Abstract

With the growth of network security threats, security devices that generate large numbers of logs and alerts are widely deployed. This paper proposes an alert aggregation scheme based on conditional rough entropy and knowledge granularity to address the repetitive and redundant alert information produced by network security devices. First, conditional rough entropy and knowledge granularity are used to determine attribute weights; this method identifies which attributes matter, and how much, separately for each type of attack. The weighted attributes are then used to compute a similarity value between two alerts. Next, a sliding time window is used to aggregate alerts whose similarity value exceeds a threshold, which reduces the number of redundant alerts. Finally, the proposed scheme is applied to the CIC-IDS 2018 dataset and the DARPA 98 dataset. The experimental results show that the method effectively reduces redundant alerts and improves the efficiency of data processing, providing accurate and concise data for the next stage of alert fusion and analysis.

Highlights

  • With the continuous development of computer network technology, people are becoming increasingly dependent on the convenience of the Internet

  • We propose a method of attribute selection and attribute weight determination based on conditional rough entropy and knowledge granularity, which better captures how attribute importance differs across attack scenarios and improves the efficiency of alert aggregation

  • We propose an attribute weight calculation method that is based on attack classification: attack events are analysed per class, and the method, combining conditional rough entropy and knowledge granularity, is applied to historical data to obtain the important attributes and their weights for each attack classification
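The abstract and the two highlights above describe the pipeline in words only: per-class attribute weights from conditional rough entropy and knowledge granularity, a weighted alert similarity, and a sliding-window merge above a threshold. The following Python block is an added illustration of that pipeline and is not the paper's code; the page does not reproduce the paper's formulas, so the block assumes the textbook rough-set definitions (knowledge granularity GD(P) = Σ|X_i|²/|U|² over the equivalence classes of P, and the conditional entropy of a decision given those classes) and an assumed way of combining them: for each attack class, an attribute's weight is its information gain about "is this alert of that class" multiplied by its granularity among that class's historical alerts (values that repeat within the class make a good grouping key). The alert records, the class labels, the threshold of 0.8 and the 60 s window are all constructed here, not taken from CIC-IDS 2018 or DARPA 98.

```python
"""Alert aggregation with rough-set attribute weights and a sliding window.

Added example (not the paper's code). Formulas and data are assumptions,
chosen to show why dst_port should weigh little for a port scan but a lot
for an SSH brute-force, and how that changes what gets merged.
"""
from collections import defaultdict
from math import log2

ATTRS = ("src_ip", "dst_ip", "dst_port", "proto", "sig")


def alert(ts, src_ip, dst_ip, dst_port, sig, cls, proto="tcp"):
    """One IDS alert; `cls` is the attack class the signature maps to."""
    return dict(ts=ts, src_ip=src_ip, dst_ip=dst_ip, dst_port=dst_port,
                proto=proto, sig=sig, cls=cls)


# Constructed labelled history: one scanner probing six ports, one SSH
# brute-forcer hammering port 22 (assumed data, not a public dataset).
HISTORY = (
    [alert(t, "10.0.0.5", "10.0.1.9", p, "portscan", "scan")
     for t, p in enumerate((21, 23, 25, 80, 443, 8080))]
    + [alert(10 + t, "10.0.0.7", "10.0.1.10", 22, "ssh-brute", "bruteforce")
       for t in range(4)]
)


def partition(rows, attrs):
    """Equivalence classes U/IND(P): rows that agree on every attribute in P."""
    blocks = defaultdict(list)
    for i, r in enumerate(rows):
        blocks[tuple(r[a] for a in attrs)].append(i)
    return list(blocks.values())


def knowledge_granularity(rows, attrs):
    """GD(P) = sum |X_i|^2 / |U|^2; 1.0 means a single block, 1/|U| means all unique."""
    n = len(rows)
    return sum(len(b) ** 2 for b in partition(rows, attrs)) / (n * n)


def conditional_entropy(rows, attrs, decision):
    """H(D | P) in bits, computed over the equivalence classes of P."""
    n, h = len(rows), 0.0
    for block in partition(rows, attrs):
        counts = defaultdict(int)
        for i in block:
            counts[decision(rows[i])] += 1
        for c in counts.values():
            h -= (c / n) * log2(c / len(block))
    return h


def attribute_weights(history, cls):
    """Assumed combination: gain about 'is class cls' x granularity within cls."""
    is_cls = lambda r: r["cls"] == cls
    in_cls = [r for r in history if is_cls(r)]
    base = conditional_entropy(history, (), is_cls)   # H(D): the whole U is one block
    raw = {}
    for a in ATTRS:
        gain = max(base - conditional_entropy(history, (a,), is_cls), 0.0)
        raw[a] = gain * knowledge_granularity(in_cls, (a,))
    total = sum(raw.values())
    return {a: (v / total if total else 1 / len(ATTRS)) for a, v in raw.items()}


def similarity(x, y, weights):
    """Weighted attribute-match score in [0, 1] (weights sum to 1)."""
    return sum(w for a, w in weights.items() if x[a] == y[a])


def aggregate(stream, weights_by_cls, threshold=0.8, window=60):
    """Sliding time window: an alert joins the first open aggregate of the same
    class whose representative is at least `threshold` similar; aggregates idle
    for more than `window` seconds are closed before the comparison."""
    open_aggs, closed = [], []
    for al in sorted(stream, key=lambda r: r["ts"]):
        fresh = []
        for agg in open_aggs:
            (fresh if al["ts"] - agg["last_ts"] <= window else closed).append(agg)
        open_aggs = fresh
        w = weights_by_cls[al["cls"]]
        for agg in open_aggs:
            if agg["rep"]["cls"] == al["cls"] and similarity(agg["rep"], al, w) >= threshold:
                agg["count"] += 1
                agg["last_ts"] = al["ts"]
                break
        else:
            open_aggs.append(dict(rep=al, count=1, first_ts=al["ts"], last_ts=al["ts"]))
    return sorted(closed + open_aggs, key=lambda a: a["first_ts"])


# Constructed live stream: a scan burst, a second scanner, a brute-force burst,
# then the first scanner again after the window has expired.
STREAM = (
    [alert(t, "10.0.0.5", "10.0.1.9", p, "portscan", "scan")
     for t, p in enumerate((22, 53, 110, 143, 3306, 8443))]
    + [alert(6, "10.0.0.6", "10.0.1.9", 22, "portscan", "scan")]
    + [alert(10 + t, "10.0.0.7", "10.0.1.10", 22, "ssh-brute", "bruteforce") for t in range(3)]
    + [alert(100, "10.0.0.5", "10.0.1.9", 5900, "portscan", "scan")]
)


def run():
    weights = {c: attribute_weights(HISTORY, c) for c in ("scan", "bruteforce")}
    return weights, aggregate(STREAM, weights)


if __name__ == "__main__":
    weights, aggs = run()
    for c, w in weights.items():
        print(c, {a: round(v, 3) for a, v in w.items()})
    for agg in aggs:
        r = agg["rep"]
        print(f"{r['cls']:<10} {r['src_ip']:<10} x{agg['count']} [{agg['first_ts']}, {agg['last_ts']}]")
```

With the constructed history, dst_port receives weight 1/19 for the scan class (every scan alert has a different port, so the granularity factor is 1/6) but 0.25 for the brute-force class, while proto, which is tcp everywhere, gets weight 0 for both. Two scan alerts that differ only in port therefore score 18/19 and merge, a scan alert from a second source scores 13/19 and stays separate, and the late alert at t=100 opens a new aggregate because the earlier one had been idle longer than the window.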


Summary

Introduction

With the continuous development of computer network technology, people are becoming increasingly dependent on the convenience of the Internet. A wide range of network security technologies, such as intrusion detection systems (IDS), firewalls and vulnerability scanners, are used to protect devices on the Internet from illegal intrusion. Intrusion detection assumes that an intruder's activity differs from that of a normal user: the data to be examined are compared with a behavior model, and the system decides whether the observed behavior matches the defined abnormal behavior [2]. Matching against defined abnormal behavior detects known intrusion methods but cannot recognize new ones. Intrusion detection systems can be divided into network-based intrusion detection systems (NIDS) [3] and host-based
