An efficient intrusion alerts miner for forensics readiness in high speed networks

Aymen Akremi, Hassen Sallay, Mohsen Rouached

Research output: Contribution to journal › Article

3 Citations (Scopus)

Abstract

An Intrusion Detection System (IDS) is considered a core tool for collecting forensically relevant evidentiary data from the network in real or near real time. The emergence of High Speed Networks (HSN) and Service Oriented Architecture/Web Services (SOA/WS) has confronted the IDS with a typical big data management problem. The log files that an IDS generates are enormous, which makes the forensics readiness process tedious and both compute and memory intensive. Furthermore, the high rate of wrong alerts complicates the forensics expert's alert analysis and undermines its performance, efficiency and ability to select the most relevant evidence for attributing attacks to criminals. In this context, we propose Alert Miner (AM), an intrusion alert classifier that efficiently classifies, in near real time, the intrusion alerts in HSN for Web services. AM uses an outlier detection technique based on an adaptive deduced association rule set to classify the alerts automatically and without human assistance. AM reduces false positive alerts without losing high sensitivity (up to 95%) and accuracy (up to 97%). AM therefore facilitates the alert analysis process and allows investigators to focus their analysis on the most critical alerts on a near real-time scale and to postpone less critical alerts to an off-line log analysis.

Original language: English
Pages (from-to): 62-78
Number of pages: 17
Journal: International Journal of Information Security and Privacy
Volume: 8
Issue number: 1
DOIs: 10.4018/ijisp.2014010104
Publication status: Published - Jan 1 2014

Fingerprint

High speed networks
Miners
Web services
Association rules
Intrusion detection
Service oriented architecture (SOA)
Information management
Classifiers
Data storage equipment

Keywords

  • Big data
  • Data mining
  • Forensics readiness
  • High Speed Network
  • Intrusion alert
  • Web services

ASJC Scopus subject areas

  • Information Systems

Cite this

An efficient intrusion alerts miner for forensics readiness in high speed networks. / Akremi, Aymen; Sallay, Hassen; Rouached, Mohsen.

In: International Journal of Information Security and Privacy, Vol. 8, No. 1, 01.01.2014, p. 62-78.

@article{bbecf2dca2a848c18c0cc361e621e1fe,
title = "An efficient intrusion alerts miner for forensics readiness in high speed networks",
abstract = "Intrusion Detection System is considered as a core tool in the collection of forensically relevant evidentiary data in real or near real time from the network. The emergence of High Speed Network (HSN) and Service oriented architecture/Web Services (SOA/WS) putted the IDS in face of a typical big data management problem. The log files that IDS generates are very enormous making very fastidious and both compute and memory intensive the forensics readiness process. Furthermore the high level rate of wrong alerts complicates the forensics expert alert analysis and it disproves its performance, efficiency and ability to select the best relevant evidences to attribute attacks to criminals. In this context, we propose Alert Miner (AM), an intrusion alert classifier, which classifies efficiently in near real-time the intrusion alerts in HSN for Web services. AM uses an outlier detection technique based on an adaptive deduced association rules set to classify the alerts automatically and without human assistance. AM reduces false positive alerts without losing high sensitivity (up to 95{\%}) and accuracy up to (97{\%}). Therefore AM facilitates the alert analysis process and allows the investigators to focus their analysis on the most critical alerts on near real-time scale and to postpone less critical alerts for an off-line log analysis.",
keywords = "Big data, Data mining, Forensics readiness, High Speed Network, Intrusion alert, Web services",
author = "Aymen Akremi and Hassen Sallay and Mohsen Rouached",
year = "2014",
month = "1",
day = "1",
doi = "10.4018/ijisp.2014010104",
language = "English",
volume = "8",
pages = "62--78",
journal = "International Journal of Information Security and Privacy",
issn = "1930-1650",
publisher = "IGI Global Publishing",
number = "1",

}

TY - JOUR

T1 - An efficient intrusion alerts miner for forensics readiness in high speed networks

AU - Akremi, Aymen

AU - Sallay, Hassen

AU - Rouached, Mohsen

PY - 2014/1/1

Y1 - 2014/1/1

N2 - Intrusion Detection System is considered as a core tool in the collection of forensically relevant evidentiary data in real or near real time from the network. The emergence of High Speed Network (HSN) and Service oriented architecture/Web Services (SOA/WS) putted the IDS in face of a typical big data management problem. The log files that IDS generates are very enormous making very fastidious and both compute and memory intensive the forensics readiness process. Furthermore the high level rate of wrong alerts complicates the forensics expert alert analysis and it disproves its performance, efficiency and ability to select the best relevant evidences to attribute attacks to criminals. In this context, we propose Alert Miner (AM), an intrusion alert classifier, which classifies efficiently in near real-time the intrusion alerts in HSN for Web services. AM uses an outlier detection technique based on an adaptive deduced association rules set to classify the alerts automatically and without human assistance. AM reduces false positive alerts without losing high sensitivity (up to 95%) and accuracy up to (97%). Therefore AM facilitates the alert analysis process and allows the investigators to focus their analysis on the most critical alerts on near real-time scale and to postpone less critical alerts for an off-line log analysis.

AB - Intrusion Detection System is considered as a core tool in the collection of forensically relevant evidentiary data in real or near real time from the network. The emergence of High Speed Network (HSN) and Service oriented architecture/Web Services (SOA/WS) putted the IDS in face of a typical big data management problem. The log files that IDS generates are very enormous making very fastidious and both compute and memory intensive the forensics readiness process. Furthermore the high level rate of wrong alerts complicates the forensics expert alert analysis and it disproves its performance, efficiency and ability to select the best relevant evidences to attribute attacks to criminals. In this context, we propose Alert Miner (AM), an intrusion alert classifier, which classifies efficiently in near real-time the intrusion alerts in HSN for Web services. AM uses an outlier detection technique based on an adaptive deduced association rules set to classify the alerts automatically and without human assistance. AM reduces false positive alerts without losing high sensitivity (up to 95%) and accuracy up to (97%). Therefore AM facilitates the alert analysis process and allows the investigators to focus their analysis on the most critical alerts on near real-time scale and to postpone less critical alerts for an off-line log analysis.

KW - Big data

KW - Data mining

KW - Forensics readiness

KW - High Speed Network

KW - Intrusion alert

KW - Web services

UR - http://www.scopus.com/inward/record.url?scp=84928032060&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84928032060&partnerID=8YFLogxK

U2 - 10.4018/ijisp.2014010104

DO - 10.4018/ijisp.2014010104

M3 - Article

VL - 8

SP - 62

EP - 78

JO - International Journal of Information Security and Privacy

JF - International Journal of Information Security and Privacy

SN - 1930-1650

IS - 1

ER -