Statistical analysis of Snort alarms for a medium-sized network
Source: Journal of Information Systems Security, Volume 7, Number 3 (2011), pp. 17–31
ISSN 1551-0123 (Print), ISSN 1551-0808 (Online)
Authors: Kitti Chantawut (University of Plymouth, UK); Bogdan Ghita (University of Plymouth, UK)
Publisher: Information Institute Publishing, Washington DC, USA
Abstract
Statistical analysis of network intrusions has been an active research topic for many years. However, due to the complexity of, and the security concerns associated with, the Internet, this area of research remains challenging, from the monitored networks and the methodology used to the focus of the analysis and the presentation of the results. This paper aims to provide additional insight into this area by analysing a set of IDS alarms collected over a period of three months from the external interface of the edge router at the University of Plymouth. The motivation of this study is to quantitatively classify and understand the nature of current Internet threats, as observed at a medium-sized stub network, leading to long-term analysis of trends and recurring patterns of attacks. In the study, fundamental features of intrusion activity are investigated through a number of characteristics, from the daily volume of intrusion attempts to the sources and destinations of the intrusion attempts, as well as the specific attack type. The results of the study show high levels and a wide variety of intrusion attempts. They also show that the attacks follow daily timescales and that their on/off patterns exhibit recurrence of correlated behaviours. Furthermore, the Slammer worm still appears on the Internet long after its original release. Deeper investigation reveals that the sources of attacks are spread uniformly, apart from a large proportion of intrusions generated by a small number of IP addresses located in China.
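The abstract lists the summaries the study derives from its Snort alarms: daily volume, time-of-day behaviour, source and destination breakdowns, per-signature counts, and how concentrated the sources are. The Python below is an added example and is not the authors' code or data: it parses lines in Snort's alert_fast output format and computes those summaries. The alert lines are constructed (documentation-range addresses; the "Constructed example scan" and "Constructed ICMP probe" rule SIDs are hypothetical local rules), and the ICMP line shows the port-less case the parser has to tolerate.

```python
"""Summarise Snort alert_fast output: daily volume, hourly profile,
top sources, signature counts and source concentration.
Added example; not the paper's analysis code."""
import re
from collections import Counter

# Constructed sample alert lines (not real captures). SIDs 1000001/1000002
# are hypothetical local rules; addresses come from RFC 5737 documentation ranges.
SAMPLE_ALERTS = """\
03/01-02:15:10.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1046 -> 198.51.100.23:1434
03/01-02:15:11.223456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1046 -> 198.51.100.24:1434
03/01-09:40:02.000001  [**] [1:1000001:1] Constructed example scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.55:44211 -> 198.51.100.10:22
03/02-02:16:30.500000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1046 -> 198.51.100.25:1434
03/02-13:05:00.000000  [**] [1:1000001:1] Constructed example scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.56:51000 -> 198.51.100.10:22
03/03-02:17:45.750000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1046 -> 198.51.100.26:1434
03/03-10:00:00.000000  [**] [1:1000002:1] Constructed ICMP probe [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.57 -> 198.51.100.10
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then "src[:port] -> dst[:port]". Ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["day"] = rec["ts"][:5]          # "MM/DD" part of the timestamp
        rec["hour"] = int(rec["ts"][6:8])   # hour of day, for diurnal profiling
        alerts.append(rec)
    return alerts


def daily_volume(alerts):
    """Alerts per day: the basic trend series."""
    return dict(Counter(a["day"] for a in alerts))


def hourly_profile(alerts):
    """Alerts per hour of day across all days; bursts at fixed hours
    indicate the daily-timescale on/off behaviour the study reports."""
    return dict(Counter(a["hour"] for a in alerts))


def top_sources(alerts, n=5):
    """The n busiest source addresses with their alert counts."""
    return Counter(a["src"] for a in alerts).most_common(n)


def signature_counts(alerts):
    """Alerts per rule message, i.e. the attack-type breakdown."""
    return dict(Counter(a["msg"] for a in alerts))


def source_concentration(alerts, k=1):
    """Fraction of all alerts produced by the k busiest sources; a value far
    above k/len(sources) means a few addresses dominate the alarm volume."""
    if not alerts:
        return 0.0
    top = Counter(a["src"] for a in alerts).most_common(k)
    return sum(count for _, count in top) / len(alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("daily:", daily_volume(parsed))
    print("hourly:", hourly_profile(parsed))
    print("top sources:", top_sources(parsed, 3))
    print("signatures:", signature_counts(parsed))
    print("share of top source: %.2f" % source_concentration(parsed, 1))
```

On a real three-month alert file the same functions apply unchanged to the output of `open(path).read()`; the hourly profile and source-concentration figures are the two summaries that most directly expose the recurring daily bursts and the small set of dominant sources the abstract describes.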
Keywords
Trend Analysis, Intrusion Detection System, Snort, Slammer