Detecting Abnormal Network Traffic in the Secure Event Management Systems

A. Abd Elmomen, A. Bahaa El Din, A. Wahdan
2011 International Conference on Aerospace Sciences and Aviation Technology  
State-of-the-art intrusion detection and monitoring systems produce hundreds or even thousands of events every day. Unfortunately, most of these events are false positives or irrelevant and can be considered background noise, which makes their correlation, analysis and investigation very complicated and resource consuming. This paper attempts to model the background noise using non-stationary time series analysis with a lag-smoothing Kalman filter. It then introduces a second technique applying a multilayer perceptron neural network trained with back propagation, an approach used for the first time for modeling and correlating the background noise. The DARPA dataset is used to analyze and compare both techniques, and finally a verification experiment is conducted on a dataset gathered from a real network environment.

The Internet has now become the most commonly used means of communication among companies, business partners and end users. Consequently, most organizations put their critical resources online, which increases cyber crime, attacks and malicious activity. Despite the importance of firewalls and antivirus applications, these tools are not sufficient to protect data from network attacks. Since most attacks originate from inside the network, event management and intrusion detection systems (IDSs) are necessary as a complementary solution. IDSs and monitoring systems produce hundreds or even thousands of events every day [1], and most of those alerts are false positives or irrelevant [2, 3]. Correlation of such events is therefore required in order to reduce the huge number of alerts as well as to predict high-level, structured network threats. The alert correlation process has three major phases: alert collection; alert aggregation and verification; and finally the construction of high-level alert structures [4]. Each phase has a specific role in alert reduction. We notice that the alert verification component in the second phase reduces the highest number of alerts. Because false and irrelevant positives exist, those types of alerts may still contain interesting traffic that needs more investigation. This research focuses on the alert verification component by modeling and analyzing the background noise and thereby detecting any irregular traffic. Those anomalies may be a new type of attack, an
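One way to realise the background-noise model described above, as an added example that is not the authors' code: a scalar Kalman filter with a local-level (random-walk) state is run over per-interval IDS alert counts, and an interval is flagged when its normalised innovation exceeds a threshold measured in standard deviations. The state-space model, the parameters `q` and `r`, the `Anomaly` type and the alert counts in `SAMPLE_COUNTS` are all assumptions constructed for the illustration; the paper's lag-smoothing variant is not reproduced, this is a plain forward filter.

```python
"""Modelling IDS alert-count background noise with a scalar Kalman filter.

Added example, not code from the paper.  Assumes a local-level
(random-walk) state-space model for the alert count per time interval:

    x_t = x_{t-1} + w_t,  w_t ~ N(0, Q)   # slowly drifting noise floor
    z_t = x_t + v_t,      v_t ~ N(0, R)   # observed alert count

An interval is flagged when the normalised innovation
|z_t - x_pred| / sqrt(S_t) exceeds a threshold (in standard deviations).
The alert counts in SAMPLE_COUNTS are constructed, not real IDS data.
"""
from dataclasses import dataclass
import math


@dataclass
class Anomaly:
    index: int       # position of the interval in the series
    count: float     # observed alert count
    baseline: float  # filter's prediction of the background level
    score: float     # normalised innovation, in standard deviations


def detect_anomalies(counts, q=1.0, r=16.0, threshold=3.0):
    """Run the filter over `counts` and return the flagged intervals.

    q: process-noise variance (how fast the noise floor may drift)
    r: measurement-noise variance (normal scatter of the counts)
    Flagged observations are not used to update the state, so a burst of
    alerts does not drag the estimated background level up with it.
    """
    x = float(counts[0])  # initial level estimate: first observation
    p = r                 # initial uncertainty about the level
    flagged = []
    for t, z in enumerate(counts):
        # Predict: the level is assumed constant, uncertainty grows by q.
        x_pred, p_pred = x, p + q
        # Innovation (prediction error) and its variance.
        innov = z - x_pred
        s = p_pred + r
        score = innov / math.sqrt(s)
        if abs(score) > threshold:
            flagged.append(Anomaly(t, z, x_pred, score))
            # Keep the prediction; the outlier is not background noise.
            x, p = x_pred, p_pred
            continue
        # Update the level estimate with the Kalman gain.
        k = p_pred / s
        x = x_pred + k * innov
        p = (1.0 - k) * p_pred
    return flagged


# Constructed hourly alert counts: a stable floor around 40 with two bursts
# (intervals 10 and 15).
SAMPLE_COUNTS = [40, 42, 39, 41, 40, 38, 42, 41, 39, 40,
                 120, 41, 40, 39, 43, 95, 41, 40]


def run_demo():
    """Flag the bursts in the constructed series with default parameters."""
    return detect_anomalies(SAMPLE_COUNTS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"interval {a.index}: {a.count} alerts vs baseline "
              f"{a.baseline:.1f} (score {a.score:.1f} sd)")
```

The local-level model only captures a slowly drifting floor with Gaussian scatter; alert streams with a strong daily cycle need a seasonal component in the state (or detrending) before this filter, otherwise every morning ramp-up is flagged. Skipping the update on flagged intervals also means a genuine, sustained shift in the baseline is reported as a run of anomalies until `p` has grown enough for the filter to accept the new level, which is usually the desired behaviour for an analyst but should be understood when tuning `q`.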
doi:10.21608/asat.2011.23416 fatcat:ruiwszgblnf3nljcwlmtxd643e