AIDA Framework
A framework for the Analysis of Intrusion Detection Alerts.
About the AIDA Framework
AIDA is an analytical framework for processing intrusion detection alerts with a focus on alert correlation and predictive analytics. The framework contains components that filter, aggregate, and correlate the alerts, and predict future security events using the predictive rules distilled from historical records. The components are based on stream processing and use selected features of data mining (namely sequential rule mining) and complex event processing. The framework was designed to be deployed as an analytical component of an alert processing platform. Alternatively, it can be deployed locally for experimentations over datasets.
Framework features
Getting started
For a quick start, go to the provision directory and run Vagrant:
cd provision
vagrant up
AIDA framework will start in few minutes. Then, send your data to the framework using the following command (you need to have netcat installed):
nc localhost 4164 < path_to_file_with_your_data
If you do not have your own data, we recommend trying AIDA framework out with our dataset. Download and unzip the main file in the datase (dataset.idea.zip) and use it in the command above.
Run data mining
Trigger the data mining procedure (otherwise, it starts every 24 hours that you would have to wait):
sudo systemctl start mining
Check the logs of the data mining component:
sudo journalctl -u mining
Update rules
Open the database with the mined rules:
sqlite3 /var/aida/rules/rule.db
Check the rules in the database:
select * from rule;
Activate all the rules so that they are used by the rule matching component:
update rule set active=1;
Restart matching component to start matching activated rules:
sudo systemctl restart matching
Send some more data into AIDA, they will be matched against the rules to predict upcoming events:
nc localhost 4164 < path_to_file_with_your_data
Check outputs
Predicted rules are saved in the root directory of this repository in predictions.json
file.
You can also get the predictions directly from Kafka:
/opt/kafka/bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic predictions --from-beginning
How to cite
There is a design paper on the AIDA framework: AIDA Framework: Real-Time Correlation and Prediction of Intrusion Detection Alerts. We recommend citing the paper, bibliography entries are provided as follows.
Plain text
Martin Husák and Jaroslav Kašpar. 2019. "AIDA Framework: Real-Time Correlation and Prediction of Intrusion Detection Alerts". In Proceedings of the 14th International Conference on Availability, Reliability and Security (ARES '19). ACM, New York, NY, USA, Article 81, 8 pages. DOI: https://doi.org/10.1145/3339252.3340513
BibTex
@inproceedings{AIDAframework,
author = {Hus\'{a}k, Martin and Ka\v{s}par, Jaroslav},
title = {AIDA Framework: Real-Time Correlation and Prediction of Intrusion Detection Alerts},
booktitle = {Proceedings of the 14th International Conference on Availability, Reliability and Security},
series = {ARES '19},
year = {2019},
isbn = {978-1-4503-7164-3},
location = {Canterbury, CA, United Kingdom},
pages = {81:1--81:8},
doi = {10.1145/3339252.3340513},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {alert correlation, data mining, information sharing, intrusion detection, prediction}
}
Related publications
If you are interested in our work, you might be interested in our papers related to the topic:
Predictive methods in cyber defense: Current experience and research challenges
Dataset of intrusion detection alerts from a sharing platform
Survey of Attack Projection, Prediction, and Forecasting in Cyber Security
Towards Predicting Cyber Attacks Using Information Exchange and Data Mining
On the Sequential Pattern and Rule Mining in the Analysis of Cyber Security Alerts
Exchanging Security Events: Which And How Many Alerts Can We Aggregate?
A Graph-based Representation of Relations in Network Security Alert Sharing Platforms
Acknowledgement
The development of the framework and related research were supported by the Security Research Programme of the Czech Republic 2015 - 2020 (BV III / 1 VS) granted by the Ministry of the Interior of the Czech Republic under No. VI20162019029 The Sharing and analysis of security events in the Czech Republic.
Further research was supported by ERDF "CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence" (No.CZ.02.1.01/0.0/0.0/16_019/0000822).