Recent and emerging cyber-threats justify continued improvement of network security technologies such as Intrusion Detection Systems (IDSs), so that they keep pace with rapidly evolving technologies and the diverse security challenges those technologies create. Network-based IDSs generate large numbers of alerts and false positives, so a post-processing filter is needed if intrusions are to be detected in a timely manner. This paper investigates a statistical detection approach for volume anomalies such as Distributed Denial-of-Service (DDoS) attacks, using a multi-agent framework that hunts for time-correlated abnormalities across different behaviours of network events. Employing statistical process-behaviour charts built on Exponentially Weighted Moving Average (EWMA) one-step-ahead forecasting, the framework correlates undesirable deviations in order to identify abnormal patterns and raise an alarm. The paper presents the architecture and mathematical foundation of the proposed framework prototype and describes the implementation and testing of the approach on a network log generated from a 2012 cyber range simulation experiment as well as on the DARPA 2000 datasets. Its effectiveness in detecting time-correlated anomaly alerts and in reducing the number of alerts and false-positive alarms in the IDS output is evaluated.
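The following is an added example, not code from the chapter or its authors, that illustrates the two ideas the abstract combines: an EWMA process-behaviour chart per traffic behaviour, where the current EWMA is the one-step-ahead forecast and a sample is out of control when its residual exceeds L times the residual standard deviation, and a correlation stage that only raises an alert when several charts deviate within a short window of each other. The smoothing constant (0.3), control limit (3 sigma), window (1 step), quorum (2 charts), the three metrics (packets/s, SYN/s, distinct sources/s) and every counter value are assumptions chosen for the illustration; the chapter's actual parameters and agents may differ.

```python
"""EWMA one-step-ahead control charts, one per traffic behaviour, plus a
time-correlation stage that suppresses lone deviations (added example; not
the chapter's own code)."""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev


@dataclass
class EwmaChart:
    """Process-behaviour chart for one metric.

    z_t = lam*x_t + (1-lam)*z_{t-1} is the one-step-ahead forecast of x_{t+1};
    a sample is out of control when |x_t - z_{t-1}| > L * sigma_r.
    """
    name: str
    lam: float = 0.3       # assumed smoothing constant
    L: float = 3.0         # assumed control limit, in residual sigmas
    z: float = 0.0         # current EWMA (forecast for the next sample)
    sigma_r: float = 0.0   # std dev of the one-step-ahead residual

    def train(self, baseline):
        self.z = mean(baseline)
        # For iid samples with std sigma_x, Var(x_t - z_{t-1}) = sigma_x^2 * 2/(2-lam)
        self.sigma_r = pstdev(baseline) * sqrt(2.0 / (2.0 - self.lam))
        return self

    def observe(self, x):
        """Return True if x is out of control; otherwise fold it into the EWMA."""
        if abs(x - self.z) > self.L * self.sigma_r:
            # Do not update on an out-of-control point, otherwise a sustained
            # flood would quickly become the "normal" forecast.
            return True
        self.z = self.lam * x + (1.0 - self.lam) * self.z
        return False


def correlate(charts, streams, window=1, quorum=2):
    """Feed every chart its stream in lock-step and fuse deviations in time.

    Returns (raw_alarms, incidents): raw_alarms lists every per-chart
    out-of-control point as (t, metric); incidents are runs of consecutive
    steps at which at least `quorum` charts deviated within `window` steps
    of each other. Only the incidents would be forwarded to the analyst.
    """
    n = len(next(iter(streams.values())))
    last_alarm = {name: None for name in charts}
    raw_alarms, incidents = [], []
    for t in range(n):
        fired = set()
        for name, chart in charts.items():
            if chart.observe(streams[name][t]):
                fired.add(name)
                last_alarm[name] = t
        raw_alarms.extend((t, name) for name in sorted(fired))
        if not fired:
            continue
        agreeing = {name for name, ta in last_alarm.items()
                    if ta is not None and t - ta <= window}
        if len(agreeing) < quorum:
            continue  # deviation on a single behaviour: filtered out
        if incidents and t - incidents[-1]["end"] <= 1:
            incidents[-1]["end"] = t
            incidents[-1]["metrics"] |= agreeing
        else:
            incidents.append({"start": t, "end": t, "metrics": set(agreeing)})
    return raw_alarms, incidents


def demo():
    # Constructed per-second counters (not capture data): a quiet baseline,
    # an isolated packet spike at t=5, an isolated source-count spike at t=8,
    # and a three-second flood at t=12..14 that lifts every behaviour at once.
    baseline = {
        "pkts": [100, 102, 98, 101, 99, 103, 97, 100, 102, 99],
        "syn":  [20, 22, 18, 21, 19, 23, 17, 20, 22, 19],
        "srcs": [50, 52, 48, 51, 49, 53, 47, 50, 52, 49],
    }
    streams = {
        "pkts": [101, 99, 100, 102, 98, 130, 100, 101, 99, 100, 102, 98,
                 400, 420, 410, 101, 99, 100],
        "syn":  [21, 19, 20, 22, 18, 20, 21, 19, 20, 22, 18, 20,
                 300, 320, 310, 21, 19, 20],
        "srcs": [51, 49, 50, 52, 48, 50, 51, 49, 80, 52, 48, 50,
                 900, 950, 920, 51, 49, 50],
    }
    charts = {name: EwmaChart(name).train(baseline[name]) for name in streams}
    return correlate(charts, streams)


if __name__ == "__main__":
    raw, incidents = demo()
    print(f"{len(raw)} per-chart alarms reduced to {len(incidents)} incident(s)")
    for inc in incidents:
        print(f"t={inc['start']}..{inc['end']} metrics={sorted(inc['metrics'])}")
```

On the constructed input the three charts produce 11 per-chart alarms, but the two isolated spikes never coincide with a deviation on another behaviour and are dropped, leaving the single flood at t=12..14 as the only incident. Freezing the EWMA on out-of-control points is a design choice made here so that the baseline is not poisoned during a long flood; the trade-off is that a genuine level shift in legitimate traffic keeps alarming until the chart is retrained.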
- Multi-Agent based Framework for Time-correlated Alert Detection of Volume Attacks
- Springer Berlin Heidelberg