Reducing false positives in intrusion detection systems by means of frequent episodes
Lars Olav Gigstad
Intrusion Detection
–Signatures often describe the attack poorly, so they also trigger on benign traffic.
–Processing time restrictions often lead to shortcuts.
–Writing correct signatures is a difficult task.
–Signatures trigger on rare or suspicious traffic.
–Signatures trigger on low-level phenomena.
Research Questions
–Can alerts effectively be correlated with frequent episodes?
–How effective is false positive reduction?
Data Gathering
KDD Cup ’99
–5 weeks of traffic data.
–2 attack-free weeks.
Honeynet
–3 computers: Apache, FTP, SQL Server.
–Automated attacks.
System Overview
(diagram; components: IDS, Alert log, Data mining, Filter, Output, Rules, Accepted Rules)
Data Mining
Data preparation:
–Parse SNORT alert log
–Parse BRO alert log
Data mining:
–Phase 1: Frequent episodes.
–Phase 2: Remove unwanted episodes.
–Phase 3: Attribute rules.
Analysis:
–Present rules.
Data Preparation
[**] [1:1200:10] ATTACK-RESPONSES Invalid URL [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/01-15:28: :80 -> :6243
TCP TTL:63 TOS:0x0 ID:7669 IpLen:20 DgmLen:473 DF
***AP*** Seq: 0xC832EB1A Ack: 0xA Win: 0x7FE0 TcpLen: 20
[Xref => mspx]
Data Preparation
Alert attributes
–ID, the type of alert.
–Source IP.
–Destination IP.
–Source port.
–Destination port.
–TTL, time to live.
–IP (IpLen), size of IP header in bytes.
–Dgmlen, size of packet in bytes.
–Time, time of occurrence.
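The parser below is an added example, not code from the thesis; it extracts the attributes listed above from a Snort "full" alert log, one record per blank-line-separated block. The log excerpt is constructed (addresses, the seconds of the timestamps and the Xref URL are made up, following the layout of the slide's sample record); the second record is an ICMP alert, which has no ports, to show that case. Only IPv4 addresses are handled, and a truncated or malformed record is skipped rather than guessed at.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Snort full-format alert log (not real data).
SAMPLE_LOG = """\
[**] [1:1200:10] ATTACK-RESPONSES Invalid URL [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/01-15:28:41.123456 192.0.2.10:80 -> 198.51.100.7:6243
TCP TTL:63 TOS:0x0 ID:7669 IpLen:20 DgmLen:473 DF
***AP*** Seq: 0xC832EB1A Ack: 0xA Win: 0x7FE0 TcpLen: 20
[Xref => http://example.invalid/mspx]

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
03/01-15:29:02.000001 198.51.100.7 -> 192.0.2.10
ICMP TTL:128 TOS:0x0 ID:1234 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:1  ECHO
"""


@dataclass
class Alert:
    """The attributes the data-preparation step keeps from each alert."""
    id: str            # generator:sid:rev, the type of alert
    time: str          # MM/DD-HH:MM:SS.usec as written by Snort
    src: str
    dst: str
    src_port: Optional[int]   # None for protocols without ports (ICMP)
    dst_port: Optional[int]
    ttl: int
    iplen: int         # IP header length in bytes
    dgmlen: int        # datagram length in bytes


HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] .* \[\*\*\]\s*$")
ADDR_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s*$")
IP_RE = re.compile(r"^[A-Z0-9]+ TTL:(\d+) TOS:\S+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)")


def parse_snort_alerts(text):
    """Return one Alert per well-formed record in a Snort full alert log."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = next(filter(None, map(HEADER_RE.match, lines)), None)
        addr = next(filter(None, map(ADDR_RE.match, lines)), None)
        ip = next(filter(None, map(IP_RE.match, lines)), None)
        if not (header and addr and ip):
            continue  # truncated or unknown record: skip, do not guess
        alerts.append(Alert(
            id=header.group(1),
            time=addr.group(1),
            src=addr.group(2),
            src_port=int(addr.group(3)) if addr.group(3) else None,
            dst=addr.group(4),
            dst_port=int(addr.group(5)) if addr.group(5) else None,
            ttl=int(ip.group(1)),
            iplen=int(ip.group(2)),
            dgmlen=int(ip.group(3)),
        ))
    return alerts


if __name__ == "__main__":
    for alert in parse_snort_alerts(SAMPLE_LOG):
        print(alert)
```

Each Alert is the event record the later mining phases work on: the id is the event type and the remaining fields are the attributes over which attribute rules are stated.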
Frequent Episodes
Events:
–Single action
–Alarm
–System input
Sequence of events
Frequent Episodes
Episode: a collection of events.
Episode types:
–Parallel
–Serial
–Complex
(diagrams of example parallel, serial and complex episodes over the events A, B and C)
Frequent Episodes
Episode: ABC
Subepisodes: AB, AC, BC
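An added example (not the thesis's code) of phase 1: mining frequent serial episodes from an alert sequence with a sliding time window, in the style of WINEPI, and deriving rules of the form "IF prefix THEN last event" with the conf and freq values the deck reports. The alert sequence, the window width of 3 seconds and the frequency threshold are constructed. Frequency is the fraction of windows that contain the episode as an ordered subsequence; windows that only partly overlap the sequence are counted too, and alerts sharing a timestamp are ordered by their id.

```python
"""Phase 1: frequent serial episodes over an alert sequence (WINEPI-style)."""

# Constructed alert sequence: (time in seconds, Snort rule id). Not real data.
ALERTS = [
    (0, "1:1013:11"), (1, "1:1012:12"), (2, "1:1288:10"),
    (3, "1:1013:11"), (4, "1:1012:12"), (5, "1:1149:13"),
    (6, "1:1013:11"), (7, "1:1012:12"), (8, "1:1288:10"),
    (9, "1:1149:13"),
]


def windows(events, width):
    """Yield the alert ids inside every window of `width` time units that
    overlaps the sequence (start times t_first-width+1 .. t_last), so an
    alert near either end is seen by as many windows as one in the middle."""
    events = sorted(events)            # ties on time fall back to id order
    t_first, t_last = events[0][0], events[-1][0]
    for start in range(t_first - width + 1, t_last + 1):
        yield [eid for t, eid in events if start <= t < start + width]


def contains_serial(window, episode):
    """True when `episode` occurs in `window` as an ordered subsequence."""
    i = 0
    for eid in window:
        if i < len(episode) and eid == episode[i]:
            i += 1
    return i == len(episode)


def frequency(events, episode, width):
    """Fraction of windows in which the serial episode occurs."""
    wins = list(windows(events, width))
    return sum(contains_serial(w, episode) for w in wins) / len(wins)


def mine_episodes(events, width, min_freq, max_len):
    """Level-wise search: extend each frequent episode by one frequent alert
    id and keep the extensions that are still frequent."""
    ids = sorted({eid for _, eid in events})
    frequent = {}
    level = []
    for eid in ids:
        f = frequency(events, (eid,), width)
        if f >= min_freq:
            frequent[(eid,)] = f
            level.append((eid,))
    singles = [ep[0] for ep in level]
    for _ in range(2, max_len + 1):
        next_level = []
        for ep in level:
            for eid in singles:
                cand = ep + (eid,)
                f = frequency(events, cand, width)
                if f >= min_freq:
                    frequent[cand] = f
                    next_level.append(cand)
        level = next_level
    return frequent


def episode_rules(frequent):
    """Rules 'IF prefix THEN last' with conf = freq(episode) / freq(prefix);
    the prefix is always in `frequent` because candidates are extensions."""
    rules = []
    for ep, f in frequent.items():
        if len(ep) >= 2:
            rules.append((ep[:-1], ep[-1], f / frequent[ep[:-1]], f))
    return rules


def format_rule(rule):
    """Render a rule in the deck's notation."""
    prefix, last, conf, freq = rule
    body = " ".join(f"[{e}]" for e in prefix)
    return f"IF {body} THEN [{last}] conf({conf:.3f}) freq({freq:.3f})"


if __name__ == "__main__":
    freq = mine_episodes(ALERTS, width=3, min_freq=0.15, max_len=3)
    for rule in sorted(episode_rules(freq), key=lambda r: -r[2]):
        print(format_rule(rule))
```

With the constructed sequence the episode [1:1013:11] [1:1012:12] is found in 6 of the 12 windows and its extension by [1:1288:10] in 2, so the rule IF [1:1013:11] [1:1012:12] THEN [1:1288:10] gets freq 0.167 and conf 0.333. A real alert log has far more event types, so the frequency threshold and the episode-length limit are what keep the candidate space manageable.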
Attribute Rules
Intra-episode rules
–A.SourceIP = B.SourceIP
–A.DestinationIP = B.DestinationIP
Inter-episode rules
–A.DestinationPort = 80
(diagram of the episode AB)
Rules Generated
IF [1:1013:11] THEN [1:1012:12] conf(0.353) freq(0.006)

IF [1:1013:11] [1:1012:12] THEN [1:1288:10] conf(1.0) freq(0.006)
[1].src = [2].src = [3].src
[1].dst = [2].dst = [3].dst
[1].src_port = [2].src_port = [3].src_port
[1].dst_port = [2].dst_port = [3].dst_port
[1].ttl = [2].ttl = [3].ttl
[1].dgmlen = [2].dgmlen = [3].dgmlen
[1].dst_port = 80
[2].dst_port = 80
[3].dst_port = 80
[1].ttl = 64
[2].ttl = 64
[3].ttl = 64
[1].src = [2].src = [3].src =
[1].dst = [2].dst = [3].dst =

IF [1:1149:13] THEN [1:1149:13] conf(0.53) freq(0.007)
[1].src = [2].src
[1].dst = [2].dst
[1].dst_port = [2].dst_port
[1].ttl = [2].ttl
[1].dst_port = 80
[2].dst_port = 80
[1].ttl = 64
[2].ttl = 64
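An added example (not the thesis's code) of phase 3, covering both the Attribute Rules slide and the rules shown above: given the occurrences of the serial episode [1:1013:11] [1:1012:12] [1:1288:10], it derives the equality rules between episode positions and the constant rules, prints them in the deck's notation, and then applies them the way the filter stage would, accepting an alert group only if it satisfies every rule. The occurrences, the addresses and the reduced attribute set are constructed; an attribute whose values are elided on the slide is handled like any other.

```python
"""Phase 3: attribute rules for a frequent episode, and applying them as a filter."""

ATTRS = ("src", "dst", "src_port", "dst_port", "ttl", "dgmlen")


def alert(src, dst, src_port, dst_port, ttl, dgmlen):
    return dict(src=src, dst=dst, src_port=src_port,
                dst_port=dst_port, ttl=ttl, dgmlen=dgmlen)


def occurrence(src, src_port, dgmlen):
    """One occurrence of the 3-event episode: three alerts on the same flow
    (constructed; the web server 10.0.0.80 and the clients are made up)."""
    return tuple(alert(src, "10.0.0.80", src_port, 80, 64, dgmlen)
                 for _ in range(3))


# Constructed occurrences: same flow within each, different clients across.
OCCURRENCES = [
    occurrence("10.0.0.5", 40001, 473),
    occurrence("10.0.0.7", 40002, 520),
    occurrence("10.0.0.9", 40003, 473),
]


def equality_rules(occs):
    """(attr, i, j): positions i and j agree on attr in every occurrence."""
    n = len(occs[0])
    rules = []
    for attr in ATTRS:
        for i in range(n):
            for j in range(i + 1, n):
                if all(o[i][attr] == o[j][attr] for o in occs):
                    rules.append((attr, i, j))
    return rules


def constant_rules(occs):
    """(attr, i, value): position i has the same attr value in every occurrence."""
    n = len(occs[0])
    rules = []
    for attr in ATTRS:
        for i in range(n):
            values = {o[i][attr] for o in occs}
            if len(values) == 1:
                rules.append((attr, i, values.pop()))
    return rules


def matches(eq_rules, const_rules, occ):
    """True when an alert group satisfies every rule, i.e. the filter would
    treat it as an instance of the accepted (benign) pattern."""
    return (all(occ[i][a] == occ[j][a] for a, i, j in eq_rules)
            and all(occ[i][a] == v for a, i, v in const_rules))


def format_rules(eq_rules, const_rules):
    """Render rules with 1-based positions, as on the Rules Generated slide."""
    lines = [f"[{i + 1}].{a} = [{j + 1}].{a}" for a, i, j in eq_rules]
    lines += [f"[{i + 1}].{a} = {v}" for a, i, v in const_rules]
    return lines


if __name__ == "__main__":
    eq, const = equality_rules(OCCURRENCES), constant_rules(OCCURRENCES)
    print("IF [1:1013:11] [1:1012:12] THEN [1:1288:10]")
    print("\n".join(format_rules(eq, const)))
```

The source address gets an equality rule (the three alerts of one occurrence always share it) but no constant rule, because it differs between occurrences; the destination, destination port and TTL get both. A group that matches the episode but breaks a rule, for example a second alert from a different source, is not filtered, which is what keeps the filter from hiding a genuinely different event behind a known-benign pattern.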
Results
(chart of results for Week 1 and Week 4)
Questions?