Title: Alert Correlation in Collaborative Intelligent Intrusion Detection Systems - A Survey


Title: Alert Correlation in Collaborative Intelligent Intrusion Detection Systems - A Survey
Authors: Izzeldin Mohamed Osman, Huwaida Tagelsir Elshoush
PII: S (10)00311-X
DOI: doi: /j.asoc
Reference: ASOC 1031
To appear in: Applied Soft Computing
Received date: Accepted date:
Please cite this article as: I.M. Osman, H.T. Elshoush, Alert Correlation in Collaborative Intelligent Intrusion Detection Systems - A Survey, Applied Soft Computing Journal (2010), doi: /j.asoc
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Alert Correlation in Collaborative Intelligent Intrusion Detection Systems - A Survey

Huwaida Tagelsir Elshoush a, and Izzeldin Mohamed Osman b
a Department of Computer Science, Faculty of Mathematical Sciences, University of Khartoum, Sudan
b Sudan University of Science and Technology, Khartoum, Sudan

Abstract

As complete prevention of computer attacks is not possible, intrusion detection systems (IDSs) play a very important role in minimizing the damage caused by different computer attacks. There are two intrusion detection methods, namely misuse- and anomaly-based. A collaborative intelligent intrusion detection system (CIIDS) is proposed to include both methods, since recent research concludes that the performance of an individual detection engine is rarely satisfactory. In particular, two main challenges in current collaborative intrusion detection systems (CIDSs) research are highlighted and reviewed: CIDS system architectures and alert correlation algorithms. Different CIDS system architectures are explained and compared. The use of CIDSs together with other multiple security systems raises certain issues and challenges in alert correlation. Several different techniques for alert correlation are discussed. The focus will be on correlation of CIIDS alerts. Computational Intelligence approaches, together with their applications to IDSs, are reviewed. Methods in Soft Computing collectively provide understandable and autonomous solutions to IDS problems. At the end of the review, the paper suggests fuzzy logic, soft computing and other AI techniques to be exploited to reduce the rate of false alarms while keeping the detection rate high. In conclusion, the paper highlights opportunities for an integrated solution to large-scale CIIDS.

Key words: Alert correlation, Collaborative intrusion detection, False positive analysis, and Computational intelligence approaches

1. Introduction

Multiple complementary security devices such as intrusion detection systems (IDSs) and other preventive security mechanisms (e.g. access control and authentication) are widely deployed to monitor and defend networks and hosts against malicious attacks. Even if preventive security mechanisms protect information security, IDSs are also deployed to gain insight into what is happening, and thus to know the threats and risks that might occur and take appropriate action. An intrusion detection system (IDS) monitors the activities of a given environment and decides whether these activities are malicious or normal based on system integrity, confidentiality and the availability of information resources [53]. When building an IDS one needs to consider many issues, such as data collection, data pre-processing, intrusion recognition, reporting, and response. Among them, intrusion recognition is most vital. Audit data is compared with detection models, which describe the patterns of intrusive behavior, so that both successful and unsuccessful intrusion attempts can be identified [58]. Fig. 1 depicts the organization of an IDS where solid lines indicate data/control flow, while dashed lines indicate responses to intrusive activities [58].

Fig. 1. Organization of a generalized intrusion detection system [58].

The process of automatically constructing models from data is not trivial, especially for intrusion detection (ID) problems. This is because ID faces problems such as huge network traffic volumes, highly imbalanced data distribution, the difficulty

This paper is substantially extended from a preliminary version titled Reducing False Positives through Fuzzy Alert Correlation in Collaborative Intelligent Intrusion Detection Systems - A Review submitted to the 2010 IEEE World Congress on Computational Intelligence, an International Conference on Fuzzy Systems (2010 FUZZ-IEEE), July.
Corresponding author. phone: ; fax: ; addresses: htelshoush@uofk.edu (Huwaida Tagelsir Elshoush), izzeldin@acm.org (Izzeldin Mohamed Osman).

Preprint submitted to Elsevier 25 November 2010 Page 1 of 19

to realize decision boundaries between normal and abnormal behavior, and a requirement for continuous adaptation to a constantly changing environment [58]. Still, current IDS techniques are far from satisfactory, as they suffer from several limitations [43,62]:
- Unfortunately, IDSs provide an unmanageable amount of alarms, overwhelming the security administrators. Inspecting thousands of alarms per day is infeasible, especially if 99% of them are false positives (events erroneously classified as attacks) [42].
- Certain attacks may not be detected by IDSs.
These limitations of IDSs make security investigation not only time-consuming, but also error-prone. It is very challenging for security officers to fully learn the security threats in their networks as well as over the Internet. Thus, there is a need for alert correlation [43,62]. Correlation analyzes the alerts, reduces irrelevant alarms, and groups together individual alerts based on the logical relationship between them. Currently, five techniques exist for alert correlation, based on [62]: similarity between alert attributes, predefined attack scenarios, prerequisites and consequences of attacks, multiple information sources, and filtering algorithms. Employing multiple IDSs and other security systems gives a better view of the monitored network. It has been proven by many researchers that collaborative approaches are more powerful and give better performance than individual approaches. On the other hand, alert correlation in collaborative intrusion detection systems (CIDSs) will be more challenging. In this paper, we address these issues, together with different system architectures of CIDSs and how to use alert correlation to reduce the false alarm rate (FAR). In addition, privacy issues in alert correlation are also discussed.

Organization of the Paper

The rest of this paper is organized as follows: State-of-the-art in IDSs, CIDSs and alarm correlation is reviewed in Section 2. In Section 3, different types of IDSs are explained together with their advantages and disadvantages. Collaborative intelligent intrusion detection systems (CIIDSs) are reviewed in Section 4, together with a challenge in collaborative intrusion detection systems (CIDSs), the CIDS system architectures. In particular, another main challenge in CIDS research, namely alert correlation algorithms, is highlighted and addressed in detail in Section 5. In Section 6, Computational Intelligence approaches and their application in IDSs are discussed. Specifically, attention is drawn to how fuzzy logic can be used to solve problems in IDSs, in anomaly and misuse detectors and peer-to-peer systems. Soft Computing methods are explained in Section 7. The architecture and design of the proposed solution strategy is presented in Section 8, together with an explanation of how the performance of the proposed system is evaluated and which datasets are used. Section 9 concludes the paper.

2. State-of-the-art

Recently, researchers have designed several systems dealing with the problem of false alarms.

State-of-the-art in IDSs

Zhai et al. [64] propose to use Bayesian networks to perform reasoning on complementary security evidence, and thus to potentially reduce false alert rates. In 2008, a data mining alarm clustering technique that groups alarms whose root causes are generally similar was presented by Al-Mamory [1]. In 2009, a lot of work was done in the area; some of this research follows. A hybrid RBF/Elman neural network model that can be employed for both anomaly detection and misuse detection is presented by Tong et al. [52]. IDSs using the hybrid neural network can detect temporally dispersed and collaborative attacks effectively because of its memory of past events. Hoang et al. [14] proposed a hybrid fuzzy-based anomaly IDS utilizing a hidden Markov model (HMM) detection engine and a normal database detection engine to reduce FAR.
An alert-based decision support system (DSS) is proposed by Jan et al. [18] to construct an alert classification model for on-line network behavior monitoring. The architecture of the DSS consists of three phases: Alert Preprocessing, Model Constructing and Rule Refining. Tsai et al. [55] wrote a review paper to examine and understand the current status of using machine learning techniques to solve ID problems. In [50], Spathoulas et al. used a post-processing filter to reduce FAR in network-based IDSs. The filter comprises three components, each based upon statistical properties of the input alert set. Maggi et al. [24] proposed an alert aggregation algorithm to reduce FAR in anomaly detectors. The closeness in time of two alerts is measured using fuzzy sets. A performance metric to evaluate the fusion system is also proposed.

State-of-the-art in CIDSs

After several investigations, researchers revealed without doubt that collaborative approaches are more powerful, provide better flexibility, and also give better performance than individual approaches. A Cooperative Anomaly and IDS (CAIDS) integrated system by K. Hwang [16] in 2004 detects not only known attacks but also unknown anomalies. The system integration is enabled by Internet episode data mining, anomaly classification, alert correlation, and automated signature generation. Yu et al. [63], in May 2005, presented a collaborative architecture for multiple IDSs to detect real-time network intrusions.

The architecture is composed of three parts: Collaborative Alert Aggregation, Knowledge-based Alert Evaluation and Alert Correlation, to cluster and merge alerts from multiple IDS products and so achieve an indirect collaboration among them. Also in May 2005, Depren et al. [13] proposed a novel IIDS architecture utilizing both anomaly and misuse detection approaches, together with a decision support system to combine their results. In the same year, Zhang et al. [65] suggested a distributed IDS based on clustering with unlabeled data. Later in that year, Katti et al. [22] presented the first wide-scale study of correlated attacks, and their results showed that collaborating IDSs need to exchange alert information in real time. Peng et al. [41], in 2006, proposed a hybrid ID and visualization system that leverages the advantages of current signature-based and anomaly detection methods to identify both known and novel attacks. In 2007, Kai Hwang et al. [17] proposed a hybrid system that combines the advantages of the low FAR of signature-based IDS and the ability of anomaly IDS to detect novel unknown attacks. The hybrid system extracts signatures from the output of the anomaly IDS and adds them into the SNORT signature database for fast and accurate ID. Rasoulifard et al. [46], in 2008, proposed an incremental hybrid IDS framework that combines incremental misuse detection and incremental anomaly detection. In February 2009, Aydin [3] suggested a hybrid IDS by combining the misuse and anomaly approaches in one system. Also in February 2009, Zhou et al. [66] proposed a decentralized, multi-dimensional alert correlation algorithm for CIDSs. A two-stage algorithm, implemented in a fully distributed CIDS, first clusters alerts locally at each IDS, before reporting significant alert patterns to a global correlation stage. Later in the same year, Zhou et al. [67] summarized the current research directions in detecting coordinated attacks using CIDSs.
In particular, two main challenges in CIDS research, CIDS architectures and alert correlation algorithms, are highlighted and analyzed.

State-of-the-art in Alarm Correlation

To address alert correlation challenges, various analysis techniques have been proposed in recent years. Dain and Cunningham [10], in 2001, proposed an algorithm that generates scenarios by estimating the probability that a new alert belongs to a certain scenario. Three different approaches to estimate this probability are proposed: a naive technique, a heuristic technique and data mining techniques. In 2002, Ning and Xu [30] presented an experimental study to adapt main memory index structures and DB query optimization techniques for efficient correlation of intensive alerts. Three techniques were presented: hyper-alert container, two-level index, and sort correlation. Later, at the end of 2002, Cuppens et al. [9] suggested modeling a malicious objective as an attempt to violate a given security requirement. Their proposal is then to extend the definition of attack correlation presented in [8] to correlate attacks with intrusion objectives. For example, to extract attack strategies from intrusion alerts, Ning and Xu [35], in Oct. 2003, developed techniques to measure the similarity between sequences of attacks. In 2004, Noel et al. [39] presented the first treatment (at that time) based on association with network attack graphs to construct attack scenarios using intrusion event correlation. A probabilistic alert correlation to extract attack strategies is presented by Zhu and Ghorbani [69]. In Feb. 2007, Zhou et al. [68] used capability (a logical formula) to abstract the logical relation between the alerts in a multistage intrusion. Later in the same year, Valeur et al. [57] presented a correlation model that includes a comprehensive set of components, while most approaches to correlation concentrate on just a few components of the process.
Sadoddin and Ghorbani [47], in 2008, proposed a framework for real-time alert correlation which incorporates novel techniques for aggregating alerts into structured patterns and incremental mining of frequent structured patterns.

3. IDS Classifications

In addition to the detection method, there are other characteristics one can use to classify IDSs, see Fig. 2 [58]. Depending on the information source considered, an IDS may be either host- or network-based, as shown in Fig. 2. A host-based IDS analyzes events such as process identifiers and system calls, mainly related to OS information. On the other hand, a network-based IDS analyzes network related events: traffic volume, IP addresses, service ports, protocol usage, etc. [51]. This research focuses on network-based IDS.

Fig. 2. Characteristics of intrusion detection systems [58].

IDSs can be grouped into two detection principles, namely misuse-based (or signature-based) and anomaly-based IDS.

Signature-based IDSs

Signature-based detection schemes recognize intrusions by matching observed data with pre-defined descriptions of intrusive behavior. Therefore, a signature database corresponding to known attacks is specified a priori [51,55].

Anomaly-based IDSs

The strategy of anomaly ID is that abnormal behavior is rare and different from normal behavior, and thus it tries to model what is

normal rather than what is anomalous. These detectors generate an anomaly alarm whenever the deviation between a given observation at an instant and the normal behavior exceeds a predefined threshold. Another possibility is to model the abnormal behavior of the system and to raise an alarm when the difference between the observed behavior and the expected one falls below a given limit [51]. Such systems do not need an up-to-date database of known attacks, and therefore can detect unknown techniques and insider abuses as well [24].

Anomaly IDS Classifications

Generally speaking, anomaly detection can be either [58]:
- Static anomaly detection: this assumes that the behavior of monitored targets never changes, such as the system call sequences of an Apache service.
- Dynamic anomaly detection: it extracts patterns (profiles) from the behavioral habits of end users, or the usage history of networks/hosts.
On the other hand, anomaly intrusion detection techniques can be generally classified into three categories according to the nature of the processing involved [14]:
- Statistical anomaly detection methods: they build two profiles, a normal profile during a training phase and the current profile during the detection phase. They monitor activities, such as CPU usage and number of TCP connections, in terms of statistical distribution. During operation these two profiles are compared, and an anomaly is identified if there is a significant difference between them. One difficulty with these methods is determining what a meaningful activity is.
- Data-mining-based methods: these can automate the process of finding meaningful activities and interesting features. They include classification-based intrusion detection, clustering and outlier detection, and association rule discovery. Generally, they are computationally intensive and produce very high false alarm rates (FAR).
- Machine learning-based methods: system call-based sequence analysis is one of the widely used techniques. Another example is the hidden Markov model (HMM), which is a very powerful tool.

Specification-based (or Protocol) Anomaly IDSs

Specification-based (or protocol) anomaly detection is a new variant of anomaly detection that is based on protocol standards. Instead of training models on normal behavior, it builds models of TCP/IP protocols using their specifications. Protocols are well defined and thus a normal-use model is produced with greater accuracy, which shows the ease of protocol anomaly detection. Protocols are created with specifications, known as RFCs, to dictate proper use and communication. All connection-oriented protocols have states. Certain events must take place at certain times. As a result, many protocol anomaly detectors are built as state machines. Each state corresponds to a part of the connection, such as a server waiting for a response from a client. The transitions between the states describe the legal and expected changes between states. As not all software applications are created with the rules of the protocol in mind, when building a use model one should allow for accepted deviations from the RFCs [11]. The objectives of this approach are to achieve low false positives and high detection rates (DR) like misuse-based IDSs, and to detect new attacks like anomaly-based IDSs [15].

Advantages of Protocol Anomaly Detection
- It is simple, as it is much easier to model the correct use of a protocol than to model its misuse [11].
- New protocols and extensions to existing protocols are being developed at a much slower rate than malicious signatures, which necessitate frequent signature database updates. Moreover, protocol anomaly detectors are able to detect most new attacks without being updated, because new attacks deviate from protocol specifications. However, new updates can be added easily to an IDS as new protocol state machines [11].
- Protocol anomaly detectors differ from traditional IDSs in that they present informative alarms specifying which protocols are violated.
- They use fewer rules to detect normal behavior than signature detectors, thus increasing DR and effectiveness.

Disadvantages of Protocol Anomaly Detection
- Difficulty of use: deviation from the use model requires in-depth knowledge of protocol design, hence documentation is needed [11].
- Some attacks, however, such as viruses, conform to protocol standards and are undetectable by protocol anomaly detectors, e.g. encrypted attacks over the network or those visible only to host-based IDSs [11].

Pros and Cons of Misuse-based and Anomaly IDSs

Signature- and anomaly-based systems are similar in terms of conceptual operation and composition. The main differences between these methodologies are inherent in the concepts of attack and anomaly. An attack is defined as a sequence of operations that puts the security of a system at risk. An anomaly is just an event that is suspicious from the perspective of security. Based on this distinction, the main advantages and disadvantages of each IDS type are [51]:
In detecting specified and well-known intrusions, misuse detectors are efficient, reliable and have a very low false alarm rate, thus providing very precise and detailed information to plan a reaction [24]. For this reason, the approach is widely adopted in the majority of commercial systems. On the other hand, the drawbacks of misuse-based IDSs are:
- As new attacks are continuously evolving, misuse detection shows its severe limitation in detecting unknown attacks (the so-called zero-days) or even intrusions built as minimal variants of already known attacks without known signatures. Reference [58] suggested a solution to regularly update the knowledge base, either manually, which is time consuming and laborious, or automatically with the help of supervised learning algorithms. Unfortunately, datasets for this purpose

are usually expensive to prepare, as they require labeling each instance in the dataset as normal or abnormal.
- Evasion techniques are another well-known example of weakness in misuse-based systems [24].
- A large number of signatures may detect more attacks, but is not favored as some problems arise: the probability that normal events are erroneously classified as attacks will be high [11], and each event must be compared against many signatures, consuming computational resources and thus reducing DR and the overall effectiveness [11].
- False alarms may originate from poorly formed signatures.
- Another drawback is the FAR. This can happen primarily because previously unseen system behaviors may also be recognized as anomalies [54].
- These systems may become a single point of failure [48]. If the IDS is disabled for any reason, then it often gives the attacker the time to compromise the systems and possibly gain a foothold in the network [54].
- Furthermore, signature matching performs well only for single-connection attacks, and more attacks involve multiple connections [17,45].
Many anomaly IDSs have been developed based on AI techniques to solve the mentioned problems of misuse-based IDSs. As anomaly detectors build their profiles on normal data only, their main benefit lies in detecting unknown attacks and handling multi-connection attacks well [17]. On the contrary, the disadvantages of anomaly IDSs are:
- Even though the signature specifications in misuse IDSs are likely to be inaccurate, anomaly IDSs usually have higher FAR [3], because the deviation from normal behavior does not always correspond to the occurrence of an attack. Moreover, they give less information.
- However, their major difficulty lies in discovering boundaries between normal and abnormal behavior, due to the deficiency of abnormal samples in the training phase [58], i.e., it is very hard to define normal behavior [6].
- Another difficulty is to adapt to constantly changing normal behavior, especially for dynamic anomaly detection [58].
Most of the algorithms proposed in the current literature on correlation make use of the matching attack information provided by misuse detectors; therefore, such methods are inapplicable to purely anomaly-based IDSs, as these have less information. Hence, alert fusion will be more complex when taking anomaly detectors into account. However, since the failures and strengths of anomaly and misuse detection are symmetric, it is reasonable and noteworthy to try to integrate different approaches through an alert fusion process [24].
To conclude this section, neither of the above two detection mechanisms is quite satisfactory. In addition to the above weaknesses, IDS products are subject to many other problems including alert flooding, too many false positive and false negative alerts, isolated alerts against a series of attacks, blindness to the network and hosts they are monitoring, etc. Many of the above weaknesses in traditional IDSs are due to the lack of various collaborations, including: (a) collaboration among different detection mechanisms, (b) collaboration between ID and other network management operations, and (c) collaboration between detection and other security mechanisms [63]. In order to overcome this deficiency, in this paper we propose an architecture to enable collaboration among multiple IDSs using distributed intelligent IDSs and AI techniques.

4. Collaborative Intrusion Detection Systems

As each IDS implements different detection algorithms and signatures, the combination of complementary IDSs is a promising technique that can be used to obtain a more precise and comprehensive view of suspicious network events.
Thus, by correlating suspicious evidence and attack signatures from different subnetworks of the Internet, the use of multiple detection technologies in CIDSs is anticipated to provide the following:
- different IDSs produce different outputs for an attack [42];
- for a given attack, only a limited number of IDSs might be able to detect it [42];
- the efficiency of detecting intrusions over the whole Internet is improved [67];
- CIDSs have the potential to reduce computational costs by sharing ID resources between networks [67];
- the number of false alarms and irrelevant alerts that would be generated by individual IDSs is reduced [67];
- the fusion of alarms raised by different IDSs produces more comprehensive information about intrusion attempts than that attained using a single IDS technique.
In order to gain an understanding of the intrusions against the protected network, a network administrator needs to correlate the alarms produced by different IDSs to attain a high-level description of the threat and thus the security state of the whole network. Clearly, it is infeasible to manually arrange the huge volume of alarms produced by multiple IDSs [42]. On the other hand, one must take into account the fact that the implementation of some detection techniques might require more processing power than other techniques. Hence, upon the detection of an event, such slower IDSs may generate their alert after other IDSs. This must be taken into consideration when correlating alerts [2]. Moreover, clock synchronization among the various component systems in distributed CIDSs has to be considered [29]. Hence, the conclusion is that security administrators will not have an accurate view of their network using ID until multiple ID technologies can be correlated and analyzed together [22]. Therefore, the performance of an individual detection engine is rarely satisfactory [3,13]; and thus a collaboration of misuse- and anomaly-based detectors will be used in the proposed model.

A CIDS consists of two main functional units [67]:
- A detection unit: consists of multiple detection components, where each component monitors its own subnetwork or hosts separately and then generates low-level intrusion alerts.
- A correlation unit: transforms low-level intrusion alerts into a high-level intrusion report of confirmed attacks.
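The two functional units just described, as an added example that is not code from the survey or from any system it cites: a small correlation unit that groups low-level alerts from several detection units by attribute similarity (the first of the five correlation techniques listed in the Introduction), normalizes each sensor's clock so that a slower or skewed detector's late alert still joins the right group, and rates every incident by how many independent engines agree. Sensor names, the RFC 5737 documentation addresses, the clock offsets and the confidence weighting are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    """Low-level alert as emitted by one detection unit."""
    sensor: str     # detection unit that raised it
    kind: str       # "misuse" (signature hit) or "anomaly" (profile deviation)
    ts: float       # sensor-local timestamp, seconds
    src: str
    dst: str
    dport: int
    signature: str  # signature name or anomaly class


IncidentKey = Tuple[str, str, int]  # (src, dst, dport): the attributes compared for similarity


@dataclass
class Incident:
    """Alerts the correlation unit treats as one intrusion attempt."""
    key: IncidentKey
    first_ts: float
    last_ts: float
    alerts: List[Alert] = field(default_factory=list)

    def sensors(self) -> set:
        return {a.sensor for a in self.alerts}

    def kinds(self) -> set:
        return {a.kind for a in self.alerts}


def normalize_time(alert: Alert, offsets: Dict[str, float]) -> float:
    """Map a sensor-local timestamp onto the correlation unit's clock.
    offsets[sensor] is that unit's measured clock skew plus its usual reporting
    delay, in seconds (assumed measured out of band); a sensor with no entry is
    assumed to be in sync."""
    return alert.ts - offsets.get(alert.sensor, 0.0)


def correlate(alerts: List[Alert], offsets: Dict[str, float],
              window: float = 5.0) -> List[Incident]:
    """Attribute-similarity correlation: alerts sharing (src, dst, dport) whose
    normalized times fall within `window` seconds of the group's last alert are
    merged into one incident; a larger gap starts a new incident."""
    ordered = sorted(alerts, key=lambda a: normalize_time(a, offsets))
    open_incidents: Dict[IncidentKey, Incident] = {}
    finished: List[Incident] = []
    for a in ordered:
        t = normalize_time(a, offsets)
        key = (a.src, a.dst, a.dport)
        inc = open_incidents.get(key)
        if inc is not None and t - inc.last_ts > window:
            finished.append(open_incidents.pop(key))  # gap too large: close the group
            inc = None
        if inc is None:
            inc = Incident(key=key, first_ts=t, last_ts=t)
            open_incidents[key] = inc
        inc.alerts.append(a)
        inc.last_ts = t
    finished.extend(open_incidents.values())
    return sorted(finished, key=lambda i: i.first_ts)


def confidence(inc: Incident, total_sensors: int) -> float:
    """Share of participating detection units that saw the incident, with a
    constructed bonus when a misuse and an anomaly engine independently agree."""
    score = len(inc.sensors()) / total_sensors
    if {"misuse", "anomaly"} <= inc.kinds():
        score = min(1.0, score + 0.25)
    return round(score, 2)


def high_level_report(incidents: List[Incident], total_sensors: int,
                      min_sensors: int = 2) -> List[dict]:
    """Correlation-unit output: each incident, the units that saw it, and a
    status of 'confirmed' (>= min_sensors independent units) or 'unconfirmed'."""
    return [{
        "src": inc.key[0], "dst": inc.key[1], "dport": inc.key[2],
        "alerts": len(inc.alerts),
        "sensors": sorted(inc.sensors()),
        "signatures": sorted({a.signature for a in inc.alerts}),
        "confidence": confidence(inc, total_sensors),
        "status": "confirmed" if len(inc.sensors()) >= min_sensors else "unconfirmed",
    } for inc in incidents]


# Constructed sample input: two signature engines and one anomaly engine whose
# clock runs 8 s fast (or which reports 8 s late; the offset covers both).
SENSOR_OFFSETS = {"sig-A": 0.0, "anomaly-B": 8.0, "sig-C": -0.5}
SAMPLE_ALERTS = [
    Alert("sig-A", "misuse", 100.0, "198.51.100.7", "192.0.2.10", 22, "SSH brute force"),
    Alert("sig-C", "misuse", 100.2, "198.51.100.7", "192.0.2.10", 22, "SSH brute force"),
    Alert("anomaly-B", "anomaly", 110.0, "198.51.100.7", "192.0.2.10", 22, "auth-rate spike"),  # normalizes to 102.0
    Alert("anomaly-B", "anomaly", 140.0, "203.0.113.5", "192.0.2.20", 80, "unusual URI length"),
    Alert("sig-A", "misuse", 190.0, "198.51.100.7", "192.0.2.10", 22, "SSH brute force"),  # same key, 88 s later
]

if __name__ == "__main__":
    for row in high_level_report(correlate(SAMPLE_ALERTS, SENSOR_OFFSETS), total_sensors=3):
        print(row)
```

Running `correlate` with an empty offset table instead of `SENSOR_OFFSETS` splits the brute-force evidence into two incidents, which is the clock-synchronization problem the text raises.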

4.1. Intelligent Intrusion Detection Systems (IIDSs)

An IIDS is a system where many Artificial Intelligence (AI) techniques are applied to IDSs (both misuse and anomaly detection) [19]. A collaborative IIDS will be designed and built to have the following characteristics [4,23]:
- accurate (low false positive and false negative rates) and efficient,
- flexible,
- not easily fooled by small variations in intrusion patterns,
- adaptive in new environments,
- modular with both misuse and anomaly detection components,
- distributed, and
- real-time.

Challenges of Collaborative Intrusion Detection

CIDSs have the potential to resolve the problems of isolated IDSs, since they are able to identify network-wide attacks and reduce false alarms by combining evidence of attacks from multiple networks. However, CIDSs introduce new challenges as follows [67]:
- System architecture: a CIDS is effectively a distributed intrusion detection system. Therefore, the architecture determines how the alerts from individual detection components are shared and processed. Where to place the detection unit and correlation unit will affect the scalability and performance of the CIDS.
- Alert correlation: the main goal of a CIDS is to efficiently detect network-wide attacks and reduce irrelevant alarms, which is achieved by alert correlation [28]. It provides the system with automatic analysis of alerts, thus saving a lot of administrative time. How the alerts from individual detection components are correlated determines the detection accuracy of a CIDS.
- Data privacy: data privacy is an important issue in practice if sensitive information is being shared between different organizations. If appropriate privacy measures are not provided by a CIDS, then the individual participants are unlikely to share their alerts in the first place. Data privacy is outside the scope of this paper.
- Security and trust: like other distributed systems, security and trust are an important aspect of any CIDS. Since the overall detection accuracy of the CIDS depends on the correctness of the alert information provided by each participating IDS, it is important to verify the trustworthiness of the alerts.

Open CIDS Research Problems

There still remain a number of open problems that need to be addressed in CIDSs [67], such as:
- Expressiveness: how to balance the trade-off between the expressiveness of the correlation algorithm and the corresponding computational complexity during alert correlation.
- Scalability: how to remove the need for a central controller without sacrificing overall performance.
- Accuracy: how to improve detection accuracy, i.e., how to balance the trade-off between DR and FAR.

CIDS System Architecture

Various schemes have been proposed to enable the effective aggregation and correlation of information from individual IDSs in a CIDS. These schemes can be classified into three groups [67]:

Fig. 3. Centralized CIDS architecture (Detection Unit is the participating IDS with its own subnetwork) [67].

Centralized approaches

As shown in Fig. 3, each IDS plays the role of a detection unit in the CIDS, where it produces alerts locally. Then the alerts are reported to a central server that works as a correlation unit for analysis. They are usually suitable for small, enterprise-scale cooperation, but not for independent IDSs on the Internet. There are two primary shortcomings:
- The central unit becomes a single point of failure or vulnerability. Hence the correlation process may be completely deactivated if the central server fails.
- Although individual alerts are usually reduced before being sent to the central correlation unit, the processing capacity of the central node will limit the volume of data it can handle in a given amount of time. Therefore, slow response time or data loss often results when more IDSs join the CIDS or when the monitored network is under attack.

Hierarchical approaches

In order to address the scalability problem of the centralized approach, several hierarchical designs have been introduced. In this approach, the entire CIDS is partitioned into multiple small communication groups based on one of the following features: (1) geography, (2) administrative control, (3) collection of similar software platforms, and (4) anticipated types of intrusions. Fig. 4 depicts an overview of the hierarchical approach, where the system is divided into three communication groups. Normally, IDSs in the lowest level work as detection units, and

Fig. 4. Hierarchical CIDS architecture [67].

their alerts are passed upward for correlation. IDSs in the higher levels are equipped with both a detection unit and a correlation unit. They correlate alerts from both their own level and their child nodes. The correlated alerts are then passed upward to a higher level for sharing and further analysis [67]. The hierarchical architectures scale better than the centralized approaches. However, the nodes of the higher levels in the hierarchy still limit the scalability of the CIDS, and their failure can stop the function of their whole subtree. Furthermore, the nodes in the highest level often have limited detection coverage due to the higher level of abstraction of the input data.

Fig. 5. Fully distributed CIDS architecture (Detection Unit and Correlation Unit are two separate processes in the participating IDS with its own subnetwork) [66].

Fully distributed approaches

Fully distributed approaches address the above problems of hierarchical approaches (see Fig. 5): the information from each IDS is shared and processed in a completely distributed fashion without a centralized coordinator [29,67]. Each participant IDS has two function units: a detection unit that is responsible for collecting data locally, and a correlation unit that is part of the distributed correlation scheme. The participant IDSs communicate with each other using some form of data distribution protocol, such as peer-to-peer (P2P), gossiping, multicast or publish/subscribe protocols [67].

Limitations of fully distributed approaches

This approach addresses the scalability challenge of a CIDS, but there are several open issues:

- Detection accuracy: an accurate detection decision can be made in a centralized CIDS since all the alert information is available in a central server.
On the other hand, in a fully distributed CIDS not all alert information is available at the location where the detection decision is made; hence the same detection accuracy is not guaranteed, and the trade-off between the DR and FAR needs to be balanced [67].
- Scalability: most fully distributed approaches use a single feature (such as source IP address) to represent the alert information, which is too restrictive to capture the important characteristics of large-scale attacks. Hence, the scalability of more sophisticated alert correlation algorithms needs to be improved [67].
- Load balancing: in a fully decentralized CIDS, it is difficult to achieve load balancing across the CIDS. Most distributed CIDSs in the literature use a source-address-based correlation scheme, which may create a load hotspot. For example, if a single source scans many subnetworks, this can create a flood of evidence to the responsible IDS. A load hotspot in the CIDS may cause delays in correlation or even information loss. Moreover, an attacker can exploit this vulnerability by launching massive scans to multiple networks from a single source in order to overload the responsible participating IDS, and ultimately disrupt the CIDS [67]. Load balancing is thus essential for workload fairness and system scalability [5].

5. Alert Correlation

5.1. Introduction

Recent research on IDSs has focused on how to handle alarms. The main objectives have been: to reduce the number of false alarms, to study the cause of these false positives, to create a higher-level view or scenario of the attacks, and finally to provide a coherent response to attacks by understanding the relationship between different alarms [70]. Correlation can be understood as the mutual relationship between two or more objects or series of objects. Figure 6 describes the correlation process.

Fig. 6. Correlation Process [70].

Alarm correlation approaches can basically be split into two main categories [27,28]:

Implicit Correlation

Implicit alarm correlation uses data-mining paradigms in order to fuse, aggregate and cluster large alert datasets. For example, the approach of Valdes and Skinner [56] is based on the similarity between alert features (e.g., IP address of the victim and attacker). These approaches are crucial to facilitate the analysis of the huge number of intrusion alerts, but generally fail to enhance the semantics of the alerts.

Explicit Correlation

Explicit alarm correlation approaches rely on a language which allows security experts to specify logical and temporal constraints between alert patterns in order to recognize complex attack scenarios, which generally require several steps to achieve their ultimate goal. When a complete or partial intrusion scenario is detected, a higher-level alert is generated. For example, Morin and Debar [26] proposed an explicit correlation scheme based on the formalism of chronicles. An extension of explicit alarm correlation approaches, sometimes referred to as semi-explicit correlation, uses the assumption that complex intrusion scenarios are likely to involve attacks whose prerequisites correspond to the consequences of some earlier ones [7,36]. Therefore, semi-explicit correlation consists of associating preconditions and postconditions, represented by first-order formulas, with individual attacks or actions. The correlation process receives individual alerts and tries to build alert threads by matching the preconditions of some attacks with the postconditions of some prior ones.

The Intrusion Detection Message Exchange Format (IDMEF)

When analysing the alarms reported, one of the first problems to solve is the diversity of formats used by different vendor products. Therefore, to be capable of correlating alarms, it is necessary to pre-process the messages reported by sensors into a common standard data format, e.g. the IDMEF developed by the Intrusion Detection Working Group (IDWG).
The purpose of the IDMEF is to define data formats and exchange procedures for sharing information of interest to ID and response systems, and to the management systems that may need to interact with them [71]. IDMEF is an object-oriented representation. The data model is implemented using a Document Type Definition (DTD) to describe XML documents [70].

Preprocessing of Alarms

Cuppens et al. [8] assume that the formats of reported alerts sent by the different sensors will be compliant with the IDMEF format. The XML document is then automatically translated into a set of facts and logical predicates. The facts are analyzed and then converted into relationships to build a relational database schema. This way, every XML alert message is converted into a set of tuples that are instances of the relational database schema. Ning et al. [32] also use logical predicates, but they employ them to model the alarms as prerequisites and consequences of attacks. They introduce the idea of a hyper-alert to represent the alerts for every type of attack. A hyper-alert consists of a triplet (fact, prerequisite, consequence). This representation is implemented by a DBMS application so that the knowledge base required for the subsequent correlation is obtained. Finally, Julisch [20] models the alarms as tuples over a Cartesian product (a multidimensional space). These dimensions are called alarm attributes. Alarm logs are then modeled as sets of alarms. Finally, generalization hierarchies or taxonomies are obtained; these are element trees within the domain of some given attribute. A taxonomy is created for every given attribute.

Alarm Analysis

Before the correlation stage, some authors merge simple alarms into higher-level ones, thus getting rid of most of the false alarms. Several IDSs may send alarms reporting the same event; therefore, it is convenient to combine them in the same cluster with attributes of similar characteristics.
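
The preprocessing step described in the IDMEF and Preprocessing of Alarms passages above, as an added example that is not code from any of the surveyed systems: constructed IDMEF-style XML alerts (RFC 4765 element layout, IDMEF namespace) from two different sensors are parsed into one fixed tuple of alarm attributes, the "dimensions" of Julisch's model, so that the fusion and correlation stages that follow operate on a single schema. The analyzer identifiers, addresses and classifications in the sample message are constructed for this example.

```python
"""Normalize IDMEF XML alerts into a common tuple of alarm attributes.

Added example, not code from the surveyed papers. Each sensor message is
reduced to the same attribute tuple regardless of which sensor produced it,
which is what lets later stages recognise duplicates across sensors.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional, Tuple

IDMEF_NS = {"idmef": "http://iana.org/idmef"}


class Alarm(NamedTuple):
    """One row of the relational alarm schema (the attribute dimensions)."""
    analyzer: str
    create_time: str
    classification: str
    src_ip: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]


def _first_text(elem: ET.Element, path: str) -> Optional[str]:
    found = elem.find(path, IDMEF_NS)
    return found.text.strip() if found is not None and found.text else None


def parse_idmef(xml_text: str) -> List[Alarm]:
    """Translate every <Alert> in an IDMEF-Message into an Alarm tuple."""
    root = ET.fromstring(xml_text)
    alarms: List[Alarm] = []
    for alert in root.findall("idmef:Alert", IDMEF_NS):
        analyzer = alert.find("idmef:Analyzer", IDMEF_NS)
        classification = alert.find("idmef:Classification", IDMEF_NS)
        port = _first_text(alert, "idmef:Target/idmef:Service/idmef:port")
        alarms.append(Alarm(
            analyzer=analyzer.get("analyzerid", "unknown") if analyzer is not None else "unknown",
            create_time=_first_text(alert, "idmef:CreateTime") or "",
            classification=classification.get("text", "") if classification is not None else "",
            src_ip=_first_text(alert, "idmef:Source/idmef:Node/idmef:Address/idmef:address"),
            dst_ip=_first_text(alert, "idmef:Target/idmef:Node/idmef:Address/idmef:address"),
            dst_port=int(port) if port is not None else None,
        ))
    return alarms


def duplicate_groups(alarms: List[Alarm]) -> Dict[Tuple, List[str]]:
    """Group alarms with identical (classification, src, dst, port) attributes
    that were reported by more than one analyzer: the cross-sensor duplicates
    a common schema makes visible, keyed by attribute tuple -> analyzers."""
    groups: Dict[Tuple, List[str]] = {}
    for a in alarms:
        key = (a.classification, a.src_ip, a.dst_ip, a.dst_port)
        groups.setdefault(key, []).append(a.analyzer)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample: two sensors report the same event, plus one unrelated alert.
SAMPLE_IDMEF = """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="a1">
    <Analyzer analyzerid="snort-dmz"/>
    <CreateTime>2010-03-01T10:00:01Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>203.0.113.7</address></Address></Node></Source>
    <Target>
      <Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node>
      <Service><port>22</port></Service>
    </Target>
    <Classification text="SSH brute force"/>
  </Alert>
  <Alert messageid="a2">
    <Analyzer analyzerid="hids-web01"/>
    <CreateTime>2010-03-01T10:00:03Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>203.0.113.7</address></Address></Node></Source>
    <Target>
      <Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node>
      <Service><port>22</port></Service>
    </Target>
    <Classification text="SSH brute force"/>
  </Alert>
  <Alert messageid="a3">
    <Analyzer analyzerid="snort-dmz"/>
    <CreateTime>2010-03-01T10:05:00Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>203.0.113.7</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>192.0.2.11</address></Address></Node></Target>
    <Classification text="Port scan"/>
  </Alert>
</IDMEF-Message>
"""

if __name__ == "__main__":
    rows = parse_idmef(SAMPLE_IDMEF)
    for row in rows:
        print(row)
    print(duplicate_groups(rows))
```

Attributes that a sensor does not report (the third alert carries no Service element) become None rather than failing the parse, which is the behaviour a correlation front end needs when sensors populate IDMEF unevenly.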
It is necessary to define the technique that best achieves this fusion of simple alarms referring to the same event. Valdes and Skinner [56] presented the idea of applying probabilistic similarity measures to the fusion of alerts into meta-alerts. At the same time, Debar and Wespi [12] implemented a method to aggregate and correlate alarms to show them in a more condensed view. An explicit-rules algorithm was used to process the alarms that are logically linked; they called these links correlation relationships. On one hand, they look for alarms containing identical attributes, called duplicates, which corresponds to the fusion stage. On the other hand, they define consequences: a set of alerts linked in a certain order. Cuppens et al. [8] employ an expert system where the similarity measures are specified by expert rules. These rules stipulate the similarity relationship between specific attributes of the domain: classification similarity (type of attack), temporal similarity, and source and target similarity. After measuring similarity, alert instances are assigned to global alerts (or clusters). A verisimilitude coefficient is given to each cluster. Finally, redundancies are avoided so that a specific event emerges just once, even if several alerts have detected it: on one hand, attack source and target are merged, and on the other, temporal information. The description of similarity between alarms given by Julisch [21] is based on defined taxonomies. The closer their attributes are within a certain taxonomy, the more similar two alarms are. Thus, alarms are gathered and summarised by a general alarm or cluster. To do so, an Attribute-Oriented Induction data-mining heuristic algorithm is implemented. As a result, generalised alarms are obtained, and this allows discovering the root causes of those alarms. By removing the causes, Julisch demonstrated that the future load of alarms could

be reduced by over 90%. He points out that intrusion detection alarms are very homogeneous and repetitive. A completely different approach is presented by Ning et al. [32], where fusion of alerts is allowed during and after correlation. Continuing with their hyper-alert model, they point out that an alert can be due to a simple alert or to several linked ones. They propose various utilities for the user to be able to accomplish an interactive analysis of alerts. These utilities are aggregation/disaggregation of alerts, focused analysis, clustering analysis, frequency analysis, link analysis and association analysis. More information about all these utilities can be found in [32].

Alarm Correlation

IDSs suffer from several limitations [27,43,62], such as:

- IDSs may flag a large volume of alerts every day.
- Almost 99% of IDS alerts are false positives.
- IDSs may miss certain attacks.

To address these challenges and learn the network security threats, it is necessary to perform alert correlation. Alert correlation focuses on discovering various relationships between individual alerts. Existing alert correlation techniques used by CIDSs can be roughly divided into five categories; in each category, representative approaches are discussed [43,62]:

Approaches Based on Similarity between Alert Attributes

Similarity-based approaches correlate alerts based on the similarity between alert attributes. Each alert usually has several attributes associated with it. Network-based IDSs report the attributes of the suspicious event, e.g. source IP address, source port number, destination IP address, destination port number, and timestamp information. A function is usually used to calculate the similarity between a pair of alerts, and the resulting score determines whether these alerts will be correlated.
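
The similarity-based scheme just described, as an added example that is not code from Valdes and Skinner [56] or from any surveyed system: every overlapping feature of two alerts gets a similarity function with range 0 (mismatch) to 1 (perfect match), an expectation-of-similarity weight and a minimum similarity, and the weighted overall score decides whether an incoming alert is fused into an existing meta-alert. The particular feature functions (shared-prefix similarity for addresses, exponential decay for time), the weights, the minimum similarities and the 0.7 fusion threshold are assumptions made for this example, as are the sample alerts.

```python
"""Similarity-based fusion of IDS alerts into meta-alerts.

Added example (not the code of any surveyed system). Per-feature similarity
functions, expectation weights, minimum similarities and the threshold below
are assumptions chosen to illustrate the scheme.
"""
import ipaddress
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    dst_port: int
    classification: str
    ts: float  # seconds since an arbitrary epoch


def ip_similarity(a: str, b: str) -> float:
    """Shared-prefix similarity: same host 1.0, same /24 0.75, same /16 0.5, else 0.0."""
    x, y = int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b))
    common = 32 - (x ^ y).bit_length()  # number of leading bits in common
    if common == 32:
        return 1.0
    if common >= 24:
        return 0.75
    if common >= 16:
        return 0.5
    return 0.0


def exact(a, b) -> float:
    return 1.0 if a == b else 0.0


def time_similarity(a: float, b: float, scale: float = 300.0) -> float:
    """Exponential decay with the gap: alerts five minutes apart score about 0.37."""
    return math.exp(-abs(a - b) / scale)


# feature name -> (similarity function, expectation-of-similarity weight, minimum similarity)
FEATURES: Dict[str, Tuple[Callable, float, float]] = {
    "src_ip": (ip_similarity, 0.3, 0.5),          # must at least share a /16
    "dst_ip": (ip_similarity, 0.2, 0.0),
    "dst_port": (exact, 0.1, 0.0),
    "classification": (exact, 0.3, 1.0),          # never fuse different attack classes
    "ts": (time_similarity, 0.1, 0.0),
}


def overall_similarity(a: Alert, b: Alert) -> float:
    """Expectation-weighted mean of the per-feature similarities; any feature
    below its minimum similarity vetoes the match."""
    weighted, total = 0.0, 0.0
    for name, (fn, expectation, minimum) in FEATURES.items():
        s = fn(getattr(a, name), getattr(b, name))
        if s < minimum:
            return 0.0
        weighted += expectation * s
        total += expectation
    return weighted / total


@dataclass
class MetaAlert:
    representative: Alert                   # the alert that opened the meta-alert
    members: List[Alert] = field(default_factory=list)


def correlate(alerts: List[Alert], threshold: float = 0.7) -> List[MetaAlert]:
    """Incremental fusion: each alert joins the best-matching meta-alert whose
    similarity reaches the threshold, otherwise it opens a new meta-alert."""
    metas: List[MetaAlert] = []
    for alert in alerts:
        best: Optional[MetaAlert] = None
        best_score = 0.0
        for meta in metas:
            score = overall_similarity(meta.representative, alert)
            if score > best_score:
                best, best_score = meta, score
        if best is not None and best_score >= threshold:
            best.members.append(alert)
        else:
            metas.append(MetaAlert(alert, [alert]))
    return metas


# Constructed sample: one source hitting neighbouring hosts, one unrelated class, one other source.
SAMPLE_ALERTS = [
    Alert("203.0.113.7", "192.0.2.10", 22, "SSH brute force", 0.0),
    Alert("203.0.113.7", "192.0.2.10", 22, "SSH brute force", 10.0),
    Alert("203.0.113.7", "192.0.2.11", 22, "SSH brute force", 20.0),
    Alert("203.0.113.7", "192.0.2.10", 22, "Port scan", 30.0),
    Alert("198.51.100.9", "192.0.2.10", 22, "SSH brute force", 40.0),
]

if __name__ == "__main__":
    for meta in correlate(SAMPLE_ALERTS):
        print(meta.representative.classification, meta.representative.src_ip, len(meta.members))
```

On the sample stream the five alerts fuse into three meta-alerts: the first three (same source, same class, neighbouring targets within seconds) merge, while the different classification and the unrelated source are each vetoed by a minimum-similarity rule rather than by the weighted score alone, which is the practical value of the minimum-similarity parameter.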
All the alert correlation approaches in this category are effective for clustering similar alerts, and thus can potentially reduce the number of alerts reported to the security officers, because a group of similar alerts may correspond to the same attack or attack trend [43,62]. However, most of these approaches are limited in their ability to discover the causality between temporally related alerts [67].

Probabilistic Alert Correlation

In 2001, Valdes and Skinner [56] proposed a probabilistic approach to compute the similarity values among alerts in order to perform alert correlation from heterogeneous sensors. To compute the similarity among different alerts, they proposed to first identify the common (overlapping) features. Next, they specified an expectation of similarity and a minimum similarity for the features. In addition, for each feature, a similarity function (with range 0 (mismatch) to 1 (perfect match)) is defined, which is used to calculate the similarity value for the same feature among different alerts. The overall similarity is a function of the similarity values for the individual features, the expectation of similarity for each feature, and the minimum similarity for each feature. This approach was evaluated in a live-environment experiment, in which IDS sensors reported 4439 alerts and the approach correlated them into only 604.

Alert Clustering and Merging in the MIRADOR Project

In 2001, Cuppens [7] proposed an approach to manage alerts in an environment with multiple IDSs. In such a cooperative system, different IDSs may flag different alerts, even for the same attack, and possibly with different formats. Thus, Cuppens assumes that alerts satisfy the requirements of IDMEF [71]. Cuppens' alert processing can be broadly divided into three functions:

- The alert management function stores alerts in a relational database so that they can be more easily analyzed and compared.
- The alert clustering function analyzes alerts and generates clusters of similar alerts.
- The alert merging function refines alert clusters by merging alerts to bring out a global (representative) alert which is more informative and accurate.

To evaluate the effectiveness of the proposed approach, two IDSs, Snort and e-trust, were deployed, and 87 attacks were tested. Among them, Snort detected 68 attacks with 264 alerts, and e-trust detected 42 attacks with 61 alerts. Clustering analysis produced 101 clusters, and hence 101 global alerts were generated after merging.

Approaches Based on Predefined Attack Scenarios

Attack-scenario-based approaches correlate alerts based on predefined attack scenarios. These attack scenarios can be user-specified or learned from training datasets. Most alert correlation approaches in this category are effective in detecting some well-documented attacks, but fail to detect novel attacks. Furthermore, an explicit attack scenario database can be expensive to build [67].

Aggregation and Correlation in IBM/Tivoli Systems

In 2001, Debar and Wespi [12] proposed an approach to performing aggregation and correlation of intrusion alerts. Various issues are discussed, for example the architecture for combining IDSs with aggregation and correlation components, the alert data model, and the aggregation and correlation component (ACC). The main functionality of the ACC is to group alerts based on predefined relationships between alerts. Alert processing in the ACC can be divided into three steps:

- Alert preprocessing, which provides a unified alert data model for the later correlation and aggregation analysis.
- Alert correlation, where correlation relationships are used to discover the same attack trend through identifying duplicates and consequences. Consequence relationships are used to model whether one security event is the consequence of an earlier event, thus describing an attack scenario.
- Alert aggregation, which aggregates similar alerts based on the predefined situation criteria.

Debar and Wespi conducted experiments to evaluate their techniques, and by examining the alert messages as well as

attribute values, duplicate relationships were identified.

Chronicles Based Approach

In 2003, Morin and Debar [26] proposed alert correlation through the chronicles formalism. In a dynamic system, chronicles provide a mechanism to model temporal patterns of events and monitor the system's evolution. They adapted this technique to monitor security events and perform alert correlation, in order to mitigate the alert flooding problem. Chronicles can also improve the capability of identifying false or true positives, which may be achieved through examining contextual events (i.e., related events in the event pattern) in the chronicle. Notice that benign events can also be included in chronicle models. Morin and Debar experimentally tested the effectiveness of their approach on alert logs generated in their networks.

Approaches Based on Prerequisites and Consequences of Attacks

These approaches, also named multi-stage approaches, address the problem of detecting unknown attacks. They correlate alerts based on the causality between earlier and later alerts. This approach tries to reconstruct complex attack scenarios by linking individual steps that are part of the same attack; that is, they build attack scenarios by matching the consequences of earlier attacks with the prerequisites of later attacks [31,34]. They can potentially discover the causal relationship between alerts. The modeling of prerequisites and consequences can be achieved through first-order logic or attack modeling languages such as LAMBDA [8]. However, they often focus on correlated alerts and ignore others that cannot be correlated. Hence, the false alarms generated in individual IDSs will affect the accuracy of correlation. Furthermore, a complete library of attack steps is expensive to build, as there is a huge number of attack types [67].
Pre-condition/Post-condition Based Approach in the MIRADOR Project

In 2002, Cuppens and Miege [8] proposed an approach that mainly focuses on alert correlation from multiple cooperative IDSs, which is a further extension of [7]. They proposed to build attack scenarios based on pre-conditions and post-conditions of attacks. Each attack is modeled through the attack modeling language LAMBDA. Each pre-condition/post-condition has a set of predicates to define the condition to be satisfied in order to launch an attack successfully, or the possible effect if the attack succeeds. These predicates specify access privileges of attackers, source and target system status, and so forth. This paper further proposes to automatically extract correlation rules based on the LAMBDA attack specification. Correlation rule generation can be divided into two cases: direct correlation and indirect correlation [8]. After all correlation rules have been derived, alert data are extracted and evaluated based on these rules. A sequence of correlated alerts results in an attack scenario. In addition to alert correlation, Cuppens and Miege also briefly discussed how to deal with false negative problems by using abductive correlation. The basic idea is to hypothesize some virtual alerts based on correlation functions. However, the details of the correlation functions performing the hypotheses are not clear in this paper. After generating virtual alerts, existing alerts as well as virtual alerts are correlated through the aforementioned correlation techniques. Cuppens and Miege conducted experiments using two IDSs, Snort and e-trust, to evaluate the proposed approach.

A Prerequisite and Consequence Based Approach

In [33,37], Ning et al. define an alert type as a triple (attr, prereq, conseq), where attr is a list of attributes describing the related attack, prereq is a logical formula representing the prerequisite, and conseq is a set of predicates denoting the consequence.
After deriving all the instantiated prerequisites and consequences for the given alerts (by replacing their attribute names with their attribute values), alert correlation examines them to find possible (partial) matches. The logical connections between alerts are modeled as prepare-for relations. Based on these prepare-for relations, correlation graphs modeling attack scenarios are further defined. The proposed techniques have been implemented and integrated into a Toolkit for Intrusion Alert Analysis (TIAA). Several data sets have been used to test the effectiveness of this correlation method. In addition to attack scenarios, Ning et al. also computed several measures (e.g., FAR and DR) to evaluate their methods.

Attack Hypothesizing and Reasoning Techniques

Under the framework of prerequisite- and consequence-based methods [33,37], and to address the problem of false negatives, Ning and Xu [38] proposed to hypothesize and reason about missed attacks (or unknown variations of known attacks). This approach is based on their observation that when some intermediate attacks in a scenario are missed by IDSs, the attack scenario may be split into multiple attack scenarios. However, if the alerts in these multiple scenarios still satisfy certain equality constraints, then the possibly missed attacks may be hypothesized, and their attribute values may be derived. In addition, these hypothesized attacks are validated or invalidated against the original audit data, and invalidated hypotheses are filtered out. Finally, based on the existing alerts as well as the hypothesized attacks, the hypothesized attacks are consolidated and concise attack scenarios are constructed. Thus, simply speaking, a series of techniques is proposed in [38], including attack constraint extraction, attack hypothesizing, attribute inference, hypothesized attack filtering, and hypothesized attack consolidation.
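
The prerequisite/consequence correlation and the attack hypothesizing described in the two passages above, as an added example that is not code from Ning et al. [33,37], Ning and Xu [38] or the TIAA toolkit: alert types are triples (attr, prereq, conseq) over predicate templates; prerequisites and consequences are instantiated by substituting attribute values; a prepare-for edge links an earlier alert to a later one whose instantiated prerequisite it satisfies; and for a later alert that nothing prepares for, a single known attack type that would bridge it from an earlier alert is hypothesized, its attributes inferred from the later alert under the equality constraint that they agree with the earlier alert. The attack type names, predicates and alert stream are constructed placeholders for this example, not a real attack library; the audit-data validation step of [38] is not modelled.

```python
"""Prepare-for correlation graphs with hypothesized missed attacks.

Added example, not code from the surveyed papers or TIAA. Type names,
predicates and alerts are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# (predicate name, argument): the argument is an attribute name in a template
# and an attribute value once instantiated.
Predicate = Tuple[str, str]


@dataclass(frozen=True)
class AlertType:
    name: str
    prereq: FrozenSet[Predicate]
    conseq: FrozenSet[Predicate]


@dataclass
class Alert:
    id: str
    type: str
    attrs: Dict[str, str]
    ts: float


# Constructed knowledge base of alert types (placeholders, not real signatures).
KB: Dict[str, AlertType] = {t.name: t for t in [
    AlertType("PortScan", frozenset(), frozenset({("ExistService", "dst")})),
    AlertType("ServiceProbe", frozenset({("ExistService", "dst")}),
              frozenset({("VulnerableService", "dst")})),
    AlertType("RemoteExploit", frozenset({("VulnerableService", "dst")}),
              frozenset({("RootAccess", "dst")})),
    AlertType("BackdoorInstall", frozenset({("RootAccess", "dst")}),
              frozenset({("Backdoor", "dst")})),
]}


def instantiate(preds: FrozenSet[Predicate], attrs: Dict[str, str]) -> Set[Predicate]:
    """Replace attribute names in the templates with the alert's attribute values."""
    return {(p, attrs[arg]) for p, arg in preds}


def prereqs(a: Alert) -> Set[Predicate]:
    return instantiate(KB[a.type].prereq, a.attrs)


def conseqs(a: Alert) -> Set[Predicate]:
    return instantiate(KB[a.type].conseq, a.attrs)


def prepare_for(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """Edges (earlier.id, later.id) where an instantiated consequence of the
    earlier alert matches an instantiated prerequisite of the later one."""
    return [(a.id, b.id) for a in alerts for b in alerts
            if a.ts < b.ts and conseqs(a) & prereqs(b)]


def hypothesize_missing(alerts: List[Alert]) -> List[Alert]:
    """For each later alert that no earlier alert prepares for, try every known
    type as a bridge: its prerequisite must be provided by some earlier alert,
    its consequence must feed the later alert, and (equality constraint) its
    attributes, inferred from the later alert, must agree with the earlier
    alert wherever both carry the same attribute."""
    satisfied = {later for _, later in prepare_for(alerts)}
    hyps: Dict[Tuple[str, Tuple[Tuple[str, str], ...]], Alert] = {}
    for later in alerts:
        if later.id in satisfied or not prereqs(later):
            continue
        for earlier in alerts:
            if earlier.ts >= later.ts:
                continue
            for t in KB.values():
                needed = {arg for _, arg in t.prereq | t.conseq}
                if not needed <= set(later.attrs):
                    continue
                attrs = {arg: later.attrs[arg] for arg in needed}   # attribute inference
                if any(earlier.attrs.get(k, v) != v for k, v in attrs.items()):
                    continue
                if (instantiate(t.prereq, attrs) <= conseqs(earlier)
                        and instantiate(t.conseq, attrs) & prereqs(later)):
                    key = (t.name, tuple(sorted(attrs.items())))
                    # place the hypothesized alert between the two it bridges
                    hyps.setdefault(key, Alert(f"hyp-{t.name}", t.name, attrs,
                                               (earlier.ts + later.ts) / 2))
    return list(hyps.values())


def correlation_graph(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """Prepare-for edges over the observed alerts plus the hypothesized ones."""
    return prepare_for(alerts + hypothesize_missing(alerts))


# Constructed alert stream: the RemoteExploit step against 192.0.2.10 was missed.
SAMPLE_ALERTS = [
    Alert("a1", "PortScan", {"src": "203.0.113.7", "dst": "192.0.2.10"}, 1.0),
    Alert("a2", "ServiceProbe", {"src": "203.0.113.7", "dst": "192.0.2.10"}, 2.0),
    Alert("a4", "BackdoorInstall", {"src": "203.0.113.7", "dst": "192.0.2.10"}, 4.0),
    Alert("a5", "PortScan", {"src": "203.0.113.7", "dst": "192.0.2.11"}, 5.0),
]

if __name__ == "__main__":
    for edge in correlation_graph(SAMPLE_ALERTS):
        print(" -> ".join(edge))
```

Without hypothesizing, the sample stream yields the single edge a1 -> a2 and the BackdoorInstall alert stands alone, which is exactly the scenario split the passage describes; with the bridge hypothesis the graph becomes a1 -> a2 -> hyp-RemoteExploit -> a4, while the scan of the other host stays unconnected because the equality constraint on dst is not met.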
The proposed techniques have also been implemented and integrated into TIAA. Though the proposed techniques attempt to improve IDS detection results, the actual performance is still limited by the performance of the IDSs. In the worst case, if the IDSs miss all attacks, or all alerts are false ones, the proposed techniques will not perform well. Thus, the proposed techniques are expected to generate better results if the performance of

IDSs is improved.

Approaches Based on Multiple Information Sources

To protect digital assets, it is usually considered good practice to deploy multiple complementary security systems in networks and hosts. These security systems may include firewalls, authentication services, antivirus tools, vulnerability scanners, and IDSs. Generally, different systems have different capabilities, and combining them can potentially provide better protection to networks and hosts. Thus, these approaches integrate different types of information and may further perform reasoning based on IDS alerts and other information. The potentially better protection offered by multiple heterogeneous security systems also brings challenging problems to security officers. Specifically, as mentioned earlier, one IDS may report thousands of alerts every day, and multiple security systems can make this situation much worse. Security officers will be overwhelmed by such a high volume of alerts. In addition, different systems usually run and act independently, and the lack of cooperation among them makes incident investigation very difficult. In other words, it is quite challenging to perform correlation analysis among the huge number of security events reported by different systems [43,62]. To address this challenging problem, some examples are:

Mission-Impact-Based Approach

In 2002, Porras, Fong, and Valdes [44] proposed a mission-impact-based approach to automate the correlation of alerts from different systems such as firewalls and IDSs. Central to this approach are two knowledge bases and a sequence of alert processing steps. The two knowledge bases are very important for topology vetting:

- The incident handling fact base is a comprehensive repository including all the necessary information about attacks, vulnerabilities, and so forth.
- The topology map of the protected networks and hosts includes topological and configuration information about the network.
The alert processing steps include:

- Alert filtering: users choose to subscribe to the alerts that are important to their networks and hosts.
- Topology vetting: based on the knowledge bases, a relevance score is computed for each alert. The score represents the degree of dependency between the incident and the related network and host configurations.
- Priority computation: shows the degree to which an incident affects the mission of the networks, considering two factors: the computing resources and data assets, and the security incidents.
- Incident ranking: for each alert, an incident rank is computed to represent the overall impact that the incident brings to the target networks, as well as the probability that the incident is successful.
- Alert clustering analysis: performed through the clustering policy, similar to similarity-based alert correlation.

The proposed techniques were developed as a prototype system, the Mission Impact Intrusion Report Correlation System (M-Correlator). To test its effectiveness, experiments were conducted in a simulated network where multiple security systems were deployed. In one of the experiments, 79 alerts were produced by the security systems, and after a sequence of processing, only 4 clusters were generated in alert clustering/aggregation.

A Data Model M2D2 for Alert Correlation

To facilitate alert correlation and threat analysis, Morin et al. [25] proposed a formal data model, M2D2. It is presented using the Z and B formal methods. Four types of information are formalized:

- Information system characteristics: the features of networks and hosts, network topology, and the products under monitoring and protection.
- Vulnerability information, which is specific to certain network and host configurations.
- Security systems and tools: the focus is on IDSs and vulnerability scanners. IDS detection methods, detection capability, and other necessary information may be included.
- Events, alerts and scans: events are usually low-level activities observed by systems.
Alerts are reported by IDSs, and scans are generated by vulnerability scanners.

M2D2 reuses other models, for instance Vigna's topological model. The first contribution of M2D2 is thus the integration of multiple interesting and relevant concepts into a unified framework. Its second contribution ensures that the processing of security information, and in particular alert correlation, is anchored on a rigorous model representing the information being processed.

Triggering Events and Common Resources Based Approach

In 2004, Xu and Ning [59] proposed to correlate alerts from multiple security systems through triggering events and input and output resources. This approach can be divided into three steps:

- Alert clustering through triggering events. To perform alert clustering, all the triggering events (the low-level events that trigger alerts) are discovered for each alert in the data set. Next, the alerts with similar triggering events are grouped, where similar events means that either the events are the same, or one event implies another.
- Alert severity evaluation, through examining whether alerts are consistent (or inconsistent) with the corresponding network and host configurations.
- Attack scenario construction through input and output resources. Intuitively, input resources are the resources necessary to launch an attack successfully, and output resources are the resources that an attack can provide if it succeeds.

The proposed techniques were evaluated; in one data set, 529 alerts were generated. Clustering analysis resulted in 512 clusters. The next step of severity evaluation identified several low-severity alerts. Finally, attack scenario construction produced 10 scenario graphs.

Approaches Based on Filtering Algorithms

Filter-based approaches have been proposed to remove the need for a complicated attack step library and to reduce irrelevant alerts. By using a specific filtering algorithm, prospective alerts are prioritized by their criticality to the protected systems. In 2002, Porras, Fong, and Valdes [44] proposed a mission-impact-based approach where a filtering algorithm is used in the alert processing steps (see Section ). Unfortunately, the existing filter-based approaches are still at a preliminary stage for the following reasons [67]:

- The alert correlation methods used in a CIDS need to be deployed in multiple networks with heterogeneous system configurations. However, the filtering algorithms applied are system specific, i.e., alert verification relies on information about the security configuration of the protected network. Consequently, they are expensive to deploy in comparison to the general approaches that support dynamic mechanisms for alert verification.
- The detection accuracy of alert correlation depends on a detailed description of patterns in the filtering algorithm. Consequently, there is a trade-off between the expressiveness of the filtering algorithm and the corresponding computational complexity involved, which is not addressed in existing research.

Privacy Issues in Alert Correlation

In recent years, the threat from large-scale attacks such as worms and distributed denial of service attacks has been increasing. To defend against these attacks, it is desirable that different organizations and companies cooperate in sharing attack-related data and performing correlation analysis [43,62]. When security data is collected from different companies and organizations, the privacy concerns of those different data owners have to be satisfied before data can be shared. Thus, appropriate data sanitization techniques that can fulfill the data owners' requirements are necessary.
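
One sanitization technique of the kind this section goes on to survey (generalization of a sensitive attribute up a concept hierarchy, in the spirit of Xu and Ning [60,61]), as an added example that is not code from their work or any surveyed system: the data owner states a minimum entropy h_min, and the destination address of every alert is replaced by the most specific concept (host, /24, /16, any) at which each generalized value still leaves at least h_min bits of uncertainty about the original address. Replacing the address by a fixed value is the degenerate top level of this hierarchy. The hierarchy, the way the entropy criterion is applied per generalized value, and the alerts are constructions for this example; correlation then runs on the sanitized attribute.

```python
"""Entropy-guided generalization of an alert attribute up a concept hierarchy.

Added example, not code from the surveyed papers. The hierarchy, the
criterion and the alerts are constructed for this example.
"""
import ipaddress
import math
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Tuple


def _prefix(bits: int) -> Callable[[str], str]:
    return lambda ip: str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


# Concept hierarchy for an IPv4 attribute, most specific level first.
HIERARCHY: List[Tuple[str, Callable[[str], str]]] = [
    ("host", lambda ip: ip),
    ("/24", _prefix(24)),
    ("/16", _prefix(16)),
    ("any", lambda ip: "*"),        # the 'replace by a fixed value' sanitization
]


def entropy(counts: Counter) -> float:
    """Shannon entropy in bits of the distribution given by counts."""
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def bucket_entropies(values: List[str], level_fn: Callable[[str], str]) -> Dict[str, float]:
    """For each generalized value, the entropy of the original values it covers,
    i.e. how much an outsider seeing the sanitized value still does not know."""
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for v in values:
        buckets[level_fn(v)][v] += 1
    return {g: entropy(c) for g, c in buckets.items()}


def choose_level(values: List[str], h_min: float) -> str:
    """Most specific level at which every generalized value hides >= h_min bits."""
    for name, fn in HIERARCHY:
        if all(h >= h_min for h in bucket_entropies(values, fn).values()):
            return name
    return HIERARCHY[-1][0]


def sanitize(alerts: List[Dict[str, str]], attr: str, h_min: float):
    """Return (chosen level, copies of the alerts with `attr` generalized)."""
    level = choose_level([a[attr] for a in alerts], h_min)
    fn = dict(HIERARCHY)[level]
    return level, [{**a, attr: fn(a[attr])} for a in alerts]


def cluster_sanitized(alerts: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Similarity on sanitized attributes: alerts match when classification and
    generalized destination are equal; returns cluster sizes."""
    return dict(Counter((a["classification"], a["dst_ip"]) for a in alerts))


# Constructed alerts from one organisation (addresses from documentation ranges).
SAMPLE_ALERTS = (
    [{"classification": "Port scan", "src_ip": "203.0.113.7", "dst_ip": f"192.0.2.{h}"}
     for h in (10, 11, 12, 13, 20)]
    + [{"classification": "SSH brute force", "src_ip": "203.0.113.9", "dst_ip": f"198.51.100.{h}"}
       for h in (5, 6, 7, 8)]
)

if __name__ == "__main__":
    level, sanitized = sanitize(SAMPLE_ALERTS, "dst_ip", h_min=1.5)
    print(level, cluster_sanitized(sanitized))
```

With h_min = 1.5 the sample sanitizes to /24 networks and the scan of five hosts still correlates into one cluster of five; raising h_min to 2.5 forces the top level, where every destination becomes "*" and the per-network structure that the analyst needs is gone, which is the privacy/utility trade-off the text describes.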
Some efforts to address the privacy issues have been to either partially or completely replace the IP address by a fixed value [43,62]. Besides the privacy concerns of data owners, security analysts are also interested in the utility of sanitized data sets. To be more specific, the correlation analysis of sanitized data sets should still provide useful information to help them understand security threats. However, since data sanitization usually has a negative impact on the later correlation analysis, appropriate techniques that can preserve the utility of sanitized data are equally important [43,62]. To address these challenges, several privacy-preserving alert sharing and correlation techniques have been proposed recently [60,61]. Some examples are:

Generalization and Perturbation Based Approaches

In 2005 and 2006, Xu and Ning [60,61] proposed the use of concept hierarchies to balance privacy requirements and the need for intrusion analysis. There are two phases in their approach. First, they use entropy-guided alert sanitization to generalize sensitive alert attributes to high-level concepts. Then they define similarity functions between sanitized attributes and build attack scenarios from sanitized alerts.

Research Challenges for Alert Correlation

Open issues of existing alert correlation approaches are:

- How to support increasing levels of expressiveness during correlation without sacrificing computational efficiency? For example, the similarity-based approaches are computationally efficient, but they are limited in their ability to discover complicated coordinated attacks due to their lack of alert expressiveness. In contrast, the attack-scenario-based and multi-stage approaches have sufficient expressiveness to detect complicated coordinated attacks, but their computational complexity and the requirement for complete knowledge of attack behavior make them impractical for use in a large-scale CIDS.
The filter-based approaches are also expensive to deploy in a large-scale CIDS, since the algorithm needs to be customized to different systems [67].
- How to maximize detection accuracy in a CIDS while minimizing communication and computational overhead? Attack-scenario and multi-stage approaches can achieve a high level of accuracy, assuming a complete and updated attack type library is in place, but their intensive computational overhead prevents them from promptly detecting attacks in real time. Similarity-based and filter-based approaches are computationally efficient, but both have limited accuracy, i.e., similarity-based approaches are not able to discover causality between related alerts, and filter-based approaches are only able to detect system-specific attacks [67].

6. Computational Intelligence Approaches

6.1. Artificial Neural Networks

An ANN consists of a collection of processing units called neurons that are highly interconnected in a given topology. ANNs have the ability of learning by example and generalizing from limited, noisy, and incomplete data [58].

Fig. 7. Types of ANNs reviewed [58].

Supervised Learning

Feed Forward Neural Networks

Multi-layered Feed Forward (MLFF) Neural Networks use various learning techniques, the most popular being backpropagation (MLFF-BP). In early development of IDSs,

14 MLFF-BP networks were applied primarily to anomaly detection on user behavior level. Later, research interests shifted from user behavior to software behavior described by sequences of system calls. This is because system call sequences are more stable than commands [58]. Radial Basis Function Neural Networks perform classification by measuring distances between inputs and the centers of the RBF hidden neurons. RBF networks are much faster than time consuming back-propagation, and more suitable for problems with large sample size. Comparison between MLFF-BP and RBF networks for misuse and anomaly detection on the KDD99 dataset, showed that for misuse detection, BP has a slightly better performance than RBF in terms of DR and false positive rate, but requires longer training time. For anomaly detection, the RBF network improves performance with a high DR and a low false positive rate, and requires less training time (cutting it down from hours to minutes). All in all, RBF networks achieve better performance. Recurrent Neural network Elman network were initially used for forecasting, where a network predicted the next event in an input sequence. When there is sufficient deviation between a predicted output and an actual event, an alarm is issued [58]. The incorporation of memory in neural networks has led to the invention of recurrent links, hence the name Recurrent Neural Networks (RNN) or Elman network. Cerebellar Model Articulation Controller (CMAC) neural network is another type of recurrent network, which has the capability for incremental learning. It avoids retraining a neural network every time when a new intrusion appears [58] Unsupervised Learning Self-Organizing Maps and Adaptive Resonance Theory are two typical unsupervised neural networks. Similar to statistical clustering algorithms, they group objects by similarity. 
They are suitable for ID tasks in that normal behavior is densely populated around one or two centers, while abnormal behavior and intrusions appear in sparse regions of the pattern space outside of normal clusters [58].

Self-Organizing Maps (SOM), also known as Kohonen maps, are single-layer feed forward networks where outputs are clustered in a low dimensional (usually 2D or 3D) grid. A SOM preserves the topological relationships of input data according to their similarity. SOMs are the most popular neural networks to be trained for anomaly detection tasks. Nevertheless, SOMs have been used in misuse detection as well, where a SOM functioned as a data pre-processor to cluster input data. Other classification algorithms, such as feed forward neural networks, were then trained on the output from the SOM [58].

Adaptive Resonance Theory embraces a series of neural network models that perform unsupervised or supervised learning, pattern recognition, and prediction. Unsupervised learning models include ART-1, ART-2, ART-3, and Fuzzy ART. Compared with SOMs, which cluster data objects based on the absolute distance, ARTs cluster objects based on the relative similarity of input patterns to the weight vector. Fuzzy ART nets combine fuzzy set theory and adaptive resonance theory. This combination is faster and more stable than ART nets alone in responding to arbitrary input sequences [58].

Fuzzy Sets

Intrusion Detection and Fuzzy Logic

There are two major reasons to introduce fuzzy logic for ID. First, the ID problem involves many numeric attributes in collected audit data, and various derived statistical measures. Building models directly on numeric data causes high detection errors. For example, an intrusion that deviates only slightly from a model may not be detected, or a small change in normal behavior may cause a false alarm [58]. Second, security itself includes fuzziness. Given a quantitative measurement, a range value or an interval can be used to denote a normal value.
Then, any values falling outside the interval will be considered anomalies to the same degree regardless of their different distances to the interval. The same applies to values inside the interval, i.e., all will be viewed as normal to the same degree. Unfortunately, this causes an abrupt separation between normality and anomaly. For example, a value inside the border is assumed normal whereas another value outside the border is assumed abnormal even though there is only a very small difference between these two values. The introduction of fuzziness to these quantitative features will help to smooth the abrupt separation and produce more general rules, which will increase the flexibility of the IDSs [23,40].

The Use of Fuzzy Logic in Misuse Detection

Fuzzy misuse detection uses fuzzy models, such as fuzzy rules or fuzzy classifiers, to detect various intrusive behaviors. When fuzzy logic was initially introduced to the ID domain, it was integrated with expert systems. Fuzzy rules substituted ordinary rules so as to map knowledge represented in natural language more accurately to computer languages. Fuzzy rules were created by security experts based on their domain knowledge. Due to the rapid development of computational intelligence, approaches with learning and adaptive capabilities have been widely used to automatically construct fuzzy rules. These approaches are artificial neural networks, evolutionary computation, and artificial immune systems. Another application of fuzzy logic is decision fusion, which means that fuzzy logic fuses outputs from different models, which are sent to fuzzy inference systems to prepare a final fuzzy decision. Similar fuzzy inference systems were used to combine decisions of multiple decision trees, multiple neuro-fuzzy classifiers, and other models [58].
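To make the abrupt-separation argument above concrete, the following added example (not code from the paper or its authors) contrasts a crisp normal interval with overlapping fuzzy sets over one constructed feature, connections per second, and resolves fuzzy rules that fire at the same time with the winner-takes-all approach; the interval, the fuzzy sets, the rules and their certainty grades are all assumptions.

```python
"""Crisp interval vs. fuzzy membership for an IDS feature (added example).

Constructed scenario: the feature is "connections per second" taken from a
flow record; the analyst's crisp normal interval is [0, 50]. The fuzzy sets,
rules and certainty grades below are assumptions, not values from the paper.
"""


def crisp_is_anomalous(value, low=0.0, high=50.0):
    """Crisp detector: 50.0 is normal and 50.1 is an attack, to the same
    degree as 5000.0 -- the abrupt separation the text describes."""
    return not (low <= value <= high)


def left_shoulder(x, c, d):
    """Membership 1 up to c, falling linearly to 0 at d."""
    if x <= c:
        return 1.0
    if x >= d:
        return 0.0
    return (d - x) / (d - c)


def right_shoulder(x, a, b):
    """Membership 0 up to a, rising linearly to 1 at b."""
    if x <= a:
        return 0.0
    if x >= b:
        return 1.0
    return (x - a) / (b - a)


def trapezoid(x, a, b, c, d):
    """Membership 0 outside (a, d), 1 on [b, c], linear in between."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


# Linguistic terms for the feature (constructed). They overlap, so a value
# near the old crisp border is partly MEDIUM and partly HIGH instead of
# flipping from "normal" to "attack" at a single point.
FUZZY_SETS = {
    "LOW": lambda x: left_shoulder(x, 20.0, 40.0),
    "MEDIUM": lambda x: trapezoid(x, 20.0, 40.0, 60.0, 80.0),
    "HIGH": lambda x: right_shoulder(x, 60.0, 80.0),
}

# Fuzzy if-then rules: (antecedent term, consequent class, certainty grade).
# Two rules share the MEDIUM antecedent, so they conflict whenever it fires.
RULES = [
    ("LOW", "normal", 1.0),
    ("MEDIUM", "normal", 0.6),
    ("MEDIUM", "attack", 0.4),
    ("HIGH", "attack", 1.0),
]


def fire_rules(value):
    """Compatibility grade of the input with every rule: membership of the
    antecedent term multiplied by the rule's certainty grade."""
    return [(label, FUZZY_SETS[term](value) * certainty)
            for term, label, certainty in RULES]


def fuzzy_classify(value):
    """Winner-takes-all conflict resolution: the rule with the largest
    compatibility grade decides. Returns (class, degree), so 70 conn/s is
    'attack' with degree 0.5 rather than a bare 'attack'."""
    label, degree = max(fire_rules(value), key=lambda pair: pair[1])
    return label, degree


def compare(value):
    """Side-by-side view of both detectors for one observed value."""
    label, degree = fuzzy_classify(value)
    return {"value": value, "crisp_attack": crisp_is_anomalous(value),
            "fuzzy_class": label, "fuzzy_degree": round(degree, 3)}


if __name__ == "__main__":
    for v in (10.0, 50.0, 50.1, 70.0, 90.0):
        print(compare(v))
```

At 50.1 the crisp check already raises an alarm while the fuzzy rules still classify the value as normal with degree 0.6; the fuzzy verdict only moves to "attack" as the HIGH membership grows.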

The Use of Fuzzy Logic in Anomaly Detection

Fuzzy logic plays an important role in anomaly detection, too. As stated in Section 3.3, a major difficulty of anomaly detectors lies in discovering boundaries between normal and abnormal behavior. This aspect may be addressed using fuzzy theory, as it has demonstrated its power in managing uncertainties and mimicking the human decision-making process. Fuzzy logic helps smooth the abrupt separation of normal and abnormal data. Recent research interests are to build fuzzy normal behavior profiles with the help of data mining. Fuzzy logic has also worked with another popular data mining technique, outlier detection, for anomaly detection. According to the hypothesis of IDSs, malicious behavior is naturally different from normal behavior. Hence, abnormal behavior should be considered as outliers. Fuzzy C-Medoids algorithms and fuzzy C-Means algorithms are two common clustering approaches to identify outliers. Like all clustering techniques, they are affected by the curse of dimensionality, thus suffering performance degradation when confronted with datasets of high dimensionality. Feature selection is therefore a necessary data pre-processing step [58].

The Use of Fuzzy Logic in P2P Systems

In 2005, Song et al. [49] attempted to develop an effective and efficient reputation system based on a fuzzy-logic approach, leveraging the ability of fuzzy logic to handle uncertainty, fuzziness, and incomplete information adaptively. To this end, they first analyzed the data to sort out peers' behavioral characteristics. Then they built FuzzyTrust, a prototype P2P reputation system that helps establish mutual trust among peers in P2P applications. Their system uses fuzzy logic inference rules to calculate local trust scores and to aggregate global reputation. This system benefits from the distinct advantages of fuzzy inference, which can handle imprecise linguistic terms effectively.
We recommend further research to investigate the applicability of using their idea in our proposed system, in order to establish trust between participating IDSs.

Evolutionary Computation

Evolutionary Computation (EC), a creative process gleaned from evolution in nature, plays various roles in solving intrusion detection problems, such as searching for an optimal solution, automatic model design, and learning for classifiers. In addition, experiments reasserted the effectiveness and accuracy of EC [58]. Evolutionary algorithms, e.g. Genetic Algorithms (GA), are used for automatic model structure design of networks. Evolutionary algorithms can also be used to generate two types of classifiers: classification rules and transformation functions. A classification rule is a rule with an if-then clause, where the rule antecedent (IF part) contains a conjunction of conditions on predicting attributes, and the rule consequent (THEN part) contains the class label. In this sense, evolving classification rules can be regarded as concept learning [58].

Artificial Immune Systems

Applying theoretical immunology and observed immune functions, its principles, and its models to IDS has gradually developed into a new research field, called artificial immune systems (AIS). AIS based IDSs perform anomaly detection. However, instead of building models for the normal, they generate non-self (anomalous) patterns given normal data only. Any match to a non-self pattern will be labeled as an anomaly [58].

7. Soft Computing

Soft computing is an innovative approach to constructing a computationally intelligent system which parallels the extraordinary ability of the human mind to reason and learn in an environment of uncertainty and imprecision. Typically, soft computing embraces several computational intelligence methodologies, including ANNs, fuzzy logic, EC, and probabilistic computing, and has recently also subsumed artificial immune systems, belief networks, etc.
These members are neither independent of nor in competition with one another. Rather, they work in a cooperative and complementary way [58]. The synergism of these methods can be tight or loose. Tightly coupled soft computing systems are also known as hybrid systems. In a hybrid system, approaches are mixed in an inseparable manner. Neuro-fuzzy systems, genetic fuzzy systems, genetic-neuro systems and genetic-fuzzy-neuro systems are the most visible systems of this type. Comparatively, loosely coupled soft computing systems, or ensemble systems, assemble these approaches together. Each approach can be clearly identified as a module. Soft computing can be used to learn uncertain and imprecise intrusive knowledge:

7.1. Artificial Neural Networks and Fuzzy Systems

Artificial neural networks model complex relationships between inputs and outputs and try to find patterns in data. Unfortunately, the output models are often not represented in a comprehensible form, and the output values are always crisp. Fuzzy systems, in contrast, have been proven effective when dealing with imprecision and approximate reasoning. However, determining appropriate membership functions and fuzzy rules is often a trial and error process. The fusion of neural networks and fuzzy logic benefits both sides: neural networks facilitate the process of automatically developing a fuzzy system through their learning and adaptation ability (this combination is called a neuro-fuzzy system), and fuzzy systems make ANNs robust and adaptive by translating a crisp output into a fuzzy one (this combination is called a fuzzy neural network, FNN) [58].

Neuro-fuzzy systems are commonly represented as a multilayer feed forward neural network, as shown in Fig. 8. The neurons in the first layer accept input information. The second layer contains neurons which transform crisp values to fuzzy sets, and output the fuzzy membership degree based on the associated fuzzy membership function. Neurons in the third layer represent the antecedent part of a fuzzy rule. Their outputs indicate how well the prerequisites of each fuzzy rule are met. The fourth layer performs defuzzification, and associates an antecedent part with a consequent part of a rule. Sometimes more than one defuzzification layer is used. The learning methods work similarly to those of ANNs. According to the errors between output values and target values, membership functions and weights between the reasoning layer and the defuzzification layer are adjusted. Through learning, fuzzy rules and membership functions will be automatically determined. Intrusion detection systems normally employ neuro-fuzzy systems for classification tasks [58].

Fig. 8. A generic model of a neuro-fuzzy system [58]

Evolutionary Computation and Fuzzy Systems

As Evolutionary Computation is a paradigm with learning and adaptive capabilities, it became another option for automatically designing and adjusting fuzzy rules. EC approaches, especially GAs and Genetic Programming (GP), can be used to generate crisp rules to classify normal or intrusive behavior. Technically, evolving fuzzy rules is identical to evolving crisp if-then rules, but with two extra steps. The first step is to determine fuzzy sets and corresponding membership functions for continuous attributes before evolution. Since it is difficult to guarantee that a partition of fuzzy sets for each fuzzy variable is complete and well distinguishable, genetic algorithms have proven useful at tuning membership functions. The second step is to calculate the compatibility grade of each data instance with the fuzzy rules, either at the fitness evaluation or the detection phase. Possibly the same input data instance will trigger more than one fuzzy rule at the same time. The winner-takes-all approach and majority vote are two commonly used techniques to resolve the conflict.
The winner refers to the rule with the maximum degree of certainty of its fuzzy if-then rule [58].

Role of Ensemble Approaches in Intrusion Detection

The ensemble approach assembles different learning approaches to detect intrusions. Different models provide complementary information about the patterns to be classified. So instead of using one model to classify all classes, researchers selected the best model for each class, and then combined them in a way that both computational efficiency and detection accuracy can be maximized. For example, a linear genetic programming (LGP) model was used on the Probe, DoS and R2L classes, while a fuzzy classifier was used on the U2R class. Sometimes techniques such as majority vote or winner-takes-all will be used to decide the output of an ensemble model when the predictions of different models conflict [58].

8. Proposed Solution Strategy

Fig. 9 shows the components of the proposed architecture, which is developed with the IIDS goals in mind.

Fig. 9. A Proposed Architecture of IID Model with Alert Correlation. (A modified version of the architectures proposed in [4,16,23,66])

Components of the Proposed Architecture

Intrusion Detection Module: an IIDS consisting of misuse and anomaly-based detection modules. Each IDS has a detection unit that monitors its subnetwork or hosts separately and generates low-level intrusion alerts, and a correlation unit in which alert aggregation is done. Before the aggregation process analyzes the alerts, alerts from multiple IDSs with different output formats first need to be converted into a unified standard representation, e.g. IDMEF [71]. Each IDS communicates via a content-based correlation scheme, i.e. a publish-subscribe model for correlation. An IDS reports an alert to the CIDS when a possible attack is detected, known as subscription, i.e., registering its interest to confirm a large-scale coordinated attack. If enough subscribed alerts are received, then the CIDS publishes a notification of a confirmed attack [67].
Considering that participants are fully trusted, load balancing will be needed, as the correlation load is distributed in a decentralized manner. To route subscribed alerts automatically to the responsible peer for correlation, a P2P content-based routing overlay network is used.
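The subscribe/publish correlation and content-based routing described for the Intrusion Detection Module, as an added example that is not the paper's implementation: two constructed native alert formats are normalized into a minimal IDMEF-like record (only the fields used here, not the full IDMEF schema), the responsible correlator peer is chosen by hashing the alert's content key in place of a real routing overlay, and a confirmation is published once THRESHOLD distinct IDSs have subscribed about the same target and attack class; all names, formats and addresses are assumptions.

```python
"""Subscribe/publish alert correlation over a content-routed CIDS (added example).

Assumptions (none of this is the paper's implementation): alerts from a
network IDS and a host IDS arrive in two different constructed native formats
and are normalized into a minimal IDMEF-like record (analyzer, source, target,
classification). The responsible correlator peer is selected by hashing the
alert's content key, standing in for the P2P content-based routing overlay.
An attack is confirmed (published) once THRESHOLD distinct IDSs have
subscribed with alerts about the same (target, classification).
"""
import hashlib
from collections import defaultdict

THRESHOLD = 3  # constructed: distinct reporting IDSs needed before publishing


def from_nids(analyzer, raw):
    """Constructed network-IDS native format: 'src|dst|classification'."""
    src, dst, classification = raw.split("|")
    return {"analyzer": analyzer, "source": src, "target": dst,
            "classification": classification}


def from_hids(analyzer, raw):
    """Constructed host-IDS native format: a dict with peer/host/event keys."""
    return {"analyzer": analyzer, "source": raw["peer"], "target": raw["host"],
            "classification": raw["event"]}


def content_key(alert):
    """Correlation key: alerts about the same target and attack class belong
    together, whichever IDS produced them."""
    return f"{alert['target']}/{alert['classification']}"


def responsible_peer(alert, peer_names):
    """Content-based routing: hash the key so the same (target, class) always
    lands on the same peer and the correlation load spreads over all peers."""
    digest = hashlib.sha256(content_key(alert).encode()).digest()
    return peer_names[int.from_bytes(digest[:8], "big") % len(peer_names)]


class CorrelatorPeer:
    """One node of the decentralized correlation layer."""

    def __init__(self, name):
        self.name = name
        self.subscriptions = defaultdict(set)  # content key -> reporting IDSs
        self.published = []

    def subscribe(self, alert):
        """Register the IDS's interest in confirming this attack. Repeats from
        the same IDS do not count twice; a notification is published exactly
        once, when the threshold is first reached."""
        key = content_key(alert)
        reporters = self.subscriptions[key]
        reporters.add(alert["analyzer"])
        if len(reporters) == THRESHOLD:
            note = {"confirmed": key, "reporters": sorted(reporters),
                    "peer": self.name}
            self.published.append(note)
            return note
        return None


def run_cids(peers, unified_alerts):
    """Route each unified alert to its responsible peer; return publications."""
    by_name = {p.name: p for p in peers}
    names = [p.name for p in peers]
    published = []
    for alert in unified_alerts:
        note = by_name[responsible_peer(alert, names)].subscribe(alert)
        if note is not None:
            published.append(note)
    return published


# Constructed alert stream with constructed addresses.
SAMPLE_ALERTS = [
    from_nids("nids-A", "198.51.100.7|10.0.0.5|portscan"),
    from_hids("hids-B", {"peer": "198.51.100.7", "host": "10.0.0.5",
                         "event": "portscan"}),
    from_nids("nids-A", "198.51.100.7|10.0.0.5|portscan"),  # repeat, same IDS
    from_nids("nids-C", "198.51.100.7|10.0.0.5|portscan"),  # third distinct IDS
    from_nids("nids-C", "203.0.113.9|10.0.0.8|portscan"),   # different target
]

if __name__ == "__main__":
    peers = [CorrelatorPeer("peer-1"), CorrelatorPeer("peer-2")]
    for note in run_cids(peers, SAMPLE_ALERTS):
        print("confirmed attack:", note)
```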

The alert correlation component: After the alert aggregation process, clean and synthesized alerts containing detailed information from all active IDSs are sent to this component for further analysis. The alerts are then correlated, i.e. logically linked together, using criteria and algorithms based on AI techniques. Cooperation with system audit data or network traffic data is needed.

Decision-Making Module: Given the observed audit trail, it will decide which ID module is to be activated. The known attack signatures for misuse detection are obtained from IDS providers. Each misuse detection unit first obtains the audit records from traffic data, then consults the attack signature DB in the decision-making module to detect attacks. The unknown (or unmatched) attacks are then sent back to the decision-making module, which forwards them to the anomaly detection module. Each anomaly IDS uses training data from normal audit traffic records to detect anomalies, and then consults the signature generator in the decision-making module to generate signatures for these detected attacks. Hence, the attack signature DB is updated automatically from the signature generator. Feedback of correlated alerts is also sent from the alert correlation component to the intrusion recognition module through the decision-making module.

Communication Module: Bridge between the decision-making module and the intrusion recognition module.

Intrusion Recognition Module: The observed audit trail or network traffic will be collected and preprocessed, and then sent to the decision-making module for intrusion evaluation. Feedback can be returned to the intrusion recognition module, and an alert report is then generated.
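The misuse-then-anomaly routing of the Decision-Making Module, with the signature generator feeding new signatures back into the DB, as an added example (not the paper's code): audit records are system-call sequences, a signature is a 3-gram of calls, the anomaly detector is a profile of 3-grams seen in attack-free training data, and the last record shows why an anomaly-induced signature can raise a false alarm on rare benign activity; the data and the n-gram design are assumptions.

```python
"""Misuse -> anomaly -> signature-generator loop of the decision-making module
(added example, not the paper's code).

Assumptions: an audit record is a system-call sequence; a misuse signature is
a 3-gram of system calls; the anomaly detector is a profile of 3-grams seen in
normal training data (a stand-in for whatever anomaly engine an IDS uses); the
signature generator turns an anomalous record's unseen 3-grams into signatures.
"""

N = 3  # n-gram length (constructed)


def ngrams(calls):
    """All contiguous N-grams of a system-call sequence."""
    return {tuple(calls[i:i + N]) for i in range(len(calls) - N + 1)}


class DecisionMakingModule:
    def __init__(self, provider_signatures, normal_training):
        # Known attack signatures, as obtained from IDS providers.
        self.signature_db = set(provider_signatures)
        # Normal profile built from attack-free training records.
        self.normal_profile = set()
        for record in normal_training:
            self.normal_profile |= ngrams(record)

    def misuse_detect(self, record):
        """Misuse unit: audit record against the attack signature DB."""
        return ngrams(record) & self.signature_db

    def anomaly_detect(self, record):
        """Anomaly unit: n-grams never seen in normal training data."""
        return ngrams(record) - self.normal_profile

    def generate_signatures(self, unseen):
        """Signature generator: anomalous n-grams become new signatures, so
        the DB is updated automatically."""
        self.signature_db |= unseen
        return unseen

    def evaluate(self, record):
        """Routing: misuse first; unmatched records go to anomaly detection;
        detected anomalies feed the signature generator."""
        hits = self.misuse_detect(record)
        if hits:
            return "misuse", hits
        unseen = self.anomaly_detect(record)
        if unseen:
            return "anomaly", self.generate_signatures(unseen)
        return "normal", set()


# Constructed data.
NORMAL_TRAINING = [
    ["open", "read", "close"],
    ["open", "read", "write", "close"],
]
PROVIDER_SIGNATURES = {("socket", "connect", "execve")}
KNOWN_ATTACK = ["open", "socket", "connect", "execve"]
NOVEL_ATTACK = ["open", "read", "mprotect", "execve"]
RARE_BENIGN = ["open", "read", "mprotect", "close"]  # benign, absent from training


def demo():
    """Returns the verdict sequence and the final signature DB. The last
    verdict is the drawback: an anomaly-induced signature is broad enough to
    flag benign activity that merely shares a 3-gram with the novel attack."""
    dm = DecisionMakingModule(PROVIDER_SIGNATURES, NORMAL_TRAINING)
    verdicts = [
        dm.evaluate(KNOWN_ATTACK)[0],        # misuse: provider signature
        dm.evaluate(NOVEL_ATTACK)[0],        # anomaly: unseen, signatures generated
        dm.evaluate(NOVEL_ATTACK)[0],        # misuse: now caught by the new signature
        dm.evaluate(NORMAL_TRAINING[1])[0],  # normal
        dm.evaluate(RARE_BENIGN)[0],         # misuse: false alarm from generated signature
    ]
    return verdicts, dm.signature_db


if __name__ == "__main__":
    verdicts, db = demo()
    print(verdicts)
    print(sorted(db))
```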
One drawback in adding more signatures to the IDS database is the increase of false alarms, because those anomaly-induced signatures may not be accurate enough to capture all unique features in unknown attacks [16].

The Proposed Algorithm

The proposed method, an extension of the work in [24], will use fuzzy logic and other AI techniques and ensemble soft computing approaches to design an algorithm and criteria to correlate anomaly- and misuse-based alerts together in a CIID model. Our aim is to reduce the FAR while keeping the DR high, thus producing an efficient and more flexible IIDS. How to optimize load distribution in a fully decentralized CIDS architecture [66] will also be investigated. Then the proposed solution may be used as a performance metric for the evaluation of fusion systems as well.

Suggested Datasets to be used in the Proposed Architecture

IDS researchers need clearly labeled data where attacks are described in full detail, and that is usually very difficult to achieve with real systems for privacy reasons. The DARPA 1999 IDS Evaluation dataset will be used for testing, which is an artificially collected and generated dataset, as it is the only dataset freely available containing complete truth files, including attack-free activity for IDS training. A real-life network may also be used, and then the results may be compared with those of the DARPA datasets.

Performance Evaluation of the Proposed Architecture

There are many factors to consider when evaluating IDSs, such as speed, cost, effectiveness, ease-of-use, CPU and memory usage, and scalability. The ease-of-use includes user interface, interoperability with other products, reporting capabilities, and investigation capabilities [11]. The effectiveness of an IDS is evaluated by its ability to make correct predictions. According to the real nature of a given event compared to the prediction from the IDS, four possible outcomes are shown in Table 1, known as the confusion matrix.

Table 1. Confusion Matrix

                                     Actual Negative Class (Normal)   Actual Positive Class (Attack)
Predicted Negative Class (Normal)    True Negative (TN)               False Negative (FN)
Predicted Positive Class (Attack)    False Positive (FP)              True Positive (TP)

True negatives (TN) as well as true positives (TP) correspond to a correct operation of the IDS; that is, events are successfully labeled as normal and attacks, respectively. False positives (FP) refer to normal events being predicted as attacks; false negatives (FN) are attack events incorrectly predicted as normal events [58]. A high FP rate will seriously affect the performance of the system being monitored. A high FN rate will leave the system vulnerable to intrusions. So, both FP and FN rates should be minimized, together with maximizing TP and TN rates [23]. Equations (1)-(6), based on the confusion matrix, Table 1, show a numerical evaluation that applies the following measures to quantify the performance of IDSs [58]:

$$\text{True Negative Rate (TNR)} = \frac{TN}{TN + FP} = \frac{\text{no. true alerts}}{\text{no. alerts}}, \text{ also known as Specificity} \qquad (1)$$

$$\text{True Positive Rate (TPR)} = \frac{TP}{TP + FN} = \text{DR or Sensitivity} = \frac{\text{no. detected attacks}}{\text{no. observable attacks}} \qquad (2)$$

$$\text{False Alarm Rate (FAR)} = \frac{FP}{TN + FP} = 1 - \text{Specificity} \qquad (3)$$

$$\text{False Negative Rate (FNR)} = \frac{FN}{TP + FN} = 1 - \text{Sensitivity} \qquad (4)$$

$$\text{Accuracy} = \frac{TN + TP}{TN + TP + FN + FP} \qquad (5)$$

$$\text{Precision} = \frac{TP}{TP + FP} \qquad (6)$$

Thus, three metrics are to be used to evaluate the proposed CIDS performance, namely, the intrusion DR, the FAR, and the Receiver Operating Characteristic (ROC). The ROC curve evaluates the tradeoff between the intrusion DR and the FAR [17]. To better understand the effectiveness of the proposed method, the completeness and soundness of alert correlation have to be examined [33]. The completeness, R_c, of alert correlation assesses how well one can correlate related alerts together, while the soundness, R_s, evaluates how correctly the alerts are correlated. Thus, their quantitative evaluations are [33]:

$$R_c = \frac{\text{no. of correctly correlated alerts}}{\text{no. of related alerts}} \qquad (7)$$

$$R_s = \frac{\text{no. of correctly correlated alerts}}{\text{no. of correlated alerts}} \qquad (8)$$

False alerts are counted as incorrectly correlated alerts as long as they are correlated. Non-intrusive alerts, which are not attacks, will be counted as correctly correlated if they are related activities [33].

9. Conclusion

IDSs have played a central role in effectively defending crucial computer networks against attackers. The state of the art in CID research is presented. Recent research revealed the importance of using a combination of both signature- and anomaly-based IDSs in a CIID model. CIDSs are classified into different categories based on the system architecture they adopt and the alert correlation algorithms they use. A review of the different alert correlation techniques with some examples from researchers is presented. Alert correlation will, hence, be used to reduce the FAR and thus give a high DR. Artificial intelligence techniques showed their ability to satisfy the growing demand for reliable and intelligent IDSs. Soft computing exploits tolerance for imprecision, uncertainty, low solution cost, robustness, and partial truth to achieve tractability and better correspondence to reality.
Their advantages, therefore, boost the performance of IDSs. Fuzzy logic, on the other hand, helps smooth the abrupt separation of normal and abnormal data and produces more general rules, and hence is expected to increase the flexibility and strength of IDSs. Fuzzy logic has also proved its applicability in establishing trust between different participants of a peer-to-peer system. Therefore, many classification approaches from artificial intelligence, computational intelligence, or soft computing can be applied to improve detection accuracy, and to reduce false positive errors as well. Thus, by using AI techniques, soft computing and fuzzy logic, a CIID model, with a high DR and a low FAR, is proposed.

References

[1] Al-Mamory, S. O. & Zhang, H. (Nov. 2008). Intrusion detection alarms reduction using root cause analysis and clustering, Published by Elsevier B.V. Computer Communications 32 (2009), pp
[2] Autrel, F. & Cuppens, F. (2005). Using an Intrusion Detection Alert Similarity Operator to Aggregate and Fuse Alerts. In Proceedings of the 4th Conference on Security and Network.
[3] Aydin, M. A., Zaim, A. H. & Ceylan, K. G. (Feb. 2009). A hybrid intrusion detection system design for computer network security, Published by Elsevier Ltd. Computers and Electrical Engineering 35 (2009), pp
[4] Bridges, S. M. & Vaughn, R. B. (June 2000). Intrusion detection via fuzzy data mining, Accepted for Presentation at The Twelfth Annual Canadian Information Technology Security Symposium, June 19-23, 2000, The Ottawa Congress Centre.
[5] Cai, M. & Hwang, K. (Sept. 2006). Distributed Aggregation Schemes for Scalable Peer-to-Peer and Grid Computing, IEEE Transactions on Parallel and Distributed Systems (TPDS).
[6] Chandola, V., Banerjee, A. & Kumar, V. (July 2009). Anomaly Detection: A Survey, ACM Computing Surveys, Vol. 41, No. 3, Article 15.
[7] Cuppens, F. (December 2001).
Managing alerts in a multi-intrusion detection environment, in: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001).
[8] Cuppens, F. & Miege, A. (May 2002). Alert correlation in a cooperative intrusion detection framework, In Proceedings of the 2002 IEEE Symposium on Security and Privacy, IEEE Computer Society, Berkeley, California, USA, 2002, pp
[9] Cuppens, F., Autrel, F., Miege, A. & Benferhat, S. (December 2002). Recognizing Malicious Intention in an Intrusion Detection Process. In Second International Conference on Hybrid Intelligent Systems, Santiago, Chile. Special session: Hybrid Intelligent Systems for Intrusion Detection.
[10] Dain, O. & Cunningham, R.K. (2001). Fusing a Heterogeneous Alert Stream into Scenarios, In Proceedings of the ACM CCS Workshop on Data Mining for Security Applications, Barbará and Jajodia (Eds.), USA.
[11] Das, Kumar. (Aug. 2001). Protocol anomaly detection for network-based intrusion detection, GSEC Practical Assignment Version 1.2f, SANS Institute.
[12] Debar, H. & Wespi, A. (2001). Aggregation and Correlation of Intrusion-Detection Alerts, Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID), Springer Verlag, California, USA, pp
[13] Depren, O., Topallar, M., Anarim, E. & Ciliz, M. K. (May 2005). An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks, Published by Elsevier Ltd. Expert Systems with Applications 29 (2005), pp
[14] Hoang, X. D., Hu, J. & Bertok, P. (May 2009). A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference, Journal of Network and Computer Applications 32 (2009), pp
[15] Hussein, M. & Zulkernine, M. (Sep. 2006). Intrusion detection aware component-based systems: A specification-based framework, School of Computing, Queen's University, Kingston, Ont., Canada K7L 3N6, 27. Published by Elsevier Inc.
The Journal of Systems and Software 80 (2007), pp
[16] Hwang, K., Liu, H. & Chen, Y. (November 2004). Cooperative Anomaly and Intrusion Detection for Alert Correlation in Networked Computing Systems.
[17] Hwang, K., Cai, M., Chen, Y. & Qin, M. (January-March 2007). Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes, IEEE Transactions on Dependable and Secure Computing, Vol. 4, No. 1.
[18] Jan, N. Y., Lin, S. C., Tseng, S. S. & Lin, N. P. (2009). A decision support system for constructing an alert classification model, Published by Elsevier Ltd. Expert Systems with Applications 36 (2009), pp
[19] Jansen, W. (March 2009). Directions in security metrics research, National Institute of Standards and Technology (NIST).

[20] Julisch, K. (December 2001). Mining Alarm Clusters to Improve Alarm Handling Efficiency. In 17th Annual Computer Security Applications Conference (ACSAC), pages
[21] Julisch, K. & Dacier, M. (July 2002). Mining intrusion detection alarms for actionable knowledge, In The 8th ACM International Conference on Knowledge Discovery and Data Mining.
[22] Katti, S., Krishnamurthy, B. & Katabi, D. (October 2005). Collaborating Against Common Enemies, USENIX Association. Internet Measurement Conference 2005, pp
[23] Luo, J. Integrating fuzzy logic with data mining methods for intrusion detection, MSc. Thesis, Mississippi State University, Department of Computer Science. August,
[24] Maggi, F., Matteucci, M. & Zanero, S. (Feb. 2009). Reducing false positives in anomaly detectors through fuzzy alert aggregation, Published by Elsevier B.V. Information Fusion 10 (2009), pp
[25] Morin, B., Mé, L., Debar, H. & Ducassé, M. (2002). M2D2: A formal data model for IDS alert correlation, In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages
[26] Morin, B. & Debar, H. (September 2003). Correlation of intrusion symptoms: an application of chronicles, in: G. Vigna, E. Jonsson, C. Kruegel (Eds.), Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID 2003), Lecture Notes in Computer Science, vol. 2820, Springer, 2003, pp
[27] Morin, B., Mé, L., Debar, H. & Ducassé, M. (January 2008). M4D4: a Logical Framework to Support Alert Correlation in Intrusion Detection, Published by Elsevier Ltd.
[28] Morin, B., Mé, L., Debar, H. & Ducassé, M. (Oct. 2009). A logic-based model to support alert correlation in intrusion detection, Published by Elsevier B.V. Information Fusion 10 (2009), pp
[29] Ning, P., Jajodia, S. & Wang, X. S. (Nov. 2001). Abstraction-based Intrusion Detection in Distributed Environments, ACM Trans. on Information and System Security (TISSEC), 4(4): pp
[30] Ning, P. & Xu, D. (2002).
Adapting query optimization techniques for efficient intrusion alert correlation, Technical report, NCSU, Department of Computer Science.
[31] Ning, P., Reeves, D. S. & Cui, Y. (2002). An Intrusion Alert Correlator based on Prerequisites of Intrusions. Technical Report TR , North Carolina State University, Department of Computer Science.
[32] Ning, P., Cui, Y., & Reeves, D. S. (October 2002). Analyzing Intensive Intrusion Alerts Via Correlation, Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), Springer Verlag, Zurich, Switzerland, pp
[33] Ning, P., Cui, Y. & Reeves, D.S. (November 2002). Constructing attack scenarios through correlation of intrusion alerts, In Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, D.C., pp
[34] Ning, P., Cui, Y., Reeves, D. S. & Xu, D. (September 2003). Towards Automating Intrusion Alert Analysis, in 2003 Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection.
[35] Ning, P. & Xu, D. (October 2003). Learning attack strategies from intrusion alerts, In Proceedings of the 10th ACM Conference on Computer and Communications Security.
[36] Ning, P., Xu, D., Healey, C.G. & Amant, R.S. (February 2004). Building attack scenarios through integration of complementary alert correlation methods, in: 11th Annual Network and Distributed System Security Symposium.
[37] Ning, P., Cui, Y., Reeves, D.S. & Xu, D. (May 2004). Tools and techniques for analyzing intrusion alerts, ACM Transactions on Information and System Security, 7(2), pp
[38] Ning, P. & Xu, D. (November 2004). Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM Transactions on Information and System Security, 7(4), pp
[39] Noel, S., Robertson, E. & Jajodia, S. (2004).
Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances, 20th Annual Computer Security Applications Conference (ACSAC 04), pp
[40] Ozyer, T., Alhajj, R. & Barker, K. (June 2005). Intrusion detection by integrating boosting genetic fuzzy classifier and data mining criteria for rule pre-screening, Published by Elsevier Ltd. Journal of Network and Computer Applications 30 (2007), pp
[41] Peng, J., Feng, C. & Rozenblit, J.W. (2006). A Hybrid Intrusion Detection and Visualization System. In: Proceedings of the 13th Annual IEEE International Symposium and Workshop on Engineering of Computer Based Systems, pp
[42] Perdisci, R., Giacinto, G. & Roli, F. (March 2006). Alarm clustering for intrusion detection systems in computer networks, Published by Elsevier Ltd. Engineering Applications of Artificial Intelligence 19 (2006), pp
[43] Pietro, R. D. & Mancini, L. V. (2008). Intrusion Detection Systems, Handbook of Advances in Information Security, series editor: Sushil Jajodia, ISBN , e-ISBN: , Springer.
[44] Porras, P.A., Fong, M.W. & Valdes, A. (2002). A mission-impact-based approach to INFOSEC alarm correlation, In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages
[45] Pushparaj, R. & Bhuvana, S. (2008). Cooperative Intrusion Detection for Detecting Novel Attacks Using Real-Time Data Mining Approach, Proceedings of ICSTC, 2008, pp
[46] Rasoulifard, A., Bafghi, A. G. & Kahani, M. (2008). Incremental Hybrid Intrusion Detection Using Ensemble of Weak Classifiers. Advances in Computer Science and Engineering, 13th International CSI Computer Conference, CSICC 2008, Kish Island, Iran, March 9-11, Revised Selected Papers, Series: Communications in Computer and Information Science, Vol. 6, Springer, H. Sarbazi-Azad, B. Parhami, S.-G. Miremadi and S. Hessabi (Eds.), 2009, XXI, 1017 p., ISBN:
[47] Sadoddin, R. & Ghorbani, A. A. (2008).
An incremental frequent structure mining framework for real-time alert correlation, Published by Elsevier Ltd. Computers Security 28 (2009), pp [48] Shon, T., Kovah, X. & Moon, J. (2006). Applying genetic algorithm for classifying anomalous TCP/IP packets, Neurocomputing 69 (2006), pp [49] Song, S., Hwang, K., Zhou, R. & Kwok, Y. K. (Nov.-Dec. 2005). Trusted P2P Transactions with Fuzzy Reputation Aggregation, Published by the IEEE Computer Society, IEEE Internet Computing, pp [50] Spathoulas, G. P. & Katsikas, S. K. (2009). Reducing false positives in intrusion detection systems, (Accepted for publication), Published by Elsevier Ltd. Computer Security., to be published. [51] Teodoro, P. G., Verdejo, J. D., Fernandez, G. M. & Vazquez, E. (Aug. 2008). Anomaly-based network intrusion detection: Techniques, systems and challenges, Published by Elsevier Ltd. Computers Security 28 (2009), pp [52] Tong, X., Wang, Z. & Yu, H. (October 2009). A research using hybrid RBF/Elman neural networks for intrusion detection system secure model, Computer Physics Communications 180 (2009), pp [53] Toosi, A. N. & Kahani, M. (May, 2007). A new approach to intrusion detection based on an evolutionary soft computing model using neurofuzzy classifiers, Published by Elsevier B.V. Computer Communications 30 (2007), pp [54] Tsai, C. F. & Lin, C. Y. (May, 2009). A triangle area based nearest neighbors approach to intrusion detection, (Accepted for publication), Published by Elsevier Ltd. Pattern Recognition, to be published. [55] Tsai, C. F., Hsu, Y. F., Lin, C.Y. & Lin, W.Y. (May, 2009). Intrusion detection by machine learning: A review, (Accepted for publication), Published by Elsevier Ltd. Expert Systems with Applications, to be published. [56] Valdes, A. & Skinner, K. (2001). Probabilistic alert correlation, In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), pages [57] Valeur, F., Vigna, G., Kruegel, C. & Kemmerer, R. A. 
(July-September 2004). A Comprehensive Approach to Intrusion Detection Alert Correlation, IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 3. [58] Wu, S. X. & Banzhaf, W. (January, 2010). The Use of Computational Intelligence in Intrusion Detection Systems: A Review, Published by Elsevier Ltd. Applied Soft Computing Journal 10 (2010), pp Page 18 of 19

20 [59] Xu, D. & Ning, P. (December 2004). Alert correlation through triggering events and common resources, In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 04). [60] Xu, D. & Ning, P. (December 2005). Privacy-preserving alert correlation: A concept hierarchy based approach, In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 05). [61] Xu, D. & Ning, P. (August 2006). A flexible approach to intrusion alert anonymization and correlation, In Proceedings of 2nd IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks (SecureComm 2006). [62] Xu, D. & Ning, P. (2008). Correlation analysis of intrusion alerts, in Roberto Di Pietro, Luigi V.Mancini eds. Intrusion Detection Systems, Advances in Information Security, Vol. 38, pages 65-92, ISBN , Springer, [63] Yu, J., Reddy, Y. V. R., Selliah, S., Reddy, S., Bharadwaj, V. & Kankanahalli, S. (May, 2005). TRINETR: An architecture for collaborative intrusion detection and knowledge-based alert evaluation, Published by Elsevier Ltd. Advanced Engineering Informatics 19 (2005), pp [64] Zhai, Y., Ning, P., Iyer, P. & Reeves, D.S. (December 2004). Reasoning about complementary intrusion evidence, In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 04). [65] Zhang, Y. F., Xiong, Z. Y. & Wang, X. Q. (August 2005). Distributed Intrusion Detection based on Clustring, Proceedings of the Fourth International Conference on Machine Learning and Cybernetics, Guangzhou. [66] Zhou, C. V., Leckie, C. & Karunasekera, S. (Feb. 2009). Decentralized multidimensional alert correlation for collaborative intrusion detection, Published by Elsevier Ltd. Journal of Network and Computer Applications 32 (2009), pp [67] Zhou, C. V., Leckie, C. & Karunasekera, S. (June, 2009). A survey of coordinated attacks and collaborative intrusion detection, (Accepted for publication), Published by Elsevier Ltd. 
Izzeldin Mohammed Osman received his BSc in Electrical Engineering from the University of Khartoum, in Then he got his MSc in Computer Science from Bradford University, U.K in 1969 and his PhD in Computer Science from Durham University, U.K in He taught Computer Science at Temple University, Philadelphia, PA, and became full Professor of Computer Science at California State University at Hayward. Afterwards he taught at the University of Khartoum, and then became Vice-Chancellor for Sudan University of Science and Technology (SUST). He is currently a Professor of Computer Science at SUST. His current research interests and publications are in the areas of database management, information security, biometrics and e-learning. Dr. Izzeldin Osman is a professional member of the ACM since He is a member of many UN forums including the Council of the UNESCO Information for All Program.

Huwaida Tagelsir Elshoush received her BSc in 1994, and MSc in 2001 in Computer Science from the University of Khartoum, Sudan. Her MSc dissertation was in Frame Relay Security. At present, she is a Lecturer at the Computer Science department, University of Khartoum. She is currently a PhD student in the department of Computer Science in the same university (from September 2009). Her research interests include Network Intrusion Detection, Artificial Intelligence, Data Mining and Machine Learning and Information Security.


Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection? Contents Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Motivation and basics (Why and what?) IDS types and principles Key Data Problems with

More information

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit 5 Key Questions Auditors Ask During a Database Compliance Audit White Paper Regulatory legislation is increasingly driving the expansion of formal enterprise audit processes to include information technology

More information

KEITH LEHNERT AND ERIC FRIEDRICH

KEITH LEHNERT AND ERIC FRIEDRICH MACHINE LEARNING CLASSIFICATION OF MALICIOUS NETWORK TRAFFIC KEITH LEHNERT AND ERIC FRIEDRICH 1. Introduction 1.1. Intrusion Detection Systems. In our society, information systems are everywhere. They

More information

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning Niara Security Analytics Automatically detect attacks on the inside using machine learning Automatically detect attacks on the inside Supercharge analysts capabilities Enhance existing security investments

More information

Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

More information

Firewall Policy Anomalies- Detection and Resolution

Firewall Policy Anomalies- Detection and Resolution Firewall Policy Anomalies- Detection and Resolution Jitha C K #1, Sreekesh Namboodiri *2 #1 MTech student(cse),mes College of Engineering,Kuttippuram,India #2 Assistant Professor(CSE),MES College of Engineering,Kuttippuram,India

More information

Using Data Mining for Mobile Communication Clustering and Characterization

Using Data Mining for Mobile Communication Clustering and Characterization Using Data Mining for Mobile Communication Clustering and Characterization A. Bascacov *, C. Cernazanu ** and M. Marcu ** * Lasting Software, Timisoara, Romania ** Politehnica University of Timisoara/Computer

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Sokratis K. Katsikas Dept. of Digital Systems University of Piraeus ska@unipi.gr Agenda Overview of IDS Intrusion prevention using game theory Reducing false positives Clustering

More information

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection

More information

Conclusions and Future Directions

Conclusions and Future Directions Chapter 9 This chapter summarizes the thesis with discussion of (a) the findings and the contributions to the state-of-the-art in the disciplines covered by this work, and (b) future work, those directions

More information

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Ensuring Security in Cloud with Multi-Level IDS and Log Management System Ensuring Security in Cloud with Multi-Level IDS and Log Management System 1 Prema Jain, 2 Ashwin Kumar PG Scholar, Mangalore Institute of Technology & Engineering, Moodbidri, Karnataka1, Assistant Professor,

More information

How To Prevent Network Attacks

How To Prevent Network Attacks Ali A. Ghorbani Wei Lu Mahbod Tavallaee Network Intrusion Detection and Prevention Concepts and Techniques )Spri inger Contents 1 Network Attacks 1 1.1 Attack Taxonomies 2 1.2 Probes 4 1.2.1 IPSweep and

More information

Network Intrusion Detection Systems

Network Intrusion Detection Systems Network Intrusion Detection Systems False Positive Reduction Through Anomaly Detection Joint research by Emmanuele Zambon & Damiano Bolzoni 7/1/06 NIDS - False Positive reduction through Anomaly Detection

More information

Intrusion Detection for Grid and Cloud Computing

Intrusion Detection for Grid and Cloud Computing Intrusion Detection for Grid and Cloud Computing Author Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall, and Carla Merkle Westphall Federal University of Santa Catarina, Brazil Content Type

More information

Identification of correlated network intrusion alerts

Identification of correlated network intrusion alerts Identification of correlated network intrusion alerts Mirco Marchetti, Michele Colajanni, Fabio Manganiello Department of Information Engineering University of Modena and Reggio Emilia Modena, Italy {mirco.marchetti,

More information

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing Partha Ghosh, Ria Ghosh, Ruma Dutta Abstract: The massive jumps in technology led to the expansion of Cloud Computing

More information

How To Understand The Theory Of Alert Correlation

How To Understand The Theory Of Alert Correlation Alert Correlation Survey: Framework and Techniques Reza Sadoddin Network Security Laboratory University of New Brunswick Fredericton, New Brunswick, Canada reza.sadoddin@unb.ca Ali Ghorbani Network Security

More information

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information