Documentation

This page gives a short explanation of the Nariz system.
Nariz is a distributed alert correlation system that performs alarm correlation in two phases: local preprocessing and distributed postprocessing. Distributed correlation of alerts is a new technique that is well suited to high-speed networks, since it can be implemented on machines with lower computing power than centralized correlation would require. Every time an IDS reports an alert, Nariz obtains that alert and performs a local correlation using simple correlation rules. The correlation rules are based on the following variables from the IDS alert:
  • source IP address;
  • destination IP address;
  • destination port;
  • attack type/ class;
  • time;
  • date.
Besides those variables, three others are used. Two are the supposed source and destination network addresses, obtained by removing the last octet from the source and destination IP addresses. The third is called limiar, which determines an action to be executed, such as the distributed correlation or the sending of messages to the network administrator. Those actions are executed through comparisons between the value of limiar and fixed values in a file called limiar.conf. The limiar is a non-negative variable that is increased each time the alert currently being correlated satisfies a correlation rule of a previously stored alert. Every time the limiar is increased, its value is compared to two triggers: the TALK trigger and the PANIC trigger. The TALK trigger is responsible for the distributed correlation: when an alert's limiar value equals TALK, Nariz sends the alert to one or more other Nariz instances. When an alert's limiar value equals the PANIC trigger, an alert is sent to the Security Admin/Network Administrator.

The initial value of limiar is zero. This variable determines the degree of coincidence between alerts. Through it, individual correlators exchange messages to correlate intrusion alerts, and a message is sent to a human manager whenever the distributed system has collected enough information about an intrusion attempt. In this way the Nariz system reduces the number of messages sent to the human overseers while eliminating some of the false positives.

There are two kinds of correlation rules: a group of rules that removes repeated alerts, and a group of rules that concatenates alerts having at least one variable in common.
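As an added illustration (not code from the Nariz project), the following Python sketch implements the local phase described above: the two rule groups, the network supposition, and the limiar counter compared against the TALK and PANIC triggers on every increase. The trigger values, class and function names, and alert fields are assumptions standing in for what Nariz reads from limiar.conf and from its IDS feed.

```python
from dataclasses import dataclass

# Constructed stand-ins for the TALK/PANIC values Nariz reads from limiar.conf.
LIMIAR_CONF = {"TALK": 2, "PANIC": 3}
IDS_VARIABLES = ("src", "dst", "dport", "attack", "time", "date")


def network_of(ip: str) -> str:
    """Network supposition: drop the last octet of an IPv4 address."""
    return ip.rsplit(".", 1)[0] + ".0"


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    attack: str
    time: str
    date: str
    limiar: int = 0  # starts at zero, as the page states

    def values(self) -> dict:
        # The six IDS variables plus the two supposed network addresses.
        v = {name: getattr(self, name) for name in IDS_VARIABLES}
        v["src_net"], v["dst_net"] = network_of(self.src), network_of(self.dst)
        return v


class LocalNariz:
    def __init__(self, conf=LIMIAR_CONF):
        self.conf, self.db, self.actions = conf, [], []

    def correlate(self, alert: Alert) -> str:
        new = alert.values()
        # Rule group 1: an alert equal on every IDS variable is a repeat; discard it.
        if any(all(s.values()[n] == new[n] for n in IDS_VARIABLES) for s in self.db):
            return "REPEATED"
        # Rule group 2: concatenate with each stored alert sharing at least one variable.
        for stored in self.db:
            old = stored.values()
            if any(old[k] == new[k] for k in new):
                alert.limiar += 1
                self.check_triggers(alert)  # compared on every increase
        self.db.append(alert)
        return "STORED"

    def check_triggers(self, alert: Alert) -> None:
        if alert.limiar == self.conf["TALK"]:
            self.actions.append(("TALK", alert))   # hand the alert to other Nariz nodes
        elif alert.limiar == self.conf["PANIC"]:
            self.actions.append(("PANIC", alert))  # notify the security admin
```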

We now present two usage situations for Nariz. In the first, we present a geographically distributed correlation, with correlators in different countries. In the second, we present a distributed correlation architecture in a high-speed network with IDS sensors.

In the first situation we show three organizations in different countries, each with an IDS analysing its own traffic. On each IDS a Nariz is placed to correlate the alerts. Each Nariz correlates the alerts of its local IDS and, when the distributed correlation trigger is activated, sends the alert through the network to the other Nariz instances so that they correlate it as well. When a Nariz receives an alert that is not local, that alert can be given a greater limiar than a local one, to indicate that it is more severe than the local one. So alerts are correlated by distributing them through the network to each Nariz, and when an alert activates the PANIC trigger, an alert is sent to the Security Admin.


In the second situation we have an example of the Nariz system correlating the alerts of IDS sensors in a high-speed network. The traffic coming from the cloud, which could be the Internet, is split by a router/switch across the IDS sensors. Each IDS sensor is responsible for passively analysing the traffic. Again, in each IDS sensor a Nariz is placed to correlate its alerts. The dotted arrow represents the communication channel on which the Nariz instances perform the distributed correlation. This channel is used only for distributed correlation, so as not to compromise the traffic being analysed by the IDS sensors.

In this last picture, the mechanism of distributed correlation is shown in more detail. The router/switch in this picture could be the Internet, and the IDS sensors could also be simple IDSs, as explained in the first situation. In this picture we can see that Nariz gets the IDS sensors' alerts and correlates them with the alerts already stored in the Nariz alerts database.
