LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

Chunlei Fu,Qichang Duan,Li Fu,Hong Xiang,Zhongyang Xiong,Haibo Hu

2011-01-01

Abstract:Intrusion detection is not new in the area of information security. It is crucial for the intrusion alerts management system to correlate the collected intrusion alerts to reflect the causal relationships between the attack steps and construct the attack scenarios. Most of these systems, however, have been built on the relational database logging the intrusion alerts. The relational database has been proven to be a very useful model and applied in the wide area. But their persisting limitation lies in the flat structure which is not capable of representing the complex relations. An ontology is an explicit specification of a conceptualization using an agreed vocabulary. In this paper, ontology is put into use and a learning framework is presented which depicts how the intrusion alerts ontology can be learned and further enriched exploiting both the database schema and the stored data. Moreover, we introduce the vulnerabilities database to refine the ontology hierarchy and the restriction of classes and apply the ontology design pattern to represent the sequence of a series of events. The whole transitioning process is implemented in OBNAMS, an intrusion alerts management system constructed on the learned ontology automating the consisted steps.

Shuai Chunyan,Jiang Jianhui,Ouyang Xin,Chen Linbo,Yang Yang

2012-01-01

Abstract:At present most intrusion detection systems ignored the logic relationships between attacks,so it leads to high false positive rate.In this paper multi-attribute of attack behaviors are analyzed and attacks are classified into different classes. A related attack knowledge database is built. The paper creates attack association rules and absent attack inference rules, and applies an alert hierarchical associate algorithm to correlate alerts based on the causative relationships between attacks. Experiments are conducted to verify the correctness and effectiveness of the proposed algorithm.

YU Xiao-di,HU Liang,XIE Nan-nan

DOI: https://doi.org/10.7694/jdxblxb20130525

2013-01-01

Abstract:According to the researches of traditional network intrusion detection,we proposed a multi-step intrusion alert collaborative model based on data mining,by which the alert information of several intrusion detection systems can be integrated so as to find the inner contacts by analysing the massive,disordered alert information,the attack alert can be simplified,and the multi-step intrusion in the integrated alert information can be found through the constantly updated knowledge database.Comparison of the model with the existing model shows that the correlation analysis method of this model and the build of the multi-step intrusion knowledge base really do help to the combination of the characteristics of different systems so as to realize multi-step intrusion alert collaborative researches.

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Yun Xiao,Chongzhao Han

2006-01-01

Abstract:Traditional intrusion detection systems (IDSs) focus on low-level attacks and anomalies, and raise alerts independently, though there may be logical connections between them. In this paper, a method of correlating intrusion alerts into attack scenarios based on the improved evolving self-organizing map (IESOM) was proposed. IESOM gives a rational formula to calculate the initial values of connection strengths instead of assigning some experiential or tentative constants as connection strength values in ESOM. IESOM is an evolving extension of the self-organizing map (SOM) model, which allows for an evolvable network structure and very fast incremental learning. System of correlating intrusion alerts into attack scenarios based on IESOM has four functions of filtering, aggregation, condensing and combination, and the visual attack scenarios are given as the output of the system. The results on LLS DDOS1.0 and real-word dataset B prove that our method is useful and effective.

Weiwu Ren,Liang Hu,Kuo Zhao,Bing Jia

DOI: https://doi.org/10.4028/www.scientific.net/amr.694-697.2466

2013-01-01

Advanced Materials Research

Abstract:Semantic modeling has become indispensable to integrate various specific security issues of Internet of Things. How to describe attack scenarios and how to define an intrusion unambiguously has been an urgent problem. For solving two above problems, a new three-level information security ontology model is proposed, which is an initial attempt to solve security issues by means of ontology technology. Five top classes are proposed in the domain ontology level. Then their subclasses are also proposed on the basis of actual scenarios in the local ontology level. Our intelligent laboratory, as experiment scenarios, is partly instantiated.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

Donghai Tian,Hu Changzhen,Yang Qi,Wang Jianqiao

DOI: https://doi.org/10.1109/IAS.2009.26

2009-01-01

Abstract:Alert correlation is a promising technique in intrusion detection. It takes the alerts produced by intrusion detection systems and produces compact reports which provide a more succinct and high-level view of occurring or attempted intrusions and highly improve security expert’s work efficiency. Traditional alert correlation system adopts a centralized architecture which can be easily over flooded by the raw alarms. To address this issue, a distributed alert correlation model based on hierarchical architecture is proposed. This model greatly improves the performance of alert correlation through integrating three novel methods. The experiments show effectiveness of this alert correlation model on 2000 DARPA intrusion detection scenario specific datasets.

Yijie WANG,Li CHENG,Xingkong MA

DOI: https://doi.org/10.11887/j.cn.201705021

2017-01-01

Abstract:The rapid development of the Internet also causes more and more network threats.How to detect the network threats in a real-time and accurate manner becomes one of the key technique issues.The alert-correlation-based network threat detection technique is becoming the research hotspot,which couples with the widely used security products and fully exploits the relation between abnormal events to reconstruct the attack scenario.Starting from the features of network threats and security environment,the requirements and classification of network threat detection were introduced.Then the basic concepts and system model of alert-correlation-based network threat detection technique were illustrated in detail.The key module of the model,alert correlation method,and the fundamentals and features of different kinds of typical algorithm were studied in detail,including causal-relation-based method,case-based method,similarity-based method and data-mining-based method.Furthermore,three kinds of representative detection system architectures were discussed with practical instances,namely centralized architecture,hierarchical architecture and distributed architecture.Finally,based on the analysis of recent research work,the future work is discussed and outlined.

Dandan Wu,Jie Chen,Ruiyun Xie,Ke Chen

DOI: https://doi.org/10.1631/fitee.2300662

IF: 2.526

2024-10-01

Frontiers of Information Technology & Electronic Engineering

Abstract:The construction of an integrated solution for cyberspace defense with dynamic, flexible, and intelligent features is a new idea. To solve the problem whereby traditional static protection methods cannot respond to various network attacks or security demands in an adversarial network environment in time, and to form a complete integrated solution from "threat discovery" to "decision-making generation," we propose an ontology-based security model, OntoCSD, for an integrated solution of cyberspace defense that uses Web ontology language (OWL) to represent the ontology classes and relationships of threat monitoring, decision-making, response, and defense in cyberspace, and uses semantic Web rule language (SWRL) to design the defensive reasoning rules. OntoCSD can discover potential relationships among network attacks, vulnerabilities, the security state, and defense strategies. Further, an artificial intelligence (AI) expert system based on case-based reasoning (CBR) is used to quickly generate a detailed and comprehensive decision-making scheme. Finally, through Kendall's coefficient of concordance ( W ) and four experimental cases in a typical computer network defense (CND) system, which reasons on represented facts and the ontology, OntoCSD's consistency and its feasibility to solve the issues in the field of cyberspace defense are validated. OntoCSD supports automatic association and reasoning, and provides an integrated solution framework of cyberspace defense.

engineering, electrical & electronic,computer science, information systems, software engineering

Jin-ze PEI,Hua-ping HU,Chen-lin HUANG

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.03.033

2006-01-01

Abstract:Conventional network security protection is facing a great challenge of coordinated and distributed attack,so distributed intrusion detection technology is required.Fusing multi-kinds of IDS alerts can effectively improve warning veracity.Based on annotation to alert correlation definition renewedly,the paper designed and implemented layered correlation model with real-time response mechanism.The model is much adaptive,each layer of which can do its work independently.At last,the function of fusing alert information is implemented,which can resolve problems of management of alerts,false negative and false positive better and can warn according to attack intention identified.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

SHI Liang,WANG Beizhan,YAO Junfeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.14.048

2006-01-01

Abstract:This paper presents an alerts association analysis technology based on intrusion intention in order to overcome the problems exited in today's alerts association analysis technologies.This method not only inherits the merits of the alerts association analysis technology based on intrusion strategy such as foreseeable,but also improves the adaptability of the intrusion strategy model.Furthermore,it gives the“skipping step”analysis mechanism and its improvement on the comprehension ability of the intrusion detection system.

ZHANG Hong-bing,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.09.059

2007-01-01

Abstract:As the problem of network security is getting worse, more and more IDSs have been used for networK protection However, so many security administrators are overwhelmed by thousands of alerts generated by IDSs everyday. Therefore, it has become a key development for IDS to automatically correlate these alerts and thus reduce their numbers. In this paper, a novel method is proposed, which is based on description logics and is used to define the attacks. This method takes attack scenarios as carriers to match the in-succession alerts and sets of abilities as bridges to construct attack scenarios. By this way, the inherent logic relations between different alerts can be displayed clearly and thus the basis for realization of the alert correlation and merge-sort is provided.

Yu-Xin Ding

DOI: https://doi.org/10.1109/icmlc.2007.4370714

2007-01-01

Abstract:Traditional intrusion detection systems only focus on low-level attacks, and only generate isolated alerts. But in practice an attack is made up of a sequence of logical scenarios. As a result, it is difficult for human to understand alerts and take appropriate actions. This paper presents a practical technique to address this issue. The paper proposes a rule-based hierarchical model to construct attack scenarios, and use expert system (CLIPS) as the engine to detect scenarios. In this paper a concrete design method is discussed and applied to analyze snort alerts. the proposed approach can detect attack scenarios in real time, the rules only describe the properties of attacks in a high level and avoid to describe the concrete network or host information, this guarantee the generality of this method, we adopt the known general expert system as the detection engine, so the implementation become very easy.

QIU Weicheng,CHEN Xiuzhen,MA Yinghua,MA Jin,ZHOU Zhihong

DOI: https://doi.org/10.11959/j.issn.2096-109x.2023052

2023-01-01

Abstract:Threat analysis relies on knowledge bases that contain a large number of security entities.The scope and impact of security threats and risks are evaluated by modeling threat sources, attack capabilities, attack motivations, and threat paths, taking into consideration the vulnerability of assets in the system and the security measures implemented.However, the lack of entity relations between these knowledge bases hinders the security event tracking and attack path generation.To complement entity relations between CAPEC and ATT＆amp;CK techniques and enrich threat paths, an entity correlation prediction method called WGS was proposed, in which entity descriptions were analyzed based on word embedding and a graph convolution network.A Word2Vec model was trained in the proposed method for security domain to extract domain-specific semantic features and a GCN model to capture the co-occurrence between words and sentences in entity descriptions.The relationship between entities was predicted by a Siamese network that combines these two features.The inclusion of external semantic information helped address the few-shot learning problem caused by limited entity relations in the existing knowledge base.Additionally, dynamic negative sampling and regularization was applied in model training.Experiments conducted on CAPEC and ATT＆amp;CK database provided by MITRE demonstrate that WGS effectively separates related entity pairs from irrelevant ones in the sample space and accurately predicts new entity relations.The proposed method achieves higher prediction accuracy in few-shot learning and requires shorter training time and less computing resources compared to the Bert-based text similarity prediction models.It proves that word embedding and graph convolutional network based entity relation prediction method can extract new entity correlation relationships between attack patterns and techniques.This helps to abstract attack techniques and tactics from low-level vulnerabilities and weaknesses in security threat analysis.

Huangjie Zheng,Yuchen Wang,Chen Han,Fangjie Le,Ruan He,Jialiang Lu

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00180

2018-01-01

Abstract:In cyber security, the ontology is invented to provide vocabulary in a generalized machine-processable language for downstream works such as attack detection. Meanwhile, machine learning (ML) as a promising intelligent field, is widely investigated to achieve the automation of these tasks. Existing ML-based methods suffer from confines of specific data and preprocessing, while applying ontology with machine learning methods is still rarely discussed. In this paper, 1) we propose a novel approach for automatic attack detection by generating ontology with deep learning through neural network embeddings; 2) we validate the learned ontology by comparing it with a manual ontology built by security expert, the results demonstrates that the latent representation learned with neural networks could serve as a novel ontology format so as to provide a generalized machine-processable language for downstream works, which is the intention of the ontology; 3) finally, we develop a platform to achieve the entire intelligent ontology learning and utilization for cyber attack detection. Our experimental results shows that our proposed ontology is promising to collaborate with machine learning based methods in order to improve the intelligent intrusion detection for cyber security.

Taqwa Ahmed Alhaj,Maheyzah Md Siraj,Anazida Zainal,Inshirah Idris,Anjum Nazir,Fatin Elhaj,Tasneem Darwish

DOI: https://doi.org/10.48550/arXiv.2110.08662

2021-10-17

Abstract:A Network Intrusion Detection System (NIDS) is a network security technology for detecting intruder attacks. However, it produces a great amount of low-level alerts which makes the analysis difficult, especially to construct the attack scenarios. Attack scenario construction (ASC) via Alert Correlation (AC) is important to reveal the strategy of attack in terms of steps and stages that need to be launched to make the attack successful. In most of the existing works, alerts are correlated by classifying the alerts based on the cause-effect relationship. However, the drawback of these works is the identification of false and incomplete correlations due to the infiltration of raw alerts. To address this problem, this work proposes an effective ASC model to discover the complete relationship among alerts. The model is successfully experimented using two types of datasets, which are DARPA 2000, and ISCX2012. The Completeness and Soundness of the proposed model are measured to evaluate the overall correlation effectiveness.

Cryptography and Security