You are here: Home Contents V12 N1 V12N1_Dave.html
Personal tools

Application Profiling based on Attack Alert Aggregation



Full text

Journal of Information System Security
Volume 12, Number 1 (2016)
Pages 2744
ISSN 1551-0123
Shalvi Dave — Indus University, India
Bhushan Trivedi — GLSICT, India
Jimit Mahadevia — Elitecore Technologies, India
Information Institute Publishing, Washington DC, USA




Any Intrusion Detection/Prevention system‘s (IDPS) pre-requisite is a set of defined and tested rules. The Rule set determines the kind of attacks that the IDPS detects and prevents. The rules may be stored in a database, as a pattern, as a regular expression or simply in a flat file format. IDPS matches any incoming or outgoing packet against the pre-defined rules for attack detection and prevention. The detection log is stored for preventive actions.

In this paper, we present a new approach to aggregate alerts considering attack direction, application and type of application. We have formulated an algorithm to tokenize and filter the Rule set of an IDPS. This algorithm generates a rule-classifier file, which contains the unique identifier of the rule obtained from pre-defined IDPS rules and a direction field to classify the attack as a client-side or server-side. Using this rule-classifier file, we then classify any attack as Client-Side or Server-Side Inbound / Outbound attack. This classification helps us to aggregate attack log that further helps the administrator to take precise preventive action.




Rule Set, Tokenize Algorithm, Inbound Attacks, Outbound Attacks




Alsubhi, K., Al-Shaer, E., Boutaba, R. (2008). Alert prioritization in Intrusion Detection Systems, Network Operations and Management Symposium, 2008. NOMS 2008. IEEE, vol., no., pp.33, 40, 7-11 April 2008.

Anitha, N., Anitha, S., Anitha, B. (2012). A Heuristic approach for alert aggregation in intrusion detection system, Journal of Computer Applications, Vol-5, Issue 3, 2012.

Autrel, F. and Cuppens, F. (2005). Using an intrusion detection alert similarity operator to aggregate and fuse alerts. The 4th Conference on Security and Network Architecture. Bat sur Mer, France.

Cheng-Yuan Ho, Yuan-Cheng L., I-Wei Chen, Fu-Yu Wang, Wei-Hsuan Tai (2012). Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems, Communications Magazine, IEEE, vol.50, no.3, pp.146-154, March 2012.

Cuppens, F. (2001). Managing Alerts in a Multi-Intrusion Detection Environment, Proc. 17th Ann. Computer Security Applications Conf. (ACSAC ‘01), pp. 22-31, 2001.

Dave, S., Mahadevia, J., Trivedi, B. (2011). Application Aware Event Logger, International Journal of Computing, Vol-1, Issue-2, April 2011, pg-201-208.

Dave, S., Mahadevia, J., Trivedi, B. (2012). Windows Based Application Aware Network Interceptor, International Journal of Enterprise Computing and Business Systems, Vol 2, Issue 1, Jan 2012.

Dave, S., Trivedi, B., Trivedi, D. (2011). Simulation of Security Agent Using Anomaly Based Detection and VLAN Steering, 2011 3rd International Conference on Computer Modeling and Simulation (ICCMS 2011).

Debar, H., Wespi, A. (2000). Aggregation and correlation of intrusion detection alerts, ACM dl, RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, pg 85-103, Springer-Verlag, London.

Ertoz, L., Eilertson, E., Lazarevic, A., Tan, P., Srivastava, J., Kumar, V., Dokas, P. (2004). The MINDS— Minnesota Intrusion Detection System, Next Generation. Data Mining, MIT Press, 2004.

Hofmann, H., Sick, B. (2001). Online Intrusion Alert Aggregation with Generative Data Stream Modeling, IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 2, pp. 282-294, March-April 2011.

Hwang, K., Cai, M., Chen, Y., and Qin, M. (2007). Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes, IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 1, pp. 41-55, Jan.-March 2007.

Julisch, K. (2003). Using Root Cause Analysis to Handle Intrusion Detection Alarms, PhD dissertation, Universitat Dortmund, 2003.

Kompella, R., R., Singh, S., Varghese, G. (2007). On Scalable Attack Detection in the Network, IEEE/ACM Transactions on Networking, vol.15, no.1, pp.14-25, Feb.2007.

Lazarevic, A., Ertoz, L., Kumar, V., Ozgur, A., Srivastava, J. (2003). A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection. Proc. Third SIAM Conf. Data Mining, 2003,

Lee, W., Stolfo, S. J., Mok, K. (2000). Adaptive Intrusion Detection: A Data Mining Approach, Artificial Intelligence Review, vol. 14, no. 6,pp. 533-567, Kluwer Academic Publishers, Dec. 2000.

Lee W. and Stolfo, S. (2000). A Framework for Constructing Features and Models for Intrusion Detection Systems. ACM Trans. Information and System Security (TISSec).

Qin, M. and Hwang, K. (2004). Frequent Episode Rules for Internet Traffic Analysis and Anomaly Detection. Proc. IEEE Network Computing and Applications (NAC ‘04), Sept. 2004.

Valeur, F., Vigna, G., Krügel, C., and Kemmerer, R. A. (2004). A Comprehensive Approach to Intrusion Detection Alert Correlation, IEEE Trans. Dependable and Secure Computing, vol. 1, no. 3, pp. 146-169, July-Sept. 2004.