The invention relates to a method of automatically classifying alerts issued by intrusion detection sensors.
The security of information systems relies on the deployment of intrusion detection systems (IDS) including intrusion detection sensors that send alerts to alert management systems.
Intrusion detection sensors are active components of the intrusion detector system that analyze one or more sources of data for events characteristic of an intrusive activity, and they send alerts to an alert management system that centralizes the alerts from the various sensors and optionally analyzes all the alerts.
Intrusion detection sensors generate a very large number of alerts, possibly several thousand alerts a day, as a function of the configuration and the environment.
The surplus alerts may result from a combination of several phenomena. First of all, false alerts represent up to 90% of the total number of alerts. Secondly, it is often the case that alerts are too “granular”, i.e. that their semantic content is highly impoverished. Finally, alerts are often repetitive and redundant.
To facilitate analysis by a security operator, it is therefore necessary to process alerts upstream of the management system in order to correlate them, i.e. reduce the overall quantity of alerts and simultaneously improve their semantic content. This can be achieved by unsupervised classification of alerts.
The objective of unsupervised classification of alerts is to divide the alert space into a plurality of classes taking account of variables that characterize them.
In the present field of application, the alerts that are classified are described by variables that are essentially qualitative and structured.
The qualitative and structured variables belong to discrete domains, each of which has a partial order.
Classifying qualitative structured variables is known as conceptual classification.
One conceptual classification method is proposed by R. S. Michalski and R. E. Stepp in their paper “Learning from Observation: Conceptual Clustering” published in “Machine Learning: An Artificial Intelligence Approach” in 1993.
That method takes a data set and constructs a conceptual hierarchy “downwards”, dividing a complete data set into separate classes.
Because it divides the data set and is incapable of integrating a new item of data without being reinitialized, the Michalski method is unsuited to classifying alerts.
Because there can be several new alerts per second, alert databases are highly dynamic.
D. H. Fisher proposes another conceptual classification method in a Ph.D. thesis “Knowledge Acquisition via Incremental Conceptual Clustering”, Department of Information and Computer Science, University of California, 1987.
The Fisher method is an incremental conceptual classification method that does not require prior knowledge of the required number of classes. However, this method applies only to nominal variables.
Other methods derived from the Fisher method process structured data. The structure of the hierarchy obtained by those methods depends greatly on the order of insertion of the data. Moreover, the Fisher approach divides up the data set.
Manganaris et al., in a paper entitled “A Data Mining Analysis of RTID Alarms” given at the 2nd International Workshop on Recent Advances in Intrusion Detection 1999, propose modeling a tolerated behavior of an information system using alerts supplied by intrusion detector tools. The use of intrusion detection systems (IDS) in an operational environment shows that the less frequent alerts are generally the more suspect ones.
According to that model, repetitive alerts are considered to be either false alerts caused by normal behavior of information system entities that appears intrusive from the IDS point of view or failures of those entities.
K. Julisch proposes another method of classifying alerts in a paper “Mining Alarm Clusters to Improve Alarm Handling Efficiency”, Proceedings of the 17th ACSAC, 2001. That method generalizes alerts to highlight groups of alerts that are more pertinent than each alert considered individually.
The method used by Julisch is a modification of a method proposed by Han et al. in “Exploration of the Power of Attribute-Oriented Induction in Data Mining”, in “Advances in Knowledge Discovery and Data Mining”, AAAI Press/MIT Press, 1996.
Briefly, the Han method generalizes structured variables. The domain of each variable has partial order represented by a tree hierarchy, the level of abstraction or generalization whereof increases from the leaves of the hierarchy to its summit.
The Han method is iterative. Each iteration chooses an attribute and generalizes that attribute of every individual in accordance with the associated hierarchy. Individuals (alerts) that are equal after generalization are merged, so the overall number of alerts decreases on each iteration. The process stops when that number falls below a given threshold.
That criterion for stopping the process is not satisfactory since it is not possible to know a priori how many groups of alerts it is desirable to present to the security operator. Moreover, the generalized alerts obtained may be overgeneralized and of limited interest. The difficulty of that approach therefore consists in finding a good compromise between greatly reducing the number of alerts and maintaining their pertinence.
The modification introduced by Julisch consists in removing from the set of alerts subjected to the generalization process any generalized alerts for which the number of underlying alert instances exceeds a given threshold.
To avoid overgeneralization, generalization of the remaining generalized alerts is cancelled and the process iterated using another attribute.
The drawback of that method is that it is unable to identify pertinent generalizations that might have arisen if the alerts supplied to the security operator had been retained for subsequent generalizations. Moreover, the nature of the generalized alerts obtained depends on the order of the attributes, which is based on heuristics.
Finally, the Julisch method is not incremental and the generalization process must be reinitialized on each request from the security operator.