Using Root Cause Analysis to Handle Intrusion Detection Alarms

Dissertation
submitted for the degree of Doctor of Natural Sciences
at the Fachbereich Informatik (Department of Computer Science)
of the Universität Dortmund
by
Klaus Julisch
Dortmund
2003

Date of the oral examination: 15 July 2003
Dean: Prof. Dr. Bernhard Steffen
Examiners: Prof. Dr. Joachim Biskup
Prof. Dr. Heiko Krumm
Abstract

Using Root Cause Analysis to Handle Intrusion Detection Alarms
Klaus Julisch
IBM Zurich Research Laboratory
Säumerstrasse 4
8803 Rüschlikon, Switzerland
e-mail: [email protected]
In response to attacks against enterprise networks, administrators are increasingly deploying intrusion detection systems. These systems monitor hosts, networks, and other resources for signs of security violations. Unfortunately, the use of intrusion detection has given rise to another difficult problem, namely the handling of a generally large number of mostly false alarms. This dissertation presents a novel paradigm for handling intrusion detection alarms more efficiently.

Central to this paradigm is the notion that each alarm occurs for a reason, which is referred to as the alarm's root cause. This dissertation observes that a few dozen root causes generally account for over 90% of the alarms in an alarm log. Moreover, these root causes are generally persistent, i.e. they keep triggering alarms until someone removes them. Based on these observations, we propose a new two-step paradigm for alarm handling: step one identifies root causes that account for large numbers of alarms, and step two removes these root causes and thereby reduces the future alarm load. Alternatively, alarms originating from benign root causes can be filtered out. To support the discovery of root causes, we propose a novel data mining technique, called alarm clustering.

To lay the foundation for alarm clustering, we show that many root causes manifest themselves in alarm groups that have certain structural properties. We formalize these structural properties and propose alarm clustering as a method for extracting alarm groups that have these properties. Such alarm groups are generally indicative of root causes. We therefore present them to a human expert who is responsible for identifying the underlying root causes. Once identified, the root causes can be removed (or false positives can be filtered out) so as to reduce the future alarm load. We experimentally validate the proposed two-step alarm handling paradigm with alarms from a variety of different operational environments. These experiments show that alarm clustering makes the identification of root causes very efficient. Moreover, the experiments demonstrate that by judiciously responding to root causes one can reduce the future alarm load by 70%, on average.
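The following script is an added illustration of the two-step paradigm described in the abstract; it is not code from the dissertation. It clusters a constructed alarm log by generalizing alarm attributes (source IP, destination IP, alarm type) along small hand-written hierarchies until groups of at least min_size alarms emerge, which is a deliberately simplified stand-in for the attribute-oriented generalization the thesis develops. It then measures how much of a constructed future alarm log a filter for one benign root cause (a monitoring host pinging servers) would remove. All IP addresses, alarm types and counts are constructed.

```python
"""Added illustration of alarm clustering and alarm-load reduction.

Not the dissertation's algorithm: a simplified attribute-generalization
clustering over a constructed alarm log, followed by filtering of one cluster
whose root cause an analyst has judged benign.
"""
from collections import Counter
import ipaddress

# Constructed alarm log: (source IP, destination IP, alarm type).
# A monitoring host pings five servers (5 x 15 alarms), two hosts probe a web
# server (12 + 10 alarms) and one host runs a small port scan (3 alarms).
ALARMS = (
    [("10.1.2.3", f"10.9.9.{i}", "ICMP echo request")
     for i in range(1, 6) for _ in range(15)]
    + [("192.168.5.7", "10.9.9.20", "HTTP cgi-bin access")] * 12
    + [("192.168.5.8", "10.9.9.20", "HTTP passwd access")] * 10
    + [("172.16.0.9", "10.9.9.30", "TCP SYN port scan")] * 3
)

MAX_LEVEL = 2  # every attribute has three levels: exact, coarse, "any"


def generalize_ip(ip, level):
    """Generalization hierarchy for IP addresses: host -> /24 network -> any."""
    if level == 0:
        return ip
    if level == 1:
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    return "ANY-IP"


def generalize_type(alarm_type, level):
    """Hierarchy for alarm types: exact signature -> protocol family -> any."""
    if level == 0:
        return alarm_type
    if level == 1:
        return alarm_type.split()[0] + "-*"
    return "ANY-TYPE"


GENERALIZERS = (generalize_ip, generalize_ip, generalize_type)


def generalize(alarm, levels):
    """Map a raw alarm to its generalized form under per-attribute levels."""
    return tuple(g(value, lvl) for g, value, lvl in zip(GENERALIZERS, alarm, levels))


def cluster_alarms(alarms, min_size):
    """Extract generalized alarms that each cover at least min_size raw alarms.

    Loop: group the remaining alarms by their generalized form, emit every
    group of size >= min_size as a cluster, then generalize the attribute with
    the most distinct values by one level and repeat. Returns the clusters as
    (generalized alarm, count, levels) plus the alarms no cluster absorbed.
    """
    remaining = list(alarms)
    levels = [0, 0, 0]
    clusters = []
    while remaining:
        counts = Counter(generalize(a, levels) for a in remaining)
        big = {key: n for key, n in counts.items() if n >= min_size}
        for key, n in sorted(big.items(), key=lambda kv: -kv[1]):
            clusters.append((key, n, tuple(levels)))
        remaining = [a for a in remaining if generalize(a, levels) not in big]
        candidates = [i for i in range(3) if levels[i] < MAX_LEVEL]
        if not remaining or not candidates:
            break
        # Generalize the attribute that still has the most distinct values.
        attr = max(candidates,
                   key=lambda i: len({generalize(a, levels)[i] for a in remaining}))
        levels[attr] += 1
    return clusters, remaining


def alarm_load_reduction(future_alarms, benign_clusters):
    """Step two: drop future alarms matching clusters the analyst marked benign.

    Returns (number of alarms filtered, fraction of the future load removed).
    """
    filtered = sum(
        1 for a in future_alarms
        if any(generalize(a, lv) == key for key, _, lv in benign_clusters)
    )
    fraction = filtered / len(future_alarms) if future_alarms else 0.0
    return filtered, fraction


if __name__ == "__main__":
    clusters, leftovers = cluster_alarms(ALARMS, min_size=20)
    for key, n, lv in clusters:
        print(f"{n:3d} alarms  {key}  levels={lv}")
    print(f"{len(leftovers)} alarms not covered by any cluster")
    # Suppose the analyst identifies the ping cluster as a monitoring host
    # (benign) and filters it; measure the effect on a constructed future log.
    benign = [c for c in clusters if c[0][2] == "ICMP echo request"]
    future = [("10.1.2.3", "10.9.9.4", "ICMP echo request")] * 60 + ALARMS[75:]
    print(alarm_load_reduction(future, benign))
```

With min_size=20 the run yields two clusters, one covering the 75 ping alarms once the destination has been generalized to its /24, and one covering the 22 web-server alarms once source and alarm type have been generalized; the three port-scan alarms remain uncovered, which is the kind of small residue an analyst would still inspect by hand. Filtering only the benign ping cluster removes 60 of the 85 constructed future alarms.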
Acknowledgments

This thesis work began under the guidance of Prof. Marc Dacier, who, at the time, was my manager at the IBM Zurich Research Laboratory. Prof. Dacier always gave me the feeling that my research was important and exciting, and he pushed me hard to get results early on. Moreover, I benefited greatly from his long experience in the field. For all that, I thank you, Marc.

As companies do not award academic titles, I had to register as a PhD student at a university. When I presented my fledgling research project to Prof. Joachim Biskup, he saw value in it, and agreed to supervise me. Prof. Biskup has a natural talent for asking all the difficult questions, and while he pushed me hard to make progress with these questions, he also showed considerable understanding for my somewhat special situation as an external PhD student. He was always prompt in answering my questions, and generously allocated time for discussions with me. Thanks to that, I could finish my thesis work before my contract at IBM expired. Thank you, Joachim, is the least I can say.

I also thank my colleagues at the IBM Zurich Research Laboratory, all of whom have contributed to this thesis in one way or another. In particular, I thank Andreas Wespi, my current manager, for giving me a lot of freedom to work on my thesis. Dominique Alessandri and James Riordan have been wonderful friends and a great help in administering the Linux server on which I ran my experiments. I am very grateful to Birgit Baum-Waidner for her excellent comments on an earlier draft of this document. Finally, I thank Larry Oliver and Alex Wood of IBM Managed Security Services Delivery (formerly Emergency Response Team). They supported me with their expertise, and shared real-world data with me, so that I could validate my thesis work.

Last but not least, I acknowledge the support from the European IST Project MAFTIA (IST-1999-11583), which is partially funded by the European Commission and the Swiss Department for Education and Science.
Contents

1 Introduction  1
1.1 Motivation  1
1.2 Thesis Statement and Contributions  2
1.3 Overview  3
1.4 Data Sets Used in the Experiments  6

2 Related Work  11
2.1 On the Difficulty of Intrusion Detection  11
2.2 Root Cause Analysis  14
2.3 Data Mining  17
2.4 Alarm Correlation  24

3 Using Data Mining for Root Cause Analysis  31
3.1 Root Causes and Root Cause Analysis  31
3.2 Conceptual Problem Description  34
3.3 Approximation of Alarm Groups  38
3.4 Testing the Alarm Cluster Hypothesis  44
3.5 Experience with Episode Rules  50

4 Alarm Clustering  53
4.1 Introduction to Cluster Analysis  53
4.2 A Framework for Alarm Clustering  64
4.3 Algorithm for Alarm Clustering  72
4.4 Discourse on Background Knowledge  81

5 Cluster Validation  85
5.1 The Validation Dilemma  85
5.2 Cluster Validation Background  86
5.3 Validation of Alarm Clusters  93

6 Validation of Thesis Statement  99
6.1 An Illustrative Example  99
6.2 Experience with Alarm Clustering  103
6.3 Alarm Load Reduction  109
6.4 On the Risks of Filtering  114

7 Summary and Outlook  117
7.1 Summary and Conclusions  117
7.2 Future Work  118

Bibliography  119
List of Figures

2.1 Fault propagation and alarm generation in networks.  16
2.2 A rough classification of data mining techniques.  19
2.3 Data mining process of building misuse detection systems.  23
2.4 Algorithm for deriving training data from historical alarms.  29
3.1 The genesis of root causes, or how root causes enter a system.  34
3.2 Entity relationship diagram of key concepts.  35
3.3 An attack tool being run against three targets.  52
4.1 The K-means algorithm.  57
4.2 A sample dendrogram and a partition it encodes.  58
4.3 Network, alarm log, and hierarchies of the running example.  67
4.4 Sample generalization hierarchies for time attributes.  71
4.5 Example of reducing CLIQUE to alarm clustering.  73
4.6 Pseudo-code for the classic AOI algorithm.  75
4.7 Pseudo-code for the modified AOI algorithm.  78
5.1 Example of valid clusters that have no intuitive interpretation.  87
5.2 A sample data set, two cluster structures, and their sub-clusters.  96
6.1 Histogram showing the frequencies of different run-times.  106
6.2 Average run-times by alarm log size.  106
6.3 Average number of generalized alarms per IDS.  108
6.4 Histogram showing the frequency of different degrees of coverage.  109
6.5 Alarm load reduction for IDS 3.  111
6.6 Alarm load reduction for IDS 6.  111
6.7 Alarm load reduction for IDS 10.  112
6.8 Alarm load reduction for IDS 14.  112
6.9 Average alarm load reduction per IDS.  115