Research Student Profile


Dr Gina C Tjhai PhD

Research Student

Brief biographical information


Anomaly-Based Correlation of IDS Alarms

An Intrusion Detection System (IDS) is one of the major techniques for securing information systems and keeping pace with current and potential threats and vulnerabilities in computing systems. It is an indisputable fact that the art of detecting intrusions is still far from perfect, and IDSs tend to generate a large number of false alarms. Hence a human analyst has to validate those alarms before any action can be taken. As IT infrastructures become larger and more complicated, the number of alarms that need to be reviewed can escalate rapidly, making this task very difficult to manage. The need for an automated correlation and reduction system is therefore very much evident. In addition, alarm correlation is valuable in providing operators with a more condensed view of potential security issues within the network infrastructure.

The thesis embraces a comprehensive evaluation of the problem of false alarms and a proposal for an automated alarm correlation system. A critical analysis of existing alarm correlation systems is presented along with a description of the need for an enhanced correlation system. The study concludes that whilst a large body of work has been carried out on improving correlation techniques, none of it is perfect: existing systems either require an extensive level of domain knowledge from human experts to run effectively, or are unable to provide high-level information about the false alerts for future tuning. The overall objective of the research has therefore been to establish an alarm correlation framework and system which enables the administrator to effectively group alerts from the same attack instance and subsequently reduce the volume of false alarms without the need for domain knowledge.

The achievement of this aim has comprised the proposal of an attribute-based approach, which is used as a foundation to systematically develop an unsupervised two-stage correlation technique. From this formation, a novel SOM K-Means Alarm Reduction Tool (SMART) architecture has been modelled as the framework from which a time- and attribute-based aggregation technique is offered. The thesis describes the design and features of the proposed architecture, focusing upon the key components forming the underlying architecture, the alert attributes, and the way they are processed and applied to correlate alerts. The architecture is strengthened by the development of a statistical tool, which offers a means of performing result and alert analysis and comparison.
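As an added illustration of the two stages described above (this is example code written for this page, not the SMART prototype or any code by the author), the following Python sketch runs over a handful of constructed Snort-style alerts. Stage 1 aggregates alerts that share a signature and source address and arrive within an assumed 60-second window into attack instances; stage 2 summarises each instance by four assumed attributes (alert count, distinct destinations, distinct ports, duration), maps the vectors onto a small self-organising map (SOM) and groups the map's neurons with K-means, so that instances landing on neurons in the same cluster receive the same label. The map size, learning schedule and k=2 are choices made for the example, not values taken from the thesis.

```python
"""Toy two-stage, unsupervised IDS alert correlation (illustration only)."""
import math
from collections import defaultdict

# Constructed Snort-style alerts: (timestamp_s, signature_id, src_ip, dst_ip, dst_port).
ALERTS = (
    # One source probing ten ports on one host within nine seconds (a scan).
    [(t, 1000, "10.0.0.5", "192.168.1.10", 21 + t) for t in range(10)]
    # The same source pinging six hosts (ICMP, so port 0): a sweep.
    + [(100 + i, 1001, "10.0.0.5", f"192.168.1.{i + 1}", 0) for i in range(6)]
    # Isolated alerts from internal hosts, far apart in time: typical noise.
    + [(t, 2000, "192.168.1.20", "203.0.113.7", 80) for t in (300, 900, 1500, 2100)]
    + [(400, 2001, "192.168.1.21", "203.0.113.9", 443)]
)

def aggregate(alerts, window=60):
    """Stage 1: alerts sharing (signature, source) that arrive within `window`
    seconds of the previous one are treated as the same attack instance."""
    by_key = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a[0]):
        by_key[(a[1], a[2])].append(a)
    instances = []
    for group in by_key.values():
        current = [group[0]]
        for a in group[1:]:
            if a[0] - current[-1][0] <= window:
                current.append(a)
            else:
                instances.append(current)
                current = [a]
        instances.append(current)
    return instances

def features(instance):
    """Assumed per-instance attributes: volume, target spread, port spread, duration."""
    ts = [a[0] for a in instance]
    return [len(instance), len({a[3] for a in instance}),
            len({a[4] for a in instance}), max(ts) - min(ts)]

def normalise(vectors):
    """Min-max scale each column to [0, 1]; a constant column becomes 0."""
    cols = list(zip(*vectors))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi)]
            for v in vectors]

def dist2(u, v):
    return sum((a - b) ** 2 for a, b in zip(u, v))

def best_unit(codebook, v):
    """Index of the neuron whose weight vector is nearest to v (first on ties)."""
    return min(range(len(codebook)), key=lambda n: dist2(codebook[n], v))

def train_som(vectors, side=3, epochs=20, lr0=0.5, sigma0=1.5):
    """Stage 2a: a side x side SOM. Weights start on a linear ramp from the
    feature minimum to maximum so the run is deterministic (no random init)."""
    dims = len(vectors[0])
    grid = [(i, j) for i in range(side) for j in range(side)]
    codebook = [[(i + j) / (2 * (side - 1))] * dims for i, j in grid]
    for epoch in range(epochs):
        lr = lr0 * (1 - epoch / epochs)                 # learning rate decays to ~0
        sigma = sigma0 * (1 - epoch / epochs) + 0.1     # neighbourhood shrinks, never 0
        for v in vectors:
            bi, bj = grid[best_unit(codebook, v)]
            for n, (i, j) in enumerate(grid):
                h = math.exp(-((i - bi) ** 2 + (j - bj) ** 2) / (2 * sigma * sigma))
                codebook[n] = [w + lr * h * (x - w) for w, x in zip(codebook[n], v)]
    return codebook

def kmeans(points, k=2, iters=50):
    """Stage 2b: K-means over the SOM codebook with deterministic farthest-point
    seeding; an empty cluster keeps its previous centroid."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist2(p, c) for c in centroids)))
    labels = [0] * len(points)
    for _ in range(iters):
        new = [min(range(k), key=lambda c: dist2(p, centroids[c])) for p in points]
        if new == labels:
            break
        labels = new
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def correlate(alerts):
    """Run both stages; return (attack instances, cluster label per instance)."""
    instances = aggregate(alerts)
    vectors = normalise([features(i) for i in instances])
    codebook = train_som(vectors)
    unit_labels = kmeans(codebook)
    return instances, [unit_labels[best_unit(codebook, v)] for v in vectors]

if __name__ == "__main__":
    for inst, lab in zip(*correlate(ALERTS)):
        print(f"cluster {lab}: sig {inst[0][1]} from {inst[0][2]}, {len(inst)} alert(s)")
```

On the constructed input the five isolated single-alert instances share one cluster while the ten-alert scan lands in the other, which is the condensed view the approach is meant to give an operator: repetitive, low-information alerts are grouped together rather than reviewed one by one. Deciding which cluster to suppress, and tuning the window and attributes for a real sensor, remains a separate step.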

The main concepts of the novel architecture are validated through the implementation of a prototype system. A series of experiments was conducted to assess the effectiveness of SMART in reducing false alarms. This aimed to demonstrate the viability of implementing the system in a practical environment and that the study has provided an appropriate contribution to knowledge in this field.

Dr Gina C Tjhai

Director of studies: Prof Steven M Furnell
Other supervisors: Dr Maria Papadaki, Dr Nathan L Clarke

Journal papers

A preliminary two-stage alarm correlation and filtering system using SOM neural network and K-means algorithm
Tjhai GC, Furnell SM, Papadaki M, Clarke NL
Computers & Security, Volume 29, Issue 6, pp712-723, 2010

1 Journal papers

Conference papers

The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset
Tjhai GC, Papadaki M, Furnell SM, Clarke NL
Lecture Notes in Computer Science, Volume 5185/2008, ISBN: 978-3-540-85734-1, pp139-150, 2008

Investigating the problem of IDS false alarms: An experimental study using Snort
Tjhai GC, Papadaki M, Furnell SM, Clarke NL
Proceeding of the 23rd International Information Security Conference (SEC 2008), Milan, Italy, 8-10 September, pp253-267, 2008

2 Conference papers

Internal publications

Strengthening the Human Firewall
Tjhai GC, Furnell SM
Advances in Network & Communication Engineering 4, ISBN: 978-1-84102-180-5, pp222-230, 2007

Comprehensive approaches of intrusion detection in handling false alarm issue
Tjhai GC
Proceedings of the Third Collaborative Research Symposium on Security, E-learning, Internet and Networking (SEIN 2007), Plymouth, UK, ISBN: 978-1-8410-2173-7, pp53-66, 2007

2 Internal publications

Technical articles

An unsupervised IDS False Alarm Reduction System – SMART
Tjhai GC, Papadaki M
Hakin9 IT Security Magazine, Starter Kit Vol 2 Iss 1, ISSN 1896-9801, pp24-28, 2011

1 Technical articles

6 publication(s) - all categories.