199). Springer Verlag. https://doi.org/10.1007/978-3-642-00909-9_42

Lin, Heng Sheng ; Pao, Hsing Kuo ; Mao, Ching Hao ; Lee, Hahn Ming ; Chen, Tsuhan ; Lee, Yuh-Jye. / Adaptive alarm filtering by causal correlation consideration in intrusion detection. New Advances in Intelligent Decision Technologies: Results of the First KES International Symposium IDT 2009. editor / Kazumi Nakamatsu ; Gloria Phillips-Wren ; Lakhmi Jain ; Robert Howlett. Springer Verlag, 2009. pp. 437-447 (Studies in Computational Intelligence).

@inproceedings{204a036b7390426cb949ccc14b067bbc,

title = "Adaptive alarm filtering by causal correlation consideration in intrusion detection",

abstract = "One of the main difficulties in most modern Intrusion Detection Systems is the problem of massive alarms generated by the systems. The alarms may either be false alarms which are wrongly classified by a sensitive model, or duplicated alarms which may be issued by various intrusion detectors or be issued at different time for the same attack. We focus on learning-based alarm filtering system. The system takes alarms as the input which may include the alarms from several intrusion detectors, or the alarms issued in different time such as for multi-step attacks. The goal is to filter those alarms with high accuracy and enough representative capability so that the number of false alarms and duplicated alarms can be reduced and the efforts from alarm analysts can be significantly saved. To achieve that, we consider the causal correlation between relevant alarms in the temporal domain to re-label the alarm either to be a false alarm, a duplicated alarm, or a representative true alarm. To be more specific, recognizing the importance of causal correlation can also help us to find novel attacks. As another feature of our system, our system can deal with the frequent changes of network environment. The framework gives the judgment of attacks adaptively. An ensemble of classifiers is adopted for the purpose. Accordingly, we propose a system mainly consisting of two components: one is for alarm filtering to reduce the number of false alarms and duplicated alarms; and one is the ensemble-based adaptive learner which is capable of adapting to environment changes through automatic tuning given the expertise feedback. Two datasets are evaluated.",

keywords = "Adaptive learning, Alarm filtering, Ensemble, False alarm, Intrusion detection",

author = "Lin, {Heng Sheng} and Pao, {Hsing Kuo} and Mao, {Ching Hao} and Lee, {Hahn Ming} and Tsuhan Chen and Yuh-Jye Lee",

year = "2009",

month = may,

day = "7",

doi = "10.1007/978-3-642-00909-9_42",

language = "English",

isbn = "9783642009082",

series = "Studies in Computational Intelligence",

publisher = "Springer Verlag",

pages = "437--447",

editor = "Kazumi Nakamatsu and Gloria Phillips-Wren and Lakhmi Jain and Robert Howlett",

booktitle = "New Advances in Intelligent Decision Technologies",

address = "Germany",

}

Lin, HS, Pao, HK, Mao, CH, Lee, HM, Chen, T & Lee, Y-J 2009, Adaptive alarm filtering by causal correlation consideration in intrusion detection. in K Nakamatsu, G Phillips-Wren, L Jain & R Howlett (eds), New Advances in Intelligent Decision Technologies: Results of the First KES International Symposium IDT 2009. Studies in Computational Intelligence, vol. 199, Springer Verlag, pp. 437-447. https://doi.org/10.1007/978-3-642-00909-9_42

Adaptive alarm filtering by causal correlation consideration in intrusion detection. / Lin, Heng Sheng; Pao, Hsing Kuo; Mao, Ching Hao; Lee, Hahn Ming; Chen, Tsuhan; Lee, Yuh-Jye.

New Advances in Intelligent Decision Technologies: Results of the First KES International Symposium IDT 2009. ed. / Kazumi Nakamatsu; Gloria Phillips-Wren; Lakhmi Jain; Robert Howlett. Springer Verlag, 2009. p. 437-447 (Studies in Computational Intelligence; Vol. 199).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Adaptive alarm filtering by causal correlation consideration in intrusion detection

AU - Lin, Heng Sheng

AU - Pao, Hsing Kuo

AU - Mao, Ching Hao

AU - Lee, Hahn Ming

AU - Chen, Tsuhan

AU - Lee, Yuh-Jye

PY - 2009/5/7

Y1 - 2009/5/7

N2 - One of the main difficulties in most modern Intrusion Detection Systems is the problem of massive alarms generated by the systems. The alarms may either be false alarms which are wrongly classified by a sensitive model, or duplicated alarms which may be issued by various intrusion detectors or be issued at different time for the same attack. We focus on learning-based alarm filtering system. The system takes alarms as the input which may include the alarms from several intrusion detectors, or the alarms issued in different time such as for multi-step attacks. The goal is to filter those alarms with high accuracy and enough representative capability so that the number of false alarms and duplicated alarms can be reduced and the efforts from alarm analysts can be significantly saved. To achieve that, we consider the causal correlation between relevant alarms in the temporal domain to re-label the alarm either to be a false alarm, a duplicated alarm, or a representative true alarm. To be more specific, recognizing the importance of causal correlation can also help us to find novel attacks. As another feature of our system, our system can deal with the frequent changes of network environment. The framework gives the judgment of attacks adaptively. An ensemble of classifiers is adopted for the purpose. Accordingly, we propose a system mainly consisting of two components: one is for alarm filtering to reduce the number of false alarms and duplicated alarms; and one is the ensemble-based adaptive learner which is capable of adapting to environment changes through automatic tuning given the expertise feedback. Two datasets are evaluated.

AB - One of the main difficulties in most modern Intrusion Detection Systems is the problem of massive alarms generated by the systems. The alarms may either be false alarms which are wrongly classified by a sensitive model, or duplicated alarms which may be issued by various intrusion detectors or be issued at different time for the same attack. We focus on learning-based alarm filtering system. The system takes alarms as the input which may include the alarms from several intrusion detectors, or the alarms issued in different time such as for multi-step attacks. The goal is to filter those alarms with high accuracy and enough representative capability so that the number of false alarms and duplicated alarms can be reduced and the efforts from alarm analysts can be significantly saved. To achieve that, we consider the causal correlation between relevant alarms in the temporal domain to re-label the alarm either to be a false alarm, a duplicated alarm, or a representative true alarm. To be more specific, recognizing the importance of causal correlation can also help us to find novel attacks. As another feature of our system, our system can deal with the frequent changes of network environment. The framework gives the judgment of attacks adaptively. An ensemble of classifiers is adopted for the purpose. Accordingly, we propose a system mainly consisting of two components: one is for alarm filtering to reduce the number of false alarms and duplicated alarms; and one is the ensemble-based adaptive learner which is capable of adapting to environment changes through automatic tuning given the expertise feedback. Two datasets are evaluated.

KW - Adaptive learning

KW - Alarm filtering

KW - Ensemble

KW - False alarm

KW - Intrusion detection

UR - http://www.scopus.com/inward/record.url?scp=65449128886&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-00909-9_42

DO - 10.1007/978-3-642-00909-9_42

M3 - Conference contribution

AN - SCOPUS:65449128886

SN - 9783642009082

T3 - Studies in Computational Intelligence

SP - 437

EP - 447

BT - New Advances in Intelligent Decision Technologies

A2 - Nakamatsu, Kazumi

A2 - Phillips-Wren, Gloria

A2 - Jain, Lakhmi

A2 - Howlett, Robert

PB - Springer Verlag

ER -

Lin HS, Pao HK, Mao CH, Lee HM, Chen T, Lee Y-J. Adaptive alarm filtering by causal correlation consideration in intrusion detection. In Nakamatsu K, Phillips-Wren G, Jain L, Howlett R, editors, New Advances in Intelligent Decision Technologies: Results of the First KES International Symposium IDT 2009. Springer Verlag. 2009. p. 437-447. (Studies in Computational Intelligence). https://doi.org/10.1007/978-3-642-00909-9_42