A bio-inspired comprehensive distributed correlation approach for intrusion detection alerts and events


Abstract

In a complex network with intrusion detection and logging, a huge number of alerts and log entries are generated to report the status of the network and of the servers, systems, and applications running on it. The administrator(s) must analyze these pieces of information to build an overview of the network, of attack attempts, and of the vulnerable points within the network. Unfortunately, because the number of alerts and recorded events grows with the network, this task is almost impossible without an analysis and reporting model. Alert and event correlation is a process in which the alerts produced by one or more intrusion detection systems, together with events generated by other systems and security tools, are analyzed and correlated to provide a more succinct, higher-level view of occurring or attempted intrusions and attacks. While existing correlation techniques improve intrusion detection results and condense the huge number of alerts into a summarized report, they still have drawbacks. This article presents a modular framework for a Distributed Agent Correlation Model (DACM) for intrusion detection alerts and events in computer networks. The framework supports the integration of multiple correlation techniques. It introduces a multi-agent distributed model in a hierarchical organization that correlates alerts from the IDS with attack signatures from information security tools and with system or application log files as additional sources of information. The agent model is inspired by the biological distribution of cooperating members of a society working toward a common goal. Each local agent aggregates and correlates events from its own source according to a source-specific pattern matching. Correlating across multiple sources of information and integrating these correlation agents forms a complete correlation system that reduces both false negative and false positive alerts, enhancing the accuracy and completeness of intrusion detection.
The model has been implemented and tested on a set of datasets. The proposed agent models and algorithms have been implemented, analyzed, and evaluated to measure detection and correlation rates and the reduction rate of false positive and false negative alerts. The results showed that DACM enhances both the accuracy and completeness of intrusion detection by reducing false positive and false negative alerts; it also enhances the early detection of new threats.
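The abstract describes the shape of the system (local agents that parse and aggregate their own source with a source-specific pattern, and a higher-level correlator that joins their meta-alerts across sources) without giving the mechanics. The following is an added illustration of that multi-source correlation pattern written for this page; it is not the paper's DACM code or algorithms. It assumes Snort-style "fast" alert lines and OpenSSH auth.log lines as the two sources, a 5-minute window, a brute-force threshold of three failures, and an IP-to-hostname asset map; all sample input is constructed.

```python
"""Toy two-source alert correlator: local IDS and log agents each aggregate their
own source; a global correlator joins the meta-alerts on (target host, attacker)
to upgrade corroborated alerts, downgrade uncorroborated ones, and surface
log-only incidents the IDS missed. Illustrative code, not the paper's DACM."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2024                            # assumed: Snort/syslog lines carry no year
WINDOW = timedelta(minutes=5)          # assumed aggregation/correlation window
MIN_FAILURES = 3                       # assumed brute-force threshold
ASSET_MAP = {"192.168.1.10": "web01"}  # assumed IP -> syslog hostname mapping

# Constructed sample input (not from the paper): Snort fast alerts + sshd auth log.
IDS_ALERTS = """\
01/01-10:00:01.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 10.0.0.5:54321 -> 192.168.1.10:22
01/01-10:00:02.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 10.0.0.5:54322 -> 192.168.1.10:22
01/01-10:00:03.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 10.0.0.5:54323 -> 192.168.1.10:22
01/01-10:20:00.000000  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Priority: 2] {TCP} 10.0.0.7:40000 -> 192.168.1.20:1433
"""
AUTH_LOG = """\
Jan  1 10:00:02 web01 sshd[1201]: Failed password for root from 10.0.0.5 port 54322 ssh2
Jan  1 10:00:03 web01 sshd[1202]: Failed password for root from 10.0.0.5 port 54323 ssh2
Jan  1 10:00:04 web01 sshd[1203]: Failed password for admin from 10.0.0.5 port 54324 ssh2
Jan  1 10:00:09 web01 sshd[1204]: Accepted password for admin from 10.0.0.5 port 54325 ssh2
Jan  1 10:40:00 web01 sshd[1300]: Failed password for bob from 10.0.0.9 port 50000 ssh2
Jan  1 10:40:01 web01 sshd[1301]: Failed password for bob from 10.0.0.9 port 50001 ssh2
Jan  1 10:40:02 web01 sshd[1302]: Failed password for bob from 10.0.0.9 port 50002 ssh2
"""
IDS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)")

def cluster(records, key_fn):
    """Local aggregation: records sharing key_fn(r) that fall within WINDOW of a
    cluster's first event collapse into one meta-event with the raw events kept."""
    out = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        bucket = out[key_fn(r)]
        if bucket and r["ts"] - bucket[-1]["first"] <= WINDOW:
            bucket[-1]["events"].append(r)
            bucket[-1]["last"] = r["ts"]
        else:
            bucket.append({"first": r["ts"], "last": r["ts"], "events": [r]})
    return dict(out)

def ids_agent(text):
    """Local IDS agent: pattern = Snort fast-alert line, key = (sid, src, dst)."""
    recs = []
    for m in filter(None, map(IDS_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        recs.append({**m.groupdict(), "ts": ts})
    return cluster(recs, lambda r: (r["sid"], r["src"], r["dst"]))

def auth_agent(text):
    """Local log agent: pattern = sshd auth line. Failures are clustered by
    (host, src); accepted logins are passed up raw for the correlator."""
    recs = []
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        recs.append({**m.groupdict(), "ts": ts})
    failures = cluster([r for r in recs if r["result"] == "Failed"],
                       lambda r: (r["host"], r["src"]))
    return failures, [r for r in recs if r["result"] == "Accepted"]

def overlaps(a, b):
    return a["first"] <= b["last"] + WINDOW and b["first"] <= a["last"] + WINDOW

def global_correlator(ids_clusters, auth_failures, accepted, asset_map=ASSET_MAP):
    """Hierarchical step: join IDS meta-alerts with log meta-events on
    (target host, attacker IP) and emit one verdict per incident."""
    incidents, matched = [], set()
    for (sid, src, dst), buckets in ids_clusters.items():
        host = asset_map.get(dst, dst)
        for b in buckets:
            corroborating = [(i, f) for i, f in enumerate(auth_failures.get((host, src), []))
                             if overlaps(f, b) and len(f["events"]) >= MIN_FAILURES]
            matched.update((host, src, i) for i, _ in corroborating)
            logged_in = any(r["host"] == host and r["src"] == src and
                            b["first"] <= r["ts"] <= b["last"] + WINDOW for r in accepted)
            verdict = ("confirmed_compromise" if corroborating and logged_in
                       else "confirmed_bruteforce" if corroborating
                       else "unconfirmed")  # IDS-only evidence: candidate false positive
            incidents.append({"verdict": verdict, "src": src, "target": host, "sid": sid,
                              "ids_alerts": len(b["events"]),
                              "failed_logins": sum(len(f["events"]) for _, f in corroborating)})
    for (host, src), buckets in auth_failures.items():  # bursts the IDS never flagged
        for i, f in enumerate(buckets):
            if (host, src, i) not in matched and len(f["events"]) >= MIN_FAILURES:
                incidents.append({"verdict": "log_only_bruteforce", "src": src, "target": host,
                                  "sid": None, "ids_alerts": 0, "failed_logins": len(f["events"])})
    return incidents

def run(ids_text=IDS_ALERTS, auth_text=AUTH_LOG):
    failures, accepted = auth_agent(auth_text)
    return global_correlator(ids_agent(ids_text), failures, accepted)
```

On the constructed input, eleven raw lines collapse into three incidents: the SSH scan against web01 is corroborated by three failed logins and a subsequent accepted login from the same source and is reported as a compromise; the MSSQL probe has no log corroboration and is left as unconfirmed rather than escalated; and the burst of failures from 10.0.0.9, which produced no IDS alert at all, is raised from the log side. The verdict labels, thresholds and window are assumptions for the example; the point is that the local agents only ever see their own format, and the cross-source join is where false positives are demoted and misses are recovered.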

Citation (APA)

Bahaa-Eldin, A. M. (2014). A bio-inspired comprehensive distributed correlation approach for intrusion detection alerts and events. Intelligent Systems Reference Library, 70, 3–38. https://doi.org/10.1007/978-3-662-43616-5_1
