TIAA: A Toolkit for Intrusion Alert Analysis

Date

2004-03-30

Abstract

Intrusion detection has been studied for about twenty years. Intrusion Detection Systems (IDSs) are usually considered a second line of defense against malicious activity, complementing prevention-based mechanisms such as authentication and access control. However, traditional IDSs have two major limitations. First, they usually focus on low-level attacks or anomalies and raise alerts independently, even though there may be logical connections between those alerts. Second, in a typical environment traditional IDSs report a large number of false alerts mixed in with the true ones. As a result, intrusion analysts and system administrators are often overwhelmed by the volume of alerts. To address these problems and thus improve the usability of current IDSs, the Toolkit for Intrusion Alert Analysis (TIAA) [17] was developed. The primary goal of TIAA is to provide system support for interactive analysis of the intrusion alerts reported by traditional IDSs. TIAA is based on the alert correlation techniques previously developed in [16] and [15]. In addition, several new utilities were developed to facilitate the analysis of potentially large sets of intrusion alerts: alert aggregation/disaggregation, clustering analysis, frequency analysis, link analysis, and association analysis. Finally, besides the hyper-alert correlation graphs proposed in [16], TIAA includes two additional visual representations of analysis results, making it easier for a human analyst to understand them. The intended mode of use is a human-machine team: TIAA performs the automated tasks, such as intrusion alert correlation and execution of the analysis utilities, while the human analyst decides which sets of alerts to analyze and how the analysis utilities are applied.
This thesis presents the implementation of TIAA, including several analysis utilities, an improved alert collection system, and an integrated analysis environment with a graphical user interface (GUI). It also reports several experiments that evaluate TIAA on the DARPA 2000 datasets and the Cyber Panel Grand Challenge Problem datasets. The experimental results show that TIAA can greatly improve the analysis of intrusion alerts and can work with a range of underlying IDSs.
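The correlation the abstract refers to links low-level alerts that an IDS raised independently into an attack scenario. The following is an added illustration written for this page, not TIAA's code and not the implementation in [16] or [15]: it models correlation in the prerequisite/consequence style behind hyper-alert correlation graphs, where alert A "prepares for" alert B when a consequence of A, instantiated with A's attributes, matches a prerequisite of B and A ends before B begins. The alert types, predicate names and the five sample alerts are constructed (loosely shaped on a sadmind-based scenario like the one in the DARPA 2000 data) and are assumptions, not TIAA definitions.

```python
"""Prerequisite/consequence correlation of IDS alerts into a correlation graph.

Added example, not code from TIAA. Alert types, predicates and alerts below
are constructed for illustration; "implies" between predicates is simplified
to exact equality of instantiated predicates.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class HyperAlertType:
    name: str
    prerequisites: FrozenSet[str]  # predicate templates over attribute names
    consequences: FrozenSet[str]


@dataclass
class Alert:
    id: int
    type: str
    attrs: Dict[str, str]  # e.g. {"SrcIP": ..., "DestIP": ...}
    begin: int             # constructed timestamps (seconds)
    end: int


# Constructed hyper-alert types (assumed, not TIAA's knowledge base).
TYPES: Dict[str, HyperAlertType] = {t.name: t for t in (
    HyperAlertType("ICMP_Echo_Sweep", frozenset(),
                   frozenset({"ExistHost(DestIP)"})),
    HyperAlertType("Sadmind_Ping", frozenset({"ExistHost(DestIP)"}),
                   frozenset({"VulnerableSadmind(DestIP)"})),
    HyperAlertType("Sadmind_Overflow",
                   frozenset({"ExistHost(DestIP)", "VulnerableSadmind(DestIP)"}),
                   frozenset({"GainRoot(DestIP)"})),
    HyperAlertType("Rsh_DDoS_Daemon_Install", frozenset({"GainRoot(DestIP)"}),
                   frozenset({"DDoSDaemon(DestIP)"})),
)}


def instantiate(template: str, attrs: Dict[str, str]) -> str:
    """'ExistHost(DestIP)' with {'DestIP': '10.0.0.5'} -> 'ExistHost(10.0.0.5)'."""
    pred, _, arglist = template.partition("(")
    args = [attrs[a.strip()] for a in arglist.rstrip(")").split(",") if a.strip()]
    return f"{pred}({','.join(args)})"


def prepare_for_edges(alerts: List[Alert]) -> Set[Tuple[int, int]]:
    """Directed edges (a.id, b.id) meaning alert a prepares for alert b."""
    edges: Set[Tuple[int, int]] = set()
    for a in alerts:
        cons = {instantiate(c, a.attrs) for c in TYPES[a.type].consequences}
        for b in alerts:
            if a is b or not a.end < b.begin:   # temporal order is required
                continue
            pre = {instantiate(p, b.attrs) for p in TYPES[b.type].prerequisites}
            if cons & pre:
                edges.add((a.id, b.id))
    return edges


def scenarios(alerts: List[Alert], edges: Set[Tuple[int, int]]) -> List[Set[int]]:
    """Weakly connected components of the correlation graph. A singleton is an
    alert that nothing prepares for and that prepares for nothing; such alerts
    are the ones an analyst would look at last (or treat as likely false)."""
    parent = {a.id: a.id for a in alerts}

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for u, v in edges:
        parent[find(u)] = find(v)
    groups: Dict[int, Set[int]] = {}
    for a in alerts:
        groups.setdefault(find(a.id), set()).add(a.id)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


# Constructed sample alerts: a sweep, a sadmind probe, an overflow and a
# daemon install against 10.0.0.5, plus a lone sadmind probe of 10.0.0.7
# whose prerequisite (ExistHost) no earlier alert established.
SAMPLE_ALERTS: List[Alert] = [
    Alert(1, "ICMP_Echo_Sweep", {"SrcIP": "172.16.0.9", "DestIP": "10.0.0.5"}, 100, 100),
    Alert(2, "Sadmind_Ping", {"SrcIP": "172.16.0.9", "DestIP": "10.0.0.5"}, 120, 121),
    Alert(3, "Sadmind_Overflow", {"SrcIP": "172.16.0.9", "DestIP": "10.0.0.5"}, 150, 152),
    Alert(4, "Rsh_DDoS_Daemon_Install", {"SrcIP": "172.16.0.9", "DestIP": "10.0.0.5"}, 200, 205),
    Alert(5, "Sadmind_Ping", {"SrcIP": "172.16.0.9", "DestIP": "10.0.0.7"}, 130, 131),
]

if __name__ == "__main__":
    edges = prepare_for_edges(SAMPLE_ALERTS)
    for u, v in sorted(edges):
        print(f"alert {u} prepares for alert {v}")
    for comp in scenarios(SAMPLE_ALERTS, edges):
        print("scenario" if len(comp) > 1 else "isolated", sorted(comp))
```

On the sample alerts the graph has edges 1→2, 1→3, 2→3 and 3→4, so alerts 1 to 4 form one scenario while alert 5 stays isolated. Note that the temporal check does real work: the same sweep arriving after the sadmind probe would not be correlated with it, which is the behaviour an analyst wants when deciding whether a probe was prepared for.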

Keywords

Attack Scenario Analysis, Alert Correlation

Degree

MS

Discipline

Computer Science
