A Comprehensive Semi-Suprvised Model for Collaborative Intrusion Detection Based on Network Behavior Profiling Using The Concept of Deep Learning and Fuzzy Correlation of Alerts along

Document Type : Original Article

Authors

1 Assistant Professor, University of Science and Technology, Tehran, Iran

2 Associate Professor, University of Science and Technology, Tehran, Iran

3 PhD Student, Department of Information Technology Management, Faculty of Management and Economics, Islamic Azad University, Science and Research Branch, Tehran, Iran

4 Assistant Professor, Islamic Azad University, Karaj Branch, Karaj, Iran

Abstract

Today, intrusion detection systems are extremely important in securing computers and computer networks. Correlated systems are next to intrusion detection systems by analyzing and combining the alarms received from them, appropriate reports for review and producing security measures. One of the problems face intrusion detection systems is generating a large volume of false alarms, so one of the most important issues in correlated systems is to check the alerts received by the intrusion detection system to distinguish true-positive alarms from false-positive alarms. The main focus of this research is on the applied optimization of classification methods to reduce the cost of organizations and security expert time in alert checking. The proposed Incrimental Intrusion Detetection Model using Correlator (IIDMC) is tested on a valid test dataset and the results show the efficiency of the proposed model and consequently its high accuracy.

Keywords


[1]   H.-J. Liao, C.-H. R. Lin, Y.-C. Lin, and K.-Y. Tung, “Intrusion detection system: A comprehensive review,” Journal of Network and Computer Applications, vol. 36, no. 1, Art. no. 1, 2013.##
[2]   B. Morin and H. Debar, “Correlation of Intrusion Symptoms: An Application of Chronicles,” in Recent Advances in Intrusion Detection, Berlin, Heidelberg, 2003, pp. 94 112, doi: 10.1007/978-3-540-45248-5_6.##
[3]  A. A. Ghorbani, W. Lu, and M. Tavallaee, Network Intrusion Detection and Prevention: Concepts and Techniques. Springer Science & Business Media, 2010.##
[4]   C. V. Zhou, C. Leckie, and S. Karunasekera, “A survey of coordinated attacks and collaborative intrusion detection,” Computers & Security, vol. 29, no. 1, pp. 124–140, Feb. 2010, doi: 10.1016/j.cose.2009.06.008.##
[5]   Y. Bai and H. Kobayashi, “Intrusion Detection Systems: technology and development,” in 17th International Conference on Advanced Information Networking and Applications, 2003. AINA 2003., Mar. 2003, pp. 710–715, doi: 10.1109/AINA.2003.1192972.##
[6]   A. S. Sodiya, H. O. D. Longe, and A. T. Akinwale, “A new two‐ tiered strategy to intrusion detection,” Information Management & Computer Security, vol. 12, no. 1, Art. no. 1, Jan. 2004, doi: 10.1108/09685220410518810.##
[7]   S. Duque and Mohd. N. bin Omar, “Using Data Mining Algorithms for Developing a Model for Intrusion Detection System (IDS),” Procedia Computer Science, vol. 61, pp. 46– 51, Jan. 2015, doi: 10.1016/j.procs.2015.09.145.##
[8]   N. K. Kanakarajan and K. Muniasamy, “Improving the Accuracy of Intrusion Detection Using GAR-Forest with Feature Selection,” in Proceedings of the 4th International Conference on Frontiers in Intelligent Computing: Theory and Applications (FICTA) 2015, New Delhi, 2016, pp. 539–547, doi: 10.1007/978-81-322-2695-6_45.##
[9] J. A. Khan and N. Jain, “A survey on intrusion detection systems and classification techniques,” Int. J. Sci. Res. Sci., Eng. Technol., vol. 2, no. 5, pp. 202–208, 2016.##
[10] D. Gupta, S. Singhal, S. Malik, and A. Singh, “Network intrusion detection system using various data mining techniques,” in 2016 International Conference on Research Advances in Integrated Navigation Systems (RAINS), May 2016, pp. 1–6, doi: 10.1109/RAINS.2016.7764418.##
[11] W.-Y. Yu and H.-M. Lee, “An incremental-learning method for supervised anomaly detection by cascading service classifier and ITI decision tree methods,” in Pacific-Asia Workshop on Intelligence and Security Informatics, 2009, pp. 155–160.##
[12] Y. Yi, J. Wu, and W. Xu, “Incremental SVM based on reserved set for network intrusion detection,” Expert Systems with Applications, vol. 38, no. 6, pp. 7698–7707, 2011.##
[13] K. K. Gupta, B. Nath, and R. Kotagiri, “Layered Approach Using Conditional Random Fields for Intrusion Detection,” IEEE Transactions on Dependable and Secure Computing, vol. 7, no. 1, pp. 35–49, Jan. 2010, doi: 10.1109/TDSC.2008.20.##
[14] R. Sadoddin and A. A. Ghorbani, “An incremental frequent structure mining framework for real-time alert correlation,” Computers & Security, vol. 28, no. 3, pp. 153–173, 2010, doi: 10.1016/j.cose.2008.11.010.##
[15] G. P. Spathoulas and S. K. Katsikas, “Reducing false positives in intrusion detection systems,” Computers & Security, vol. 29, no. 1, pp. 35–44, Feb. 2010, doi: 10.1016/j.cose.2009.07.008.##
[16] B. Zhu and A. A. Ghorbani, “Alert correlation for extracting attack strategies,” IJ Network Security, vol. 3, no. 3, pp. 244– 258, 2006.##
[17] P. Ning, Y. Cui, and D. S. Reeves, “Constructing attack scenarios through correlation of intrusion alerts,” in Proceedings of the 9th ACM conference on Computer and communications security, Washington, DC, USA, Nov. 2002, pp. 245–254, doi: 10.1145/586110.586144.##
[18] P. Ning, Y. Cui, D. S. Reeves, and D. Xu, “Techniques and tools for analyzing intrusion alerts,” ACM Trans. Inf. Syst. Secur., vol. 7, no. 2, pp. 274–318, May 2004, doi: 10.1145/996943.996947.##
[19] S. O. Al-Mamory and H. L. Zhang, “Building Scenario Graph Using Clustering,” in 2007 International Conference on Convergence Information Technology (ICCIT 2007), Nov. 2007, pp. 799–804, doi: 10.1109/ICCIT.2007.51.##
[20] S. O. Al-Mamory and H. L. Zhang, “Scenario Discovery Using Abstracted Correlation Graph,” in 2007 International Conference on Computational Intelligence and Security (CIS 2007) , Dec. 2007, pp. 702–706, doi: 10.1109/CIS.2007.21##
[21] A. Milenkoski, M. Vieira, S. Kounev, A. Avritzer, and B. D. Payne, “Evaluating Computer Intrusion Detection Systems: A Survey of Common Practices,” ACM Comput. Surv., vol. 48, no. 1, p. 12:1–12:41, Sep. 2015, doi: 10.1145/2808691.##
 [22] R. Kandhari, V. Chandola, A. Banerjee, V. Kumar, and R. Kandhari, “Anomaly detection,” ACM Comput. Surv, vol. 41, no. 3, pp. 1–6, 2009.##
[23] J. Arshad, P. Townend, and J. Xu, “A novel intrusion severity analysis approach for Clouds,” Future Generation Computer Systems, vol. 29, no. 1, pp. 416–428, Jan. 2013, doi: 10.1016/j.future.2011.08.009.##
[24] F. Shen and O. Hasegawa, “A fast nearest neighbor classifier based on self-organizing incremental neural network,” Neural Networks, vol. 21, no. 10, pp. 1537–1547, Dec. 2008, doi: 10.1016/j.neunet.2008.07.001.##
[25] F. A. Gers, J. Schmidhuber, and F. Cummins, “Learning to forget: Continual prediction with LSTM,” 1999.##
[26] A. Valdes and K. Skinner, “Probabilistic Alert Correlation,” in Recent Advances in Intrusion Detection, Berlin, Heidelberg, 2001, pp. 54–68, doi: 10.1007/3-540-45474-8_4.##
[27] K. Polat and S. Güneş, “Principles component analysis, fuzzy weighting pre-processing and artificial immune recognition system based diagnostic system for diagnosis of lung cancer,” Expert Systems with Applications, vol. 34, no. 1, pp. 214–221, Jan. 2008, doi: 10.1016/j.eswa.2006.09.001.##
[28] “DARPA 2000 Intrusion Detection Scenario Specific Datasets | MIT Lincoln Laboratory.” https://www.ll.mit.edu/rd/ datasets/2000-darpa-intrusion-detection-scenario-specificdatasets (accessed Aug. 07, 2020).##
[29] “KDD Cup 1999 Data.” http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html (accessed Aug. 07, 2020).##
[30] “Learning to Forget: Continual Prediction with LSTM | Neural Computation | MIT Press Journals.” https://www.mitpressjournals.org/doi/abs/10.1162/089976600  300015015 (accessed Aug. 28, 2020).##
[31] W.-Y. Yu and H.-M. Lee, “An incremental-learning method for supervised anomaly detection by cascading service classifier and ITI decision tree methods,” in Pacific-Asia Workshop on Intelligence and Security Informatics, 2009, pp. 155–160.##
[32] S. T. Sarasamma and Q. A. Zhu, “Min-max hyperellipsoidal clustering for anomaly detection in network security,” IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), vol. 36, no. 4, pp. 887–901, Aug. 2006, doi: 10.1109/TSMCB.2006.870629.##
Volume 9, Issue 3 - Serial Number 35
Serial No. 35, Autumn Quarterly
December 2021
Pages 165-186
  • Receive Date: 11 March 2021
  • Revise Date: 07 May 2021
  • Accept Date: 08 June 2021
  • Publish Date: 22 November 2021