Measuring false-positive by automated real-time correlated hacking behavior analysis


Abstract

To resolve the tension between the trend toward more distributed network architectures and the need for more centralized correlated analysis to detect more complex attacks with Intrusion Detection Systems (IDS), we first propose an IDS architecture framework that collects relevant alert data from distributed, diverse IDSes into one or more centralized points, performs efficient correlation analysis on the shared data, and then generates meaningful, supportive knowledge rules from the analysis results. These rules are automatically pushed back to each subscribed local IDS on a schedule or even in real time, so that the local IDS can use them to analyze newly arriving traffic. We also define an XML format for the knowledge rule information generated by our hacking behavior correlation algorithms. We then present seven mathematical algorithms for correlated hacking behavior analysis. To let a local IDS effectively measure the false-positive probability of a newly arriving alert, we introduce three different approaches based on data mining and statistical models: 1-Rule, the Bagging method, and the Naive Bayes method. By applying these methods to the collected correlated knowledge rules, we derive a good-quality true-attack confidence value for each detected alert. We also developed a simulation program implementing all of these correlation algorithms and all of the data mining and statistical models. We tested these algorithms against the MIT Lincoln Laboratory 1999 IDS evaluation data and conclude that, using these preliminary results, a local IDS subscribed to this framework can derive a measure of how confident it is that an alarm is a true attack, in real time, and can even lower its false-positive rate if a suitable threshold is applied.


Wang, J., & Lee, I. (2001). Measuring false-positive by automated real-time correlated hacking behavior analysis. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2200, pp. 512–535). Springer Verlag. https://doi.org/10.1007/3-540-45439-x_36
