Application of Case-Based Reasoning to Multi-Sensor Network Intrusion Detection

An intrusion detection system (IDS) is generally limited by having a single detection model and a single information source for detecting attacks. Multi-sensor (or meta) intrusion detection addresses this problem by combining results of multiple IDSs and providing global decisions. Nearly all current meta-IDSs are either statistics-based or logical rule-based and typically require substantial human involvement for setup. This paper reports two experiments that employ a case-based reasoning (CBR) approach, one using the wellknown 1998 DARPA datasets, which contain a variety of different types of attacks, and one using the 2000 DARPA datasets, which contain distributed denial of service (DDOS) attacks. A critical issue with meta-IDS is alert correlation: determining when alerts from the various sensors are generated by the same attack. The first experiment uses explicit alert correlation based on session information contained in the alerts. In addition, it avoids human involvement in setup by employing data mining techniques to generate the case library automatically from training data. The results show that the CBR approach is very effective in distinguishing false alerts from real attacks, and in many of the latter cases can correctly identify the type of attack. The second experiment applies CBR to achieve a kind of implicit alert correlation. Explicit correlation is not possible here, since DDOS attacks span multiple network sessions. Here again the approach has proven effective. For the second experiment the case library is derived directly from the training data without data mining techniques. Key-Words: Case-Based Reasoning, Data-Mining, Intrusion Detection, Alert Correlation