International Journal Of Advanced Research and Innovations Vol.1, Issue .1


International Journal Of Advanced Research and Innovations Vol.1, Issue .1 ISSN Online: 2319 – 9253

Print: 2319 – 9245

IJARAI.COM Dec/2012 Page 52

Alert Correlations in Intrusion Detection systems

P. Sai Prasad [1]

J. KrishnaVeni [2]

1. Asst. Professor, Dept. of CSE, Sanjeevani College of Engineering, Kopargaon, Shiridi

2. HOD, Dept. of IT, Vivekananda Institute of Technology and Science, Karimnagar

ABSTRACT

The use of wireless sensors has increased drastically around the world, and providing security for them is a tedious task because of the many constraints involved. Sensor networks face the challenges of energy, memory usage and computation power and, finally, quality assurance issues. Privacy preservation is a scheme for providing security to sensor networks; we add some more enhanced parameters such as identity routing, location, identity, etc., and by this achieve reliability and cost worthiness.

Keywords: privacy; routing; wireless sensor networks, IRLScheme, network model

I. INTRODUCTION

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. [1]

IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall), or changing the attack's content. [1]

II. TYPES OF IDS

For the purpose of dealing with IT, there are three main types of IDS:

1. Network intrusion detection system (NIDS)

A NIDS is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts, developed in 1986 by Pete R. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.

2. Host-based intrusion detection system (HIDS)

A HIDS consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. Examples of HIDS are Tripwire and OSSEC.


3. Stack-based intrusion detection system (SIDS)

This type of system is an evolution of the HIDS. The packets are examined as they go through the TCP/IP stack and, therefore, it is not necessary to work with the network interface in promiscuous mode. This makes its implementation dependent on the operating system that is being used.

Intrusion detection systems can also be system-specific, using custom tools and honeypots.

Privacy Schemes

A number of privacy schemes [1, 3–7] have been proposed for WSNs; they are discussed below.

phantom routing scheme for WSNs, which helps to hide the location of a source from the attacker. In this scheme, each message reaches the destination in two phases: 1) a walking phase, in which the message is unicast in a random fashion within the first hwalk hops; 2) after that, the message is flooded using the baseline flooding technique. The major advantage of their scheme is the source location privacy protection, which improves as the network size and intensity increase because of high path diversity. On the other hand, if the network size increases, the flooding phase will consume more energy. This scheme does not provide identity privacy. Also, it is unable to provide data secrecy in the presence of identity privacy.

P. Kamat et al. [4] proposed a phantom single-path routing scheme that works in a similar fashion to the original phantom routing scheme [3]. The major difference between these two schemes is that after the walking phase, a packet is forwarded to the destination via a single-path routing strategy such as the shortest path routing mechanism. This scheme consumes less energy and requires slightly more memory than the first one. This scheme also does not provide identity privacy. Also, it is unable to provide data secrecy in the presence of identity privacy.

S. Misra and G. Xue [5] proposed two schemes, the Simple Anonymity Scheme (SAS) and the Cryptographic Anonymity Scheme (CAS), for establishing anonymity in clustered WSNs. The SAS scheme uses dynamic pseudonyms instead of the true identity during communications. Each sensor node needs to store a given range of pseudonyms that are non-contiguous. Therefore, the SAS scheme is not memory efficient. The CAS scheme, on the other hand, uses keyed hash functions to generate pseudonyms. This scheme is memory efficient compared to SAS, but it requires more computation power. The authors do not propose any routing scheme. The sender node may always send packets to the destination via the shortest path. In that case, an adversary who is capable of performing hop-by-hop trace back (with the help of direction information) can find out the location of the source node.

Y. Xi et al. [1] proposed a Greedy Random Walk (GROW) scheme to protect the location of the source node. This scheme works in two phases. In the first phase, the sink node sets up a path through a random walk with a node as a receptor. Then the source node forwards the packets towards the receptor in a random walk manner. Once the packet reaches the receptor, it will forward the packet to the sink

III. Wireless Sensor Networks (WSNs)

Network level privacy has often been categorized into four categories:

1. Sender node identity privacy: no intermediate node can get any information about who is sending the packets except the source, its immediate neighbors and the destination,

2. Sender node location privacy: no intermediate node can have any information about the location (in terms of physical distance or number of hops) of the sender node except the source, its immediate neighbors and the destination,

3. Route privacy: no node can predict the information about the complete path (from source to destination). Also, a mobile adversary gets no clue to trace back the source node either from the contents and/or directional information of the captured packet(s),

4. Data packet privacy: no node can see the information inside the payload of the data packet except the source and the destination.

Existing privacy schemes such as [1, 3–7], which have been proposed specifically for WSNs, provide only partial network level privacy. Providing full network level privacy is a critical and challenging issue because of the constraints imposed by the sensor nodes (e.g., energy, memory and computation power), the sensor network (e.g., mobility and topology) and QoS issues (e.g., packet reach-ability and trustworthiness). Thus, an energy-efficient privacy solution is needed to address these issues.

In order to achieve this goal, we incorporate basic design features from related research fields such as geographic routing and cryptographic systems. To our knowledge, we propose the first full network level privacy solution for WSNs. Our contribution lies in the following features.

• A new Identity, Route and Location (IRL) privacy algorithm is proposed that ensures the anonymity of the source node's identity and location. It also assures that the packets will reach their destination by passing through only trusted intermediate nodes.

• A new reliable Identity, Route and Location (r-IRL) privacy algorithm is proposed, which is an extension of our proposed IRL algorithm. This algorithm has the ability to forward packets over multiple secure paths to increase the packet reach-ability.

Fig. 1. Three sample cycle detection and prevention scenarios.

A. Network Model

A wireless sensor network (WSN) is composed of a large number of small sensor nodes that have limited resources and are densely deployed in an environment. Whenever end users require information about any event related to some object(s), they send a query to the sensor network via the base station. The base station propagates that query to the entire network or to a specific region of the network. In response to that query, sensor nodes send the required information back to the base station. A typical wireless sensor network scenario is shown in Figure 1. Links are bidirectional. Also, sensor nodes use the IEEE 802.11 standard link layer protocol, which keeps packets in its cache until the sender receives an acknowledgment (ACK). Whenever a receiver (next hop) node successfully receives the packet, it sends back an ACK packet to the sender. If the sender node does not receive an ACK packet during a predefined threshold time, then the sender node will retransmit that

For reasons of scalability, it is assumed that no sensor node needs to know the global network topology, except that it must know its own geographical location and that of its neighboring nodes and the base station. [16]

This paper focuses only on the development of a prevention strategy against network level privacy disclosure attacks, such as eavesdropping, traffic analysis and hop-by-hop trace back attacks. Other general attacks, such as flooding attacks, could be detected and prevented by using any IDS scheme proposed for WSNs.

B. Identity, Route, and Location Privacy (IRL)

Our proposed identity, route and location privacy scheme works in two phases. The first is the neighbor node state initialization phase, and the second is the routing phase.

Route Privacy: In the initialization phase, let node i have m neighboring nodes, of which t nodes are trusted. So, 0 ≤ t ≤ m and M(t) = M(tF) ∪ M(tBr) ∪ M(tBl) ∪ M(tBm). Here M(tF), M(tBr), M(tBl), and M(tBm) represent the sets of trusted nodes that are in the forward, right backward, left backward, and middle backward directions, respectively. These neighbor sets (M(tF), M(tBr), M(tBl), and M(tBm)) are initialized and updated whenever a change occurs in the neighborhood, for example, the entrance of a new node, a change of a trust value, etc.

Whenever a node needs to forward a packet, the routing phase of the IRL algorithm (Algorithm 1 for the source node and Algorithm 2 for an intermediate node) is called.

Whenever a source node (Algorithm 1) wants to forward a packet, it first checks the availability of trusted neighboring nodes in its forward direction set M(tF) (Line 2). If trusted nodes exist, it randomly selects one node from the set M(tF) as the next hop (Line 3) and forwards the packet towards it (Lines 13:21). If there is no trusted node in its forward direction, the source node checks the availability of a trusted node in the right (M(tBr)) and left (M(tBl)) backward sets. If trusted nodes are available, the source node randomly selects one node from these sets as the next hop (Line 3) and forwards the packet towards it (Lines 13:21). If no trusted node exists in these sets either, the source node randomly selects (Line 8) one trusted node from the backward middle set (M(tBm)) and forwards the packet towards it (Lines 13:21). If there are no trusted nodes available in any of the sets, the packet is dropped (Line 9:10).

Algorithm 1 IRL - Routing at Source Node.

 1: prevhop ← ∅; nexthop ← ∅;
 2: if M(tF) ≠ ∅ then
 3:     nexthop(k) = Rand(M(tF));
 4: else
 5:     if M(tBr) ∪ M(tBl) ≠ ∅ then
 6:         nexthop(k) = Rand(M(tBr) ∪ M(tBl));
 7:     else if M(tBm) ≠ ∅ then
 8:         nexthop(k) = Rand(M(tBm));
 9:     else
10:         Drop packet and Exit;
11:     end if
12: end if
13: Set prevhop = myid;
14: Form pkt p = {prevhop; nexthop; seqID; payload};
15: Create Signature and save in buffer;
16: Forward packet to nexthop;
17: Set timer Δt = (D / d_nexthop) × pt;
18: while Δt = true do
19:     Signature remains in buffer;
20: end while
21: Signature removed from buffer;

IRL scheme.

This routing strategy may result in the creation of a cycle (loop). However, because of the randomness in the selection of the next hop and the presence of the four different direction sets, the probability of creating any cycle is very low. Nevertheless, in order to fully avoid the occurrence of cycles, each node (prior to forwarding a packet) saves the signature of the packet in the buffer for the time δt, that is

δt = 2 (D/d × pt)

where D is the distance between the forwarding node and the base station, d is the distance between the forwarding node and the next hop, and pt is the propagation transfer time between the forwarding node and the next hop. This signature consists of two fields: (1) the sequence number of the packet, and (2) the payload. The potential of the signature to compare and identify the same packet is detailed in the later section. Corresponding to this signature, three more fields are also stored in the buffer: (1) the previous hop identity, (2) the next hop identity to which the packet is forwarded, and (3) a counter that tells how many times the same packet has been received by the node. This information will later be used to get rid of any cycle. The size of the buffer depends mainly on the network traffic conditions. However, it is expected to be low because the sensor nodes send data either at periodic intervals or upon the occurrence of some event.
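The following is an added example, not code from the paper: a Python sketch of the source-node routing in Algorithm 1 together with the signature buffer and hold time δt described above. The class and function names, the neighbour-distance table and the injected clock value `now` are assumptions made for illustration; what a node does after it recognises a repeated packet is left out, since this page does not describe it.

```python
import random
from dataclasses import dataclass


@dataclass
class BufferEntry:
    prevhop: str        # previous hop identity
    nexthop: str        # next hop the packet was forwarded to
    expires_at: float   # time at which the signature leaves the buffer
    counter: int = 0    # times this node has received the same packet


def hold_time(D, d, pt):
    """Signature hold time from the text: δt = 2 (D/d × pt)."""
    return 2 * (D / d * pt)


class SourceNode:
    """Source-node side of IRL routing (Algorithm 1) plus the signature buffer."""

    def __init__(self, node_id, dist_to_base, neighbour_dist, seed=None):
        self.node_id = node_id
        self.D = dist_to_base                  # distance to the base station
        self.neighbour_dist = neighbour_dist   # assumed: neighbour id -> distance d
        self.rng = random.Random(seed)
        # Trusted neighbour sets: forward, right/left/middle backward.
        self.M_tF, self.M_tBr, self.M_tBl, self.M_tBm = set(), set(), set(), set()
        self.buffer = {}                       # (seqID, payload) -> BufferEntry

    def select_next_hop(self):
        """Lines 2-12: forward set first, then right+left backward, then
        middle backward. Returns None when no trusted neighbour exists."""
        for candidates in (self.M_tF, self.M_tBr | self.M_tBl, self.M_tBm):
            if candidates:
                return self.rng.choice(sorted(candidates))
        return None

    def send(self, seq_id, payload, pt, now):
        """Lines 1-17: pick a hop, form the packet, buffer its signature."""
        nexthop = self.select_next_hop()
        if nexthop is None:
            return None                        # Line 10: drop packet
        pkt = {"prevhop": self.node_id, "nexthop": nexthop,
               "seqID": seq_id, "payload": payload}
        dt = hold_time(self.D, self.neighbour_dist[nexthop], pt)
        self.buffer[(seq_id, payload)] = BufferEntry(self.node_id, nexthop, now + dt)
        return pkt

    def seen_before(self, pkt, now):
        """Cycle check on reception: expire old signatures (Lines 18-21), then
        look the packet up by its signature and count the repeat."""
        self.buffer = {s: e for s, e in self.buffer.items() if e.expires_at > now}
        entry = self.buffer.get((pkt["seqID"], pkt["payload"]))
        if entry is None:
            return False
        entry.counter += 1
        return True


def demo():
    # Constructed topology: no trusted forward neighbour, so the source
    # must fall back to the right/left backward sets.
    node = SourceNode("s", dist_to_base=100.0,
                      neighbour_dist={"b": 25.0, "c": 25.0, "m": 25.0}, seed=1)
    node.M_tBr, node.M_tBl, node.M_tBm = {"b"}, {"c"}, {"m"}
    pkt = node.send(seq_id=7, payload=b"reading", pt=0.5, now=0.0)
    looped = node.seen_before(pkt, now=1.0)    # comes back inside δt = 4.0
    expired = node.seen_before(pkt, now=5.0)   # signature already removed
    return pkt["nexthop"], looped, expired


if __name__ == "__main__":
    print(demo())
```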

IV. CORRELATION PROCESS

The main objective of the correlation process is to produce a succinct overview of security-related activity on the network. This process consists of a collection of components that transform intrusion detection sensor alerts into intrusion reports. Because alerts can refer to different kinds of attacks at different levels of granularity, the correlation process cannot treat all alerts equally. Instead, it is necessary to provide a set of components that focus on different aspects of the overall correlation task.

a graphical representation of the integrated correlation process that we implemented. The first two tasks are performed on all alerts. In the initial phase, a normalization component translates every alert that is received into a standardized format that is understood by all correlation components. This is necessary because alerts from different sensors can be encoded in different formats.

Next, a preprocessing component augments the normalized alerts so that all required alert attributes (such as start-time, end-time, source, and target of the attack) are assigned meaningful values. The next four correlation components of our framework all operate on single, or closely related, events.

The fusion component is responsible for combining alerts that represent the independent detection of the same attack instance by different intrusion detection systems. The task of the verification component is to take a single alert and determine the success of the attack that corresponds to this alert. The idea is that alerts that correspond to failed attacks should be appropriately tagged and their influence on the correlation process should be decreased. The task of the thread reconstruction component is to combine a series of alerts that refer to attacks launched by a single attacker against a single target. The attack session reconstruction component associates network-based alerts with host-based alerts that are related to the same attack.

The next two components in our framework operate on alerts that involve a potentially large number of different hosts. The focus recognition component has the task of identifying hosts that are either the source or the target of a substantial number of attacks. This is used to identify denial-of-service (DoS) attacks or port scanning attempts. The multistep correlation component has the task of identifying common attack patterns such as island-hopping attacks. These patterns are composed of a sequence of individual attacks, which can occur at different points in the network.

The final components of the correlation process contextualize the alerts with respect to a specific target network. The impact analysis component determines the impact of the detected attacks on the operation of the network being monitored and on the assets that are targeted by the malicious activity. Based on this analysis, the prioritization component assigns an appropriate priority to every alert. This priority information is important for quickly discarding information that is irrelevant or of less importance to a particular site.

Alerts that are correlated by one component of our framework are used as input by the next component. However, it is not necessary that all alerts pass through the same components sequentially. Some components can operate in parallel, and it is even possible that alerts output by a sequence of components are fed back as input to a previous component of the process.
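As an added example (not the paper's implementation), the Python sketch below chains four of the components described above: normalization with preprocessing, fusion, thread reconstruction and focus recognition. The two raw alert layouts, all field names, the time windows and the threshold are assumptions, and the sample alerts are constructed; verification, session reconstruction, multistep correlation, impact analysis and prioritization are not covered.

```python
from collections import defaultdict
from dataclasses import dataclass, field, replace


@dataclass
class Alert:                      # the standardized format
    sensor: str
    name: str
    src: str
    dst: str
    start: float
    end: float
    sensors: set = field(default_factory=set)   # filled in by fusion


def normalize(raw):
    """Normalization + preprocessing: map each (hypothetical) sensor layout
    to Alert and make sure start/end/source/target all carry a value."""
    if raw["fmt"] == "nids":      # single timestamp: start == end
        return Alert(raw["sensor"], raw["sig"], raw["src_ip"], raw["dst_ip"],
                     raw["ts"], raw["ts"])
    if raw["fmt"] == "hids":      # target is the reporting host itself
        return Alert(raw["agent"], raw["rule"], raw.get("remote", "unknown"),
                     raw["host"], raw["begin"], raw["finish"])
    raise ValueError(f"unknown alert format: {raw['fmt']!r}")


def fuse(alerts, window=2.0):
    """Fusion: one alert per attack instance when different sensors report
    the same name/source/target within `window` seconds."""
    fused = []
    for a in sorted(alerts, key=lambda x: x.start):
        for f in fused:
            if ((f.name, f.src, f.dst) == (a.name, a.src, a.dst)
                    and a.sensor not in f.sensors
                    and a.start - f.start <= window):
                f.sensors.add(a.sensor)
                f.end = max(f.end, a.end)
                break
        else:
            fused.append(replace(a, sensors={a.sensor}))
    return fused


def reconstruct_threads(alerts, gap=60.0):
    """Thread reconstruction: series of alerts from one attacker against one
    target, each starting within `gap` seconds of the previous one's end."""
    threads, latest = [], {}
    for a in sorted(alerts, key=lambda x: x.start):
        thread = latest.get((a.src, a.dst))
        if thread is not None and a.start - thread[-1].end <= gap:
            thread.append(a)
        else:
            latest[(a.src, a.dst)] = thread = [a]
            threads.append(thread)
    return threads


def recognize_focus(alerts, threshold=3):
    """Focus recognition: hosts that attack many targets (scan-like) or are
    attacked from many sources (DoS-like)."""
    targets, sources = defaultdict(set), defaultdict(set)
    for a in alerts:
        targets[a.src].add(a.dst)
        sources[a.dst].add(a.src)
    one_to_many = {h for h, t in targets.items() if len(t) >= threshold}
    many_to_one = {h for h, s in sources.items() if len(s) >= threshold}
    return one_to_many, many_to_one


# Constructed sample alerts (documentation address ranges), not real sensor output.
SAMPLE_RAW = [
    {"fmt": "nids", "sensor": "nids-1", "sig": "web exploit attempt",
     "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10", "ts": 100.0},
    {"fmt": "nids", "sensor": "nids-2", "sig": "web exploit attempt",
     "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10", "ts": 100.8},
    {"fmt": "hids", "agent": "hids-web", "rule": "unexpected shell spawned",
     "remote": "203.0.113.5", "host": "10.0.0.10", "begin": 105.0, "finish": 106.0},
] + [
    {"fmt": "nids", "sensor": "nids-1", "sig": "port scan",
     "src_ip": "198.51.100.7", "dst_ip": f"10.0.0.{n}", "ts": 200.0 + n}
    for n in (11, 12, 13)
]


def correlate(raw_alerts):
    """Run the four stages in order; each stage consumes the previous output."""
    fused = fuse([normalize(r) for r in raw_alerts])
    return fused, reconstruct_threads(fused), recognize_focus(fused)
```

On the sample input, six raw alerts reduce to five fused alerts and four threads, and the scanning host is the only focus reported.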

ACARM-ng (Alert Correlation, Assessment and Reaction Module - next generation) is an open source IDS/IPS system. ACARM-ng is alert correlation software that can significantly facilitate the analysis of traffic in computer networks. It is responsible for the collection and correlation of alerts sent by network and host sensors, also referred to as NIDS and HIDS respectively. The correlation process aims to reduce the total number of messages that need to be viewed by a system administrator to as few as possible by merging similar events into groups representing logical pieces of malicious activity.

Architecture

ACARM-ng consists of 3 main elements: the correlation daemon, the WUI and (optionally) a database engine.

ACARM-ng's daemon has been designed from scratch as a framework solution. It provides core system functionalities, like logging, passing of alerts and correlated meta-alerts between system parts, error recovery, multi-threading, etc. The rest of the package consists of plug-ins, separated into the following classes:

• persistency (data abstraction)

• input (data gathering)

• filter (data correlation and modification)

• trigger (automatic reporting and reaction)

A built-in software watchdog provides up-to-date information on system status.

The WUI makes browsing of correlated data easy via graphical and tabular representation of gathered and correlated events. The system administrator can easily see what is going on at every moment of the system's lifetime.

Alert time series plot showing the number of incoming messages during given time period.

The alert's page showing a sample alert.

The WUI and the daemon interoperate through a database. The daemon stores gathered data along with the correlation results and its runtime configuration. The WUI is entitled to read and display this data.

Notice that even though a database engine is not required for running the daemon, it is strongly recommended in order to save data persistently. Declining to use a database makes it impossible to obtain system information via the WUI and leads to a loss of historical data when the system is restarted. Events that are no longer processed by the daemon are discarded as well.

V. CONCLUSION

Previous privacy schemes provide only limited features; we now provide solutions for this by considering memory, sensor networks, and QoS issues. We described a multi-component correlation process and a framework that performs the correlation analysis. The most complete set of components in the correlation process. Therefore, in this paper we proposed the first full network level privacy solution, which is composed of two new identity, route and location privacy algorithms and a data privacy mechanism. Our solutions provide additional trustworthiness and reliability at a modest cost of energy and memory.

REFERENCES

1. Xi, Y.; Schwiebert, L.; Shi, W. Preserving Source Location Privacy in Monitoring-Based Wireless Sensor Networks. In Proceedings of Parallel and Distributed Processing Symposium (IPDPS2006), Rhodes Island, Greece, 2006.

2. Habitat monitoring on Great Duck Island (Maine, USA), 2002. Available online: http://ucberkeley.citris-uc.org/research/projects/great duck island (accessed on 21 August, 2009).

3. Ozturk, C.; Zhang, Y.; Trappe, W. Source-Location Privacy in Energy-Constrained Sensor Network Routing. In Proceedings of the 2nd ACM workshop on Security of Ad hoc and Sensor Networks, Washington, DC, WA, USA, 2004; pp. 88–93.

4. Kamat, P.; Zhang, Y.; Trappe, W.; Ozturk, C. Enhancing Source-Location Privacy in Sensor Network Routing. In Proceedings of the 25th IEEE International conference on Distributed Computing Systems, Columbus, OH, USA, 2005; pp. 599–608.

5. A Comprehensive Approach to Intrusion Detection Alert Correlation. Fredrik Valeur, Giovanni Vigna, Member, IEEE, Christopher Kruegel, Member, IEEE, and Richard A. Kemmerer, Fellow, IEEE

6. Wood, A.D.; Fang, L.; Stankovic, J.A.; He, T. SIGF: A Family of Configurable, Secure Routing Protocols for Wireless Sensor Networks. In Proceedings of the 4th ACM Workshop on Security of Ad Hoc and Sensor Networks, Alexandria, VA, USA, 2006; pp. 35–48.


7. Ouyang, Y.; Le, Z.; Chen, G.; Ford, J.; Makedon, F. Entrapping Adversaries for Source Protection in Sensor Networks. In Proceedings of the 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM'06), Niagara-Falls, Buffalo, NY, USA, 2006; pp. 23–34.

8. Zorzi, M.; Rao, R.R. Geographic Random Forwarding (GeRaF) for Ad Hoc and Sensor Networks: Multihop Performance. IEEE Tran. Mob. Comput. 2003, 2, 337–348.

9. Zorzi, M.; Rao, R.R. Geographic Random Forwarding (GeRaF) for Ad Hoc and Sensor Networks: Energy and Latency Performance. IEEE Tran. Mob. Comput. 2003, 2, 349–365.

10. Capone, A.; Pizziniaco, L.; Filippini, I.; de la Fuente, M.G. SiFT: An Efficient Method

11. for Trajectory Based Forwarding. In Proceedings of International Symposium on Wireless Communication Systems, Siena, Italy, 2005; pp. 135–139.

12. Blum, B.; He, T.; Son, S.; Stankovic, J. IGF: A State-Free Robust Communication Protocol for Wireless Sensor Networks; Technical Report CS-2003-11; Department of Computer Science, University of Virginia, USA, 2003

13. RYU, J.; Kim, S.G.; Choi, H.H.; An, S.S.; Ahn, S.Y.; Kim, B.J. Method and System for Locating Sensor Node in Sensor Network Using Transmit Power Control. U.S. Patent Application: 2009/0128298 A1, 2009.

14. Barbeau, M.; Kranakis, E.; Krizanc, D.; Morin, P. Improving Distance Based Geographic Location Techniques in Sensor Networks. In Proceedings of 3rd International Conference on Ad Hoc Networks and Wireless, Vancouver, British Columbia, 2004; pp. 197–210

15. Achieving Network Level Privacy in Wireless Sensor Networks. Riaz Ahmed Shaikh, Hassan Jameel, Brian J. d'Auriol, Heejo Lee, Sungyoung Lee and Young-Jae Song. Karlof, C.; Sastry, N.; Wagner, D. TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. In Proceedings of the 2nd International Conference on Embedded Networked.

16. A Comprehensive Approach to Intrusion Detection Alert Correlation. Fredrik Valeur, Giovanni Vigna, Member, IEEE, Christopher Kruegel, Member, IEEE, and Richard A. Kemmerer, Fellow, IEEE TRANSACTIONS