Academia.eduAcademia.edu

Outline

Title
Abstract
Figures
Introduction
Related Work
Focused Analysis
Clustering Analysis
Frequency Analysis
Link Analysis
Association Analysis
Tiaa: A Toolkit for Intrusion Alert Analysis
Experimental Results
Experiments with the Darpa 2000 Datasets
Discussion
Conclusions and Future Work
References
All Topics
Computer Science
Cybersecurity

Techniques and tools for analyzing intrusion alerts

Profile image of Yun CuiYun Cui

2004, ACM Transactions on Information and System Security

https://doi.org/10.1145/996943.996947
visibility

description

45 pages

link

1 file

Abstract

Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive attacks, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a sequence of techniques to address this issue. The first technique constructs attack scenarios by correlating alerts on the basis of prerequisites and consequences of attacks. Intuitively, the prerequisite of an attack is the necessary condition for the attack to be successful, while the consequence of an attack is the possible outcome of the attack. Based on the prerequisites and consequences of different types of attacks, the proposed method correlates alerts by (partially) matching the consequences of s...

Figures (20)
Fig. 2. A hyperalert correlation graph discovered in the 2000 DARPA intrusion detection evalua- tion datasets.
Fig. 2. A hyperalert correlation graph discovered in the 2000 DARPA intrusion detection evalua- tion datasets.
Fig. 4. An example abstraction hierarchy of hyperalert types.
Fig. 4. An example abstraction hierarchy of hyperalert types.
Fig.5. Visual representation of a uni-domain link analysis (note that edges are in different colors).
Fig.5. Visual representation of a uni-domain link analysis (note that edges are in different colors).
Fig. 7. A screen shot of TIAA.
Fig. 7. A screen shot of TIAA.
Fig. 8. The (only) hyperalert correlation graph discovered in the inside network traffic of LLDOS 1.0.
Fig. 8. The (only) hyperalert correlation graph discovered in the inside network traffic of LLDOS 1.0.
Table I. Completeness and Soundness of Alert Correlation
Table I. Completeness and Soundness of Alert Correlation
Table II. Ability to Differentiate True and False Alerts RS corresponds to the results directly obtained with RealSecure Network Sensor 6.5; Cor corresponds to results obtained after correlation.
Table II. Ability to Differentiate True and False Alerts RS corresponds to the results directly obtained with RealSecure Network Sensor 6.5; Cor corresponds to results obtained after correlation.
Table III. General Statistics of the Initial Analysis
Table III. General Statistics of the Initial Analysis
Table IV. Statistics of Top 10 Uncorrelated Hyperalert Types
Table IV. Statistics of Top 10 Uncorrelated Hyperalert Types
Fig. 9. A small hyperalert correlation graph discovered in initial analysis.
Fig. 9. A small hyperalert correlation graph discovered in initial analysis.
Fig. 10. The fully reduced graph for the largest hyperalert correlation graph.
Fig. 10. The fully reduced graph for the largest hyperalert correlation graph.
Fig.11. Sizes of the reduced graphs with respect to the interval threshold for the largest hyperalert correlation graph.
Fig.11. Sizes of the reduced graphs with respect to the interval threshold for the largest hyperalert correlation graph.
Fig. 12. The hyperalert correlation graph fully reduced with abstraction.
Fig. 12. The hyperalert correlation graph fully reduced with abstraction.
Fig. 13. A fully reduced hyperalert correlation graph resulting from focused analysis with Cr, : (DestIP = 010.020.001.010). This graph also appears in the result of graph decomposition with C,, (Cluster ID = 1; DestIP = 010.020.001.010.)
Fig. 13. A fully reduced hyperalert correlation graph resulting from focused analysis with Cr, : (DestIP = 010.020.001.010). This graph also appears in the result of graph decomposition with C,, (Cluster ID = 1; DestIP = 010.020.001.010.)
Fig. 14. A fully reduced hyperalert correlation graph resulting from focused analysis with Cy : (SrcIP = 010.020.011.251 ~ DestIP = 010.020.001.010). This graph also appears in the result of graph decomposition with C,g (ClusterID = 10; SrcIP = 010.020.011.251; DestIP = 010.020.001.010.)
Fig. 14. A fully reduced hyperalert correlation graph resulting from focused analysis with Cy : (SrcIP = 010.020.011.251 ~ DestIP = 010.020.001.010). This graph also appears in the result of graph decomposition with C,g (ClusterID = 10; SrcIP = 010.020.011.251; DestIP = 010.020.001.010.)
Table V. Partial Statistics of Decomposing the Largest Hyperalert Correlation Graph
Table V. Partial Statistics of Decomposing the Largest Hyperalert Correlation Graph
Table VI. Frequent Attribute Patterns in the Alerts of the Largest Correlation Graph
Table VI. Frequent Attribute Patterns in the Alerts of the Largest Correlation Graph
Fig. 15. Dual-domain link analysis for the alerts in the largest correlation graph.
Fig. 15. Dual-domain link analysis for the alerts in the largest correlation graph.

Related papers

Building attack scenarios through integration of complementary alert correlation methods
Robert St. Amant

2004

Several alert correlation methods were proposed in the past several years to construct high-level attack scenarios from low-level intrusion alerts reported by intrusion detection systems (IDSs). These correlation methods have different strengths and limitations; none of them clearly dominate the others. However, all of these methods depend heavily on the underlying IDSs, and perform poorly when the IDSs miss critical attacks. In order to improve the performance of intrusion alert correlation and reduce the impact of missed attacks, this paper presents a series of techniques to integrate two complementary types of alert correlation methods: (1) those based on the similarity between alert attributes, and (2) those based on prerequisites and consequences of attacks. In particular, this paper presents techniques to hypothesize and reason about attacks possibly missed by IDSs based on the indirect causal relationship between intrusion alerts and the constraints they must satisfy. This paper also discusses additional techniques to validate the hypothesized attacks through raw audit data and to consolidate the hypothesized attacks to generate concise attack scenarios. The experimental results in this paper demonstrate the potential of these techniques in building high-level attack scenarios and reasoning about possibly missed attacks.

View PDFchevron_right
A Survey of Intrusion Alert Correlation and Its Design Considerations
Selvakumar Manickam

Http Dx Doi Org 10 1080 02564602 2014 906864, 2014

In recent years, network intrusion attempts have been on the rise. Malicious attempts, including hacking, botnets, and worms are used to intrude and compromise the organization's networks affecting their confidentiality, integrity and availability of resources. In order to detect these malicious activities, intrusion detection systems (IDSs) have been widely deployed in corporate networks. IDS sends alerts to security personnel in case of anomalous activities in the network. Unfortunately, one of the IDSs' drawbacks is they produce a large number of false positives and non-relevant positives alerts that could overwhelm the security personnel. Existing efforts to address this are done via identification of the similarities and causality relationships between alerts, grouping them into different clusters and prioritizing them after conducting the assessment on them. In this paper, we present commonly used alert correlation approaches and highlight the advantages and disadvantages from various perspectives. Existing alert correlation models are critically reviewed and compared in this paper. Subsequently, we emphasize four main considerations in alert correlation design which are: attack scenario either single packet or multi-stage attack, its architecture either centralized or distributed, performance assessment on accuracy of alert detection, and its processing time and the data to be used for testing.

View PDFchevron_right
Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach
Zeinab Zali

ISC Int. J. Inf. Secur., 2012

Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in practice. To provide a picture of the current intrusive activity on the network, we need a real-time alert correlation. Most causal methods can be deployed offline but not in real-time due to time and memory limitations. In the proposed method, the knowledge base of the attack patterns is represented in a graph model called the Causal Relations Graph. In the offline mode, we construct Queue trees related to alerts' probable correlations. In the real-time mode, for each received alert, we can find its correlations with previously received alerts by performing a search only in the correspond...

View PDFchevron_right
Improving the Quality of Alerts with Correlation in Intrusion Detection
Abdellatif mezrioui

2007

With the growing deployment of networks and the Internet, the importance of network security has increased. Recently, however, systems that detect intrusions, which are important in security countermeasures, have been unable to provide proper analysis or an effective defense mechanism. Instead, they have overwhelmed human operators with a large volume of intrusion detection alerts. In this paper, we present an alert correlation technique based on causal relationships between alerts. The goal of the proposed technique is not only to group alerts together, but also to represent the correlated alerts in a way that they reflect the corresponding attack scenarios.

View PDFchevron_right
An Intrusion Alert Correlator Based on Prerequisites of Int rusions
masoud narimani

2002

Current intrusion detection systems (IDSs) usually focus on detecting low-level attacks and/or anomalies; none of them can capture the logical steps or attack strategies behind these attacks. Consequently, the IDSs usually generate a large amount of alerts. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and take appropriate actions. This paper presents the development of an off-line intrusion alert correlator based on prerequisites of intrusions, which is our first step to address the aforementioned problem. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful. For example, the existence of a vulnerable service is the prerequisite of a remote buffer overflow attack against the service. Based on the prerequisite and the consequence of each type of attacks, our intrusion alert correlator correlates the alerts by matching the consequence of some previous alerts and the prerequisite of some later ones. As a result, our intrusion alert correlator is able to correlate related alerts and uncover the attack strategies behind sequences of attacks. As an application based on relational database management system (RDBMS), the intrusion alert correlator takes advantage of the functionalities of RDBMS and can be easily integrated with other RDBMS-based intrusion analysis tools (e.g., ISS's RealSecure). Our experiments with the DARPA 2000 intrusion detection evaluation datasets have demonstrated the great potential of our approach in reducing false alerts and discovering high-level attack strategies.

View PDFchevron_right
A Review of Intrusion Alerts Correlation Frameworks
Peter Kemei

International Journal of Computer Applications Technology and Research, 2016

The advancement of modern computers, networks and internet has led to the widespread adoption and application of Information Communication Technology in modern organizations. As a result, large amount of information is generated, processed and distributed through digital devices. On the other side, digital crimes have increased in number and sophistication and they compromise the organization's critical information infrastructure affecting the confidentiality, integrity and availability of its information resources. In order to detect these malicious activities, organizations deploys multiple Network Intrusion Detection Systems (NIDSs) in their corporate networks. They generate huge amount of low quality alerts and in different formats when an attack has already taken place. Thus Alert and event correlation is required to preprocess, analyze and correlate the alerts produced by one or more network intrusion detection systems and events generated from different systems and security tools to provide a more succinct and high-level view of occurring or attempted intrusions. This work will review current alert correlation systems in terms of approaches and propose design consideration for an efficient alert correlation technique. We conclude by highlighting the opportunity to include attack prediction component in a real time multiple sensors environment.

View PDFchevron_right
A logic-based model to support alert correlation in intrusion detection
Hervé Debar

Information Fusion, 2009

Managing and supervising security in large networks has become a challenging task, as new threats and flaws are being discovered on a daily basis. This requires an in depth and up-to-date knowledge of the context in which security-related events occur. Several tools have been proposed to support security operators in this task, each of which focuses on some specific aspects of the monitoring. Many alarm fusion and correlation approaches have also been investigated. However, most of these approaches suffer from two major drawbacks. First, they only take advantage of the information found in alerts, which is not sufficient to achieve the goals of alert correlation, that is to say to reduce the overall amount of alerts, while enhancing their semantics. Second, these techniques have been designed on an ad hoc basis and lack a shared data model that would allow them to reason about events in a cooperative way. In this paper, we propose a federative data model for security systems to query and assert knowledge about security incidents and the context in which they occur. This model constitutes a consistent and formal ground to represent information that is required to reason about complementary evidences, in order to confirm or invalidate alerts raised by intrusion detection systems.

View PDFchevron_right
A Rule-Based Intrusion Alert Correlation System for Integrated Security Management
HyungHyo Lee

Lecture Notes in Computer Science, 2004

As traditional host-and network-based IDSs are to detect a single intrusion based on log data or packet information respectively, they inherently generate a huge number of false alerts due to lack of information on interrelated alarms. In order to reduce the number of false alarms and then detect a real intrusion, a new alert analyzing system is needed. In this paper, we propose a rule-based alert correlation system to reduce the number of false alerts, correlate them, and decide which alerts are parts of the real attack. Our alert correlation system consists of an alert manager, an alert preprocessor, an alert correlator. An alert manager takes charge of storing filtered alerts into our alert database. An alert preprocessor reduces stored alerts to facilitate further correlation analysis. An alert correlator reports global attack plans.

View PDFchevron_right
Identification of correlated network intrusion alerts
Mirco Marchetti

Attacks to information systems are becoming more sophisticated and traditional algorithms supporting Network Intrusion Detection Systems may be ineffective or cause too many false alarms. This paper describes a new algorithm for the correlation of alerts generated by Network Intrusion Detection Systems. It is specifically oriented to face multistep attacks where multiple intrusion activities belonging to the same attack scenario are performed within a small time window. This algorithm takes as its input the security alerts generated by a NIDS and, through a pseudo-bayesian alert correlation, is able to identify those that are likely to belong to the same multistep attack scenario. The proposed approach is completely unsupervised and applicable to security alerts generated by any kind of NIDS.

View PDFchevron_right
A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs
seyed javad Ahmadinejad

Computer Networks, 2011

Managing and analyzing a huge number of low-level alerts is very difficult and exhausting for network administrators. Alert correlation methods have been proposed to decrease the number of alerts and make them more intelligible. Proposed methods for alert correlation are different in terms of their performance, accuracy and adaptivity. We present a new hybrid model not only to correlate alerts

View PDFchevron_right

References (40)

  1. AGRAWAL, R., IMIELINSKI, T., AND SWAMI, A. N. 1993. Mining association rules between sets of items in large databases. In Proceedings of the 1993 International Conference on Management of Data. 207-216.
  2. ANDERSON, J. P. 1980. Computer security threat monitoring and surveillance. Tech. rep., James P. Anderson Co., Fort Washington, PA.
  3. AT&T RESEARCH LABS. GraphViz-Open Source Graph Layout and Drawing Software. Available at http://www.research.att.com/sw/tools/graphviz/.
  4. BACE, R. 2000. Intrusion Detection. Macmillan Technology Publishing.
  5. CUI, Y. 2002. A Toolkit for Intrusion Alerts Correlation Based on Prerequisites and Consequences of Attacks. M.S. thesis, North Carolina State University. Available at http://www.lib.ncsu.edu/ theses/available/etd-12052002-193803/.
  6. CUPPENS, F. 2001. Managing alerts in a multi-intrusion detection environment. In Proceedings of the 17th Annual Computer Security Applications Conference.
  7. CUPPENS, F. AND MIEGE, A. 2002. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy.
  8. CUPPENS, F. AND ORTALO, R. 2000. LAMBDA: A language to model a database for detection of attacks. In Proceedings of the Recent Advances in Intrusion Detection (RAID 2000). 197-216.
  9. CURRY, D. AND DEBAR, H. 2001. Intrusion detection message exchange format data model and extensible markup language (XML) document type definition. Internet Draft, draft-ietf-idwg- idmef-xml-03.txt.
  10. DAIN, O. AND CUNNINGHAM, R. 2001. Fusing a heterogeneous alert stream into scenarios. In Pro- ceedings of the 2001 ACM Workshop on Data Mining for Security Applications. 1-13.
  11. DEBAR, H. AND WESPI, A. 2001. Aggregation and correlation of intrusion-detection alerts. In Recent Advances in Intrusion Detection. Lecture Notes in Computer Science, vol. 2212. 85-103.
  12. DEFCON. 2000. DEFCON Capture the Flag (CTF) contest. Available at http://www.defcon. org/html/defcon-8-post.html. Archive accessible at http://wi2600.org/mediawhore/mirrors/ shmoo/.
  13. ECKMANN, S., VIGNA, G., AND KEMMERER, R. 2002. STATL: An attack language for state-based intrusion detection. J. Comput. Secur. 10, 1/2, 71-104.
  14. GARDNER, R. AND HARLE, D. 1998. Pattern discovery and specification translation for alarm cor- relation. In Proceedings of Network Operations and Management Symposium (NOMS '98). 713- 722.
  15. GRUSCHKE, B. 1998. Integrated event management: Event correlation using dependency graphs. In Proceedings of the 9th IFIP/IEEE International Workshop on Distributed Systems: Operations & Management.
  16. ILGUN, K., KEMMERER, R. A., AND PORRAS, P. A. 1995. State transition analysis: A rule-based intru- sion detection approach. IEEE Trans. Softw. Eng. 21, 3, 181-199.
  17. INTERNET SECURITY SYSTEMS. RealSecure intrusion detection system. Available at http://www. iss.net. JAVITS, H. AND VALDES, A. 1993. The NIDES Statistical Component: Description and Justification. Tech. rep., SRI International, Computer Science Laboratory.
  18. JHA, S., SHEYNER, O., AND WING, J. 2002. Two formal analyses of attack graphs. In Proceedings of the 15th Computer Security Foundation Workshop.
  19. JULISCH, K. 2001. Mining alarm clusters to improve alarm handling efficiency. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC). 12-21.
  20. KUMAR, S. 1995. Classification and Detection of Computer Intrusions. Ph.D. thesis, Purdue Uni- versity.
  21. KUMAR, S. AND SPAFFORD, E. H. 1994. A pattern matching model for misuse intrusion detection. In Proceedings of the 17th National Computer Security Conference. 11-21.
  22. LIN, J., WANG, X. S., AND JAJODIA, S. 1998. Abstraction-based misuse detection: High-level spec- ifications and adaptable strategies. In Proceedings of the 11th Computer Security Foundations Workshop, Rockport, MA. 190-201.
  23. MANGANARIS, S., CHRISTENSEN, M., ZERKLE, D., AND HERMIZ, K. 2000. A data mining analysis of RTID alarms. Comput. Netw. 34, 571-577.
  24. • P. Ning et al.
  25. MIT LINCOLN LAB. 2000. 2000 DARPA Intrusion Detection Scenario-Specific Datasets. Available at http://www.ll.mit.edu/IST/ideval/data/2000/2000 data index.html.
  26. MORIN, B., MÉ, L., DEBAR, H., AND DUCASSÉ, M. 2002. M2D2: A formal data model for IDS alert correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002). 115-137.
  27. MUKHERJEE, B., HEBERLEIN, L. T., AND LEVITT, K. N. 1994. Network intrusion detection. IEEE Netw. 8, 3 (May), 26-41.
  28. NING, P., CUI, Y., AND REEVES, D. S. 2002a. Analyzing intensive intrusion alerts via correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland. 74-94.
  29. NING, P., CUI, Y., AND REEVES, D. S. 2002b. Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the Ninth ACM Conference on Computer and Communications Security, Washington, DC. 245-254.
  30. NING, P., JAJODIA, S., AND WANG, X. S. 2001. Abstraction-based intrusion detection in distributed environments. ACM Trans. Inf. Syst. Secur. 4, 4 (Nov.), 407-452.
  31. PORRAS, P., FONG, M., AND VALDES, A. 2002. A mission-impact-based approach to INFOSEC alarm correlation. In Proceedings of the Fifth International Symposium on Recent Advances in Intrusion Detection (RAID 2002). 95-114.
  32. RICCIULLI, L. AND SHACHAM, N. 1997. Modeling correlated alarms in network management sys- tems. In Western Simulation Multiconference.
  33. RITCHEY, R. AND AMMANN, P. 2000. Using model checking to analyze network vulnerabilities. In Proceedings of IEEE Symposium on Security and Privacy. 156-165.
  34. SHEYNER, O., HAINES, J., JHA, S., LIPPMANN, R., AND WING, J. 2002. Automated generation and analysis of attack graphs. In Proceedings of IEEE Symposium on Security and Privacy.
  35. STANIFORD, S., HOAGLAND, J., AND MCALERNEY, J. 2002. Practical automated detection of stealthy portscans. J. Comput. Secur. 10, 1/2, 105-136.
  36. STANIFORD-CHEN, S., CHEUNG, S., CRAWFORD, R., DILGER, M., FRANK, J., HOAGLAND, J., LEVITT, K., WEE, C., YIP, R., AND ZERKLE, D. 1996. GrIDS-A graph based intrusion detection system for large networks. In Proceedings of the 19th National Information Systems Security Conference, Vol. 1. 361-370.
  37. TEMPLETON, S. AND LEVITT, K. 2000. A requires/provides model for computer attacks. In Proceed- ings of New Security Paradigms Workshop. ACM Press, 31-38.
  38. VALDES, A. AND SKINNER, K. 2001. Probabilistic alert correlation. In Proceedings of the Fourth International Symposium on Recent Advances in Intrusion Detection (RAID 2001). 54-68.
  39. VIGNA, G. AND KEMMERER, R. A. 1999. NetSTAT: A network-based intrusion detection system. J. Comput. Secur. 7, 1, 37-71.
  40. XERCES2 JAVA PARSER. Available at http://xml.apache.org/xerces2-j/index.html. Received July 2003; revised March 2004; accepted March 2004

Related papers

Correlating alerts using prerequisites of intrusions
Douglas Reeves

2001

Intrusion detection has been studied for about twenty years since the Anderson's report. However, intrusion detection techniques are still far from perfect. Current intrusion detection systems (IDSs) usually generate a large amount of false alerts and cannot fully detect novel attacks or variations of known attacks. In addition, all the existing IDSs focus on low-level attacks or anomalies; none of them can capture the logical steps or strategies behind these attacks. Consequently, the IDSs usually generate a large amount of alerts. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and take appropriate actions. This paper presents a novel approach to address these issues. The proposed technique is based on the observation that most intrusions are not isolated but related as different stages of attack sequences, with the early stages preparing for the later ones. In other words, there are often logical steps or strategies behind series of attacks. The proposed approach correlates alerts using prerequisites of intrusions. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful. For example, the existence of a vulnerable service is the prerequisite of a remote buffer overflow attack against the service. The proposed approach identifies the prerequisite (e.g., existence of vulnerable services) and the consequence of each type of attacks, and correlates the corresponding alerts by matching the consequence of some previous alerts and the prerequisite of some later ones. The proposed approach has several advantages. First, it provides a high-level representation of the correlated alerts, and thus reveals the structure of series of attacks. Second, it can reduce the impact of false alerts by only keeping correlated alerts. Third, it can potentially be applied to predict attacks in progress, and allows the intrusion response systems to take appropriate actions to stop the ongoing attacks. Our preliminary experiments have demonstrated the potential of the proposed approach in reducing false alerts and uncovering high-level attack strategies.

View PDFchevron_right
Constructing attack scenarios through correlation of intrusion alerts
Douglas Reeves

Proceedings of the 9th ACM conference on Computer and communications security - CCS '02, 2002

ABSTRACT Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be ...

View PDFchevron_right
Modeling network intrusion detection alerts for correlation
Mark Heckman

ACM Transactions on Information and System Security, 2007

Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability . We use capability to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator....

View PDFchevron_right
An Improved Framework for Intrusion Alert Correlation
Huwaida Elshoush

2012

Alert correlation analyzes the alerts from one or more collaborative Intrusion Detection Systems (IDSs) to produce a concise overview of security-related activity on the network. The process consists of multiple components, each responsible for a different aspect of the overall correlation goal. The sequence order of the correlation components affects the correlation process performance. The total time needed for the whole process depends on the number of processed alerts in each component. This paper proposes a new correlation framework based on a model that reduces the number of processed alerts as early as possible by discarding the irrelevant and false alerts in the first phases. A new component is added to deal with the unrelated alerts. A modified algorithm for fusing the alerts is also proposed. The intruders’ intention is grouped into attack scenarios and thus used to detect future attacks. The contribution of this paper includes an enhanced new framework for alert correlati...

View PDFchevron_right
Network Intrusion Alert Correlation Challenges and Techniques
Maheyzah Siraj

Many organizations implement Intrusion Detection Systems (IDS) as the first line of defense for their security systems. Up to now, the researchers have developed IDS in many computer environments. Having detected the signs of intrusions, IDS trigger alerts to report them. These alerts are presented to human analyst to be evaluated and initiates adequate responses. But, manually analyzing those alerts are tedious, time-consuming and error-prone. The reasons for this: the number of alerts is enormous, and (2) most of them are false alerts. A promising method to automate the alert analysis is finding the correlation between alerts, and such system is known as Alert Correlation System (ACS). One of the major applications of alert correlation (AC) is attack diagnosis. Interestingly, researchers have different kind of views to define the concept of AC. Furthermore, a various types of techniques have been proposed in AC: to reduce the false alerts, and (2) to find causality relationship be...

View PDFchevron_right

Related topics

  • Information Systems
  • Computer Science
  • Security Management
  • Interaction Analysis
  • Intrusion Detection System
  • Alert correlation

    • Cited by

    Algebra for Capability Based Attack Correlation
    Navneet Kumar Pandey

    2008

    Most of the existing intrusion detection systems (IDS) often generate large numbers of alerts which contain numerous false positives and non relevant positives. Alert correlation techniques aim to aggregate and combine the outputs of single/multiple IDS to provide a concise and broad view of the security state of network. Capability based alert correlator uses notion of capability to correlate IDS alerts where capability is the abstract view of attack extracted from IDS alerts/alert. To make correlation process semantically correct and systematic, there is a strong need to identify the algebraic and set properties of capability. In this work, we identify the potential algebraic properties of capability in terms of operations, relations and inferences. These properties give better insight to understand the logical association between capabilities which will be helpful in making the system modular. This paper also presents variant of correlation algorithm by using these algebraic properties. To make these operations more realistic, existing capability model has been empowered by adding time-based notion which helps to avoid temporal ambiguity between capability instances. The comparison between basic model and proposed model is exhibited by demonstrating cases in which false positives have been removed that occurred due to temporal ambiguity.

    View PDFchevron_right
    Incident prioritisation using analytic hierarchy process (AHP): Risk Index Model (RIM)
    MARIA PAPADAKI

    Security and Communication Networks, 2012

    The landscape of security threats continues to evolve, with attacks becoming more serious and the number of vulnerabilities rising. For these threats to be managed, many security studies have been undertaken in recent years, mainly focusing on improving detection, prevention and response efficiency. This paper proposes an incident prioritisation model, the Risk Index Model (RIM), which is based on risk assessment and the analytic hierarchy process. For incidents to be prioritised, the model uses indicators, such as criticality, as decision factors to calculate incidents' risk index. The model also adopts different strategies to enhance the prioritisation process. To evaluate the model, two stages of evaluation study were conducted. The first stage aims to validate the model by comparing its results with the Common Vulnerability Scoring System and Snort. The second stage aims to enhance RIM by analysing the effect of using different strategies in the model. The experimental results in the first stage have shown that 100% of incidents could be rated with RIM, compared with only 17.23% with the Common Vulnerability Scoring System. The experiments in the second stage have shown significant changes in the resultant risk index as well as some of the top-priority incidents.

    View PDFchevron_right
    A Correlation Approach to Intrusion Detection
    Massimo Ficco

    Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2010

    In this paper we discuss the limitations of current Intrusion Detection System technology, and propose a hierarchical event correlation approach to overcome such limitations. The proposed solution allows to detect attack scenarios by collecting diverse information at several architectural levels, using distributed security probes, which is then used to perform complex event correlation of intrusion symptoms. The escalation process from intrusion symptoms to the identified target and cause of the intrusion is driven by an ontology.

    View PDFchevron_right
    Cyber-Attack Prediction Based on Network Intrusion Detection Systems for Alert Correlation Techniques: A Survey
    Sameer Kamarudeen, Azath Ali

    Sensors, 2022

    Network Intrusion Detection Systems (NIDS) are designed to safeguard the security needs of enterprise networks against cyber-attacks. However, NIDS networks suffer from several limitations, such as generating a high volume of low-quality alerts. Moreover, 99% of the alerts produced by NIDSs are false positives. As well, the prediction of future actions of an attacker is one of the most important goals here. The study has reviewed the state-of-the-art cyber-attack prediction based on NIDS Intrusion Alert, its models, and limitations. The taxonomy of intrusion alert correlation (AC) is introduced, which includes similarity-based, statistical-based, knowledge-based, and hybrid-based approaches. Moreover, the classification of alert correlation components was also introduced. Alert Correlation Datasets and future research directions are highlighted. The AC receives raw alerts to identify the association between different alerts, linking each alert to its related contextual information a...

    View PDFchevron_right
    SBAD: Sequence Based Attack Detection via Sequence Comparison
    Ching-Hao Mao

    Lecture Notes in Computer Science, 2011

    Given a stream of time-stamped events, like alerts in a network monitoring setting, how can we isolate a sequence of alerts that form a network attack? We propose a Sequence Based Attack Detection (SBAD) method, which makes the following contributions: (a) it automatically identifies groups of alerts that are frequent; (b) it summarizes them into a suspicious sequence of activity, representing them with graph structures; and (c) it suggests a novel graph-based dissimilarity measure. As a whole, SBAD is able to group suspicious alerts, visualize them, and spot anomalies at the sequence level. The evaluations from three datasets-two benchmark datasets (DARPA 1999, PKDD 2007) and a private dataset Acer 2007 gathered from a Security Operation Center in Taiwan-support our approach. The method performs well even without the help of the IP and payload information. No need for privacy information as the input makes the method easy to plug into existing system such as an intrusion detector. To talk about efficiency, the proposed method can deal with large-scale problems, such as processing 300K alerts within 20 mins on a regular PC.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved