Abstract:
The number of computer users who persistently break into computer systems without permission is alarming worldwide. Accordingly, Intrusion Detection Systems (IDSs) are deployed as security measures to safeguard computer systems from intruders. Research shows that these precautionary measures greatly assist analysts in thwarting the impending dangers and potential damage that intrusions can cause to computers and their owners. Fundamentally, intrusion detectors capture and log the suspicious events they discover as alerts for analysts to investigate later. Nevertheless, these measures have faced strong criticism over the years for a number of reasons. For example, the security mechanism can generate a vast number of alerts, which can require enormous analyst effort to thwart potential intrusions effectively. Besides, users are unable to immediately establish the degree of uncertainty and impurity of the events in massive intrusion logs. Thus, the extent of disorderliness, worthlessness and inherent unreliability of the reported attacks is often underestimated. Users therefore believe that the presence of intrusion detectors within computer systems does not fully guarantee adequate safety. The credibility and continued use of intrusion detectors are therefore in doubt.
This thesis presents the Hybrid GINI-CLUSTER model to lessen the above challenges. We use the Snort IDS to sniff network trace files, and the resulting Snort alerts are the inputs to the model, which is implemented in the C++ programming language. The alerts are clustered using their attribute values. Thereafter, the model evaluates the uncertainty and impurity of each log using the combined measures of Gini Index and Entropy across several synthetic and realistic datasets.
The results suggest that both metrics are equivalent. Our findings suggest that the entropy of clusters of attacks can increase, especially when the attacks are analyzed on the basis of their timestamps and source addresses. The results further identify two categories of DDOS attacks: DDOS attacks such as LLDDOS-2.0.2 that repeatedly overload computer networks with disruptive packets, and another category, such as LLDDOS-1.0, that are not iterated against the target computer networks. Essentially, the uncertainty and impurity of intrusion logs vary from one intrusion log to another. The results affirm that both metrics are usually small for repetitious attacks. Hence, knowledge of repetitious attacks helps analysts to promptly design effective countermeasures and to establish the quality of intrusion logs.
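The following is an added illustration, not the thesis's own code, of the measurement the model performs: Snort-style alerts are clustered on one attribute value (here the source address), and the Gini index and Shannon entropy of the signature distribution inside each cluster are computed. The alert fields, signature names, addresses and timestamps are constructed for the example; the repetitious flood from one source yields zero impurity on both metrics, while the mixed cluster and the unclustered log yield higher values, which is the contrast the abstract describes.

```cpp
// Added example (not the thesis's own code): measuring the uncertainty and
// impurity of clustered IDS alerts with Gini index and Shannon entropy.
#include <cassert>
#include <cmath>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// One parsed Snort-style alert. Field names are assumptions for this example.
struct Alert {
    std::string timestamp;  // e.g. "03/10-14:02:11"
    std::string signature;  // e.g. "SYN flood"; the class label used for impurity
    std::string srcIp;
    std::string dstIp;
};

// Histogram of class labels (signature names) inside one cluster.
using Histogram = std::map<std::string, int>;

// Gini index: 1 - sum(p_i^2). Zero for a pure cluster, rises with mixing.
double giniIndex(const Histogram& h) {
    int total = 0;
    for (const auto& kv : h) total += kv.second;
    if (total == 0) return 0.0;
    double sumSq = 0.0;
    for (const auto& kv : h) {
        double p = static_cast<double>(kv.second) / total;
        sumSq += p * p;
    }
    return 1.0 - sumSq;
}

// Shannon entropy in bits: -sum(p_i log2 p_i). Zero for a pure cluster.
double entropy(const Histogram& h) {
    int total = 0;
    for (const auto& kv : h) total += kv.second;
    if (total == 0) return 0.0;
    double e = 0.0;
    for (const auto& kv : h) {
        double p = static_cast<double>(kv.second) / total;
        if (p > 0.0) e -= p * std::log2(p);
    }
    return e;
}

// Cluster alerts on one attribute value (source address) and build a
// signature histogram per cluster.
std::map<std::string, Histogram> clusterBySource(const std::vector<Alert>& alerts) {
    std::map<std::string, Histogram> clusters;
    for (const auto& a : alerts) clusters[a.srcIp][a.signature]++;
    return clusters;
}

// Histogram over the whole log (no clustering), for comparison.
Histogram wholeLog(const std::vector<Alert>& alerts) {
    Histogram h;
    for (const auto& a : alerts) h[a.signature]++;
    return h;
}

// Constructed sample log: one source repeating a flood signature (a
// repetitious attack) and another source triggering several different signatures.
std::vector<Alert> sampleAlerts() {
    return {
        {"03/10-14:02:11", "SYN flood", "10.0.0.5", "192.168.1.10"},
        {"03/10-14:02:12", "SYN flood", "10.0.0.5", "192.168.1.10"},
        {"03/10-14:02:13", "SYN flood", "10.0.0.5", "192.168.1.10"},
        {"03/10-14:02:14", "SYN flood", "10.0.0.5", "192.168.1.10"},
        {"03/10-14:05:01", "Port scan", "10.0.0.9", "192.168.1.10"},
        {"03/10-14:05:40", "Web attack", "10.0.0.9", "192.168.1.10"},
        {"03/10-14:06:02", "Port scan", "10.0.0.9", "192.168.1.10"},
        {"03/10-14:06:30", "Shellcode", "10.0.0.9", "192.168.1.10"},
    };
}

int main() {
    auto alerts = sampleAlerts();
    std::cout << "whole log: gini=" << giniIndex(wholeLog(alerts))
              << " entropy=" << entropy(wholeLog(alerts)) << "\n";
    for (const auto& kv : clusterBySource(alerts)) {
        std::cout << "src " << kv.first << ": gini=" << giniIndex(kv.second)
                  << " entropy=" << entropy(kv.second) << "\n";
    }
    return 0;
}
```

Clustering on a different attribute (for example the timestamp, bucketed per minute) only requires changing the key in `clusterBySource`; the two impurity measures are unchanged, which is what makes their agreement on a given log easy to check.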