An IDS Alerts Preprocessing Method Based on Information Entropy

doi:10.3969/j.issn.1006-2475.2020.05.019

Abstract

Abstract: Focus on the issue for the large number of repeated alerts, high false alert rate, and low alert quality of the current intrusion detection system, an IDS alerts preprocessing method based on information entropy is proposed to reduce false alerts, aggregate similar alerts, and generate super alerts that represent the intent of a single step attack. First, the feature extraction of the IDS alerts are performed. The information entropy fusion result of the four characteristics of the alert density, the alert period value, the source IP address corresponding destination IP address numbers, and the attack source threat degree indicates the amount of feature information that an alert has. By calculating the Rainey information entropy with the feature vector of the false alert, the false alert is recognized and removed. Then, the alerts that the false alerts have been removed are classified into two types according to the IP correspondence: one type of source IP address corresponding to one destination IP address and one source IP address corresponding to multiple destination IP addresses. The two types of alert features are counted separately, and the 5-dimensional feature information entropy vectors are constructed. The DBSCAN algorithm is used to cluster the alerts with the same or similar information. Finally, the dynamic time windows are divided for each category of alerts, and the super alerts that represent the intention of single-step attacks are constructed. The experimental results show that the alerts preprocessing method based on information entropy has a false alert reduction rate of 87.43% and an alert aggregation rate of 98.63%, which has a good false alert reduction effect and a high alert aggregation rate.

Key words: intrusion detection system, false alerts reduction, alerts aggregation, Rainey information entropy, clustering

CLC Number:

TP393.08

ZHANG Yu1,2, GUO Chun1,2, SHEN Guo-wei1,2, PING Yuan3. An IDS Alerts Preprocessing Method Based on Information Entropy[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2020.05.019.

References ［25］

［1］	李祉岐,黄金垒,王义功,等. 入侵告警信息聚合与关联技术综述［J］. 计算机应用与软件, 2019,36(4):286-294.
［2］	胥小波,蒋琴琴,郑康锋,等. 基于混沌粒子群的IDS告警聚类算法［J］. 通信学报, 2013,34(3):105-110.
［3］	胡亮,解男男,努尔布力,等. 基于智能规划的多步攻击场景识别算法［J］. 电子学报, 2013,41(9):1753-1759.
［4］	解男男. 机器学习方法在入侵检测中的应用研究［D］. 长春:吉林大学, 2015.
［5］	李思达. IDS告警信息关联分析系统的研究与实现［D］. 北京:北京邮电大学, 2018.
［6］	努尔布力,解男男,陈飞彦,等. 一种基于条件随机场的入侵检测误报滤除方法［J］. 中国科技论文, 2012,7(10):757-761.
［7］	〖JP+2〗NJOGU H W, LUO J W, KIERE J N. Network specific vulnerability based alert reduction approach［J］. Security and Communication Networks, 2013,6(1):15-27.
［8］	〖JP+2〗VALDES A, SKINNER K. Probabilistic alert correlation［M］// International Workshop on Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2001:54-68.
［9］	黄林,吴志杰,黄晓芳,等. 一种改进的多源异构告警聚合方案［J］. 计算机应用研究, 2014,31(2):579-582.
［10］	李洪成,吴晓平. 基于自扩展时间窗的告警多级聚合与关联方法［J］. 工程科学与技术, 2017,49(1):206-212.
［11］	GHASEMIGOL M, GHAEMI-BAFGHI A. E-correlator: An entropy-based alert correlation system［J］. Security and Communication Networks, 2015,8(5):822-836.
［12］	LIANG W, CHEN Z, WEN Y, et al. An alert fusion method based on grey relation and attribute similarity correlation［J］. International Journal of Online and Biomedical Engineering, 2016,12(8):25-30.
［13］	AHMED T, SIRAJ M M, ZAINAL A, et al. A taxonomy on intrusion alert aggregation techniques［C］// Proceedings of the 2014 International Symposium on Biometrics and Security Technologies. 2014:244-249.
［14］	〖KG-*3〗〖JP2〗DEALVARENGA S C, BARBON JR S, MIANI R S, et al. Process mining and hierarchical clustering to help intrusion alert visualization［J］. Computers & Security, 2018,73:474-491.
［15］	郭春. 基于数据挖掘的网络入侵检测关键技术研究［D］. 北京:北京邮电大学, 2014.
［16］	LU X G, DU X H, WANG W J. An alert aggregation algorithm based on k-means and genetic algorithm［C］// Proceedings of the 2nd International Conference on Artificial Intelligence Applications and Technologies. 2018, DOI: 10.1088/1757-899X/435/1/012031.
［17］	白鹏翔,张清华,段富,等基于模糊规则的免疫算法在网络入侵中的应用［J］.计算机工程与设计, 2015,36(12):3246-3249.
［18］	OLABELURIN A, VELURU S, HEALING A, et al. Entropy clustering approach for improving forecasting in DDoS attacks［C］// Proceedings of the 2015 IEEE 12th International Conference on Networking, Sensing and Control. 2015:315-320.
［19］	THATTE G, MITRA U, HEIDEMANN J. Parametric methods for anomaly detection in aggregate traffic［J］. IEEE/ACM Transactions on Networking, 2011,19(2):512-525.
［20］	夏秦,王志文,卢柯. 入侵检测系统利用信息熵检测网络攻击的方法［J］. 西安交通大学学报, 2013,47(2):14-19.
［21］	刘威歆,郑康锋,武斌,等. 基于攻击图的多源告警关联分析方法［J］. 通信学报, 2015,36(9):135-144.
［22］	RAMAKI A A, AMINI M, ATANI R E. RTECA: Real time episode correlation algorithm for multi-step attack scenarios detection［J］. Computers & Security, 2015,49:206-219.
［23］	朱梦影. 入侵检测系统报警关联技术研究［D］. 沈阳:沈阳航空航天大学, 2014.
［24］	牛国林,管晓宏,龙毅,等. 多源流量特征分析方法及其在异常检测中的应用［J］. 解放军理工大学学报(自然科学版), 2009,10(4):350-355.
［25］	MIT Lincoln Laboratory. 2000 DARPA Intrusion Detection Scenario Specific Datasets［DB/OL］. (2000-07-20)［2019-09-16］. http://www.ll.mit.edu/r-d/datasets/2000-darpa-intrusion-detection-scenario-specific-datasets.

[1]	DENG Bin-tao, XU Sheng-chao. A Differential Evolution K-mediods Clustering Algorithm Based on Dynamic Gemini Population [J]. Computer and Modernization, 2021, 0(07): 54-59.
[2]	ZHANG Su-ning, WANG Yue-juan, WU Shui-ming, JING Dong-sheng. Network Intrusion Data Clustering Algorithm Based on Krylov Subspace [J]. Computer and Modernization, 2019, 0(10): 121-.
[3]	YANG Weiyong1, HE Jun2, ZHENG Shengjun3，ZHANG Xudong4. An Outlier Detection Algorithm for Subspace Clustering [J]. Computer and Modernization, 2015, 0(12): 39-.
[4]	LI Lian;ZHU Ai-hong. Data Fusion of Intrusion Detection in Cloud Computing [J]. Computer and Modernization, 2013, 1(9): 179-182.
[5]	REN Bing-zhong;KONG Wen-huan. Design and Realization of Dynamic Rule Sets of Snort Based on Threshold of Statistics [J]. Computer and Modernization, 2012, 198(2): 165-167.
[6]	LI Xue-bao. Research on False Positive Rate of Intrusion Detection System Based on Danger Theory [J]. Computer and Modernization, 2011, 1(2): 41-43.
[7]	CHEN Si;XU Su;JI Jia-qi. pplication Research on Data Mining Technique on Intrusion Detection System [J]. Computer and Modernization, 2009, 5(5): 114-0.