DUAN Hai-xin,YU Xue-li,WANG Lan-jia

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.032

2005-01-01

Abstract:The alert flood of current IDSes often overwhelms the security administrators,which largely decreases the effectiveness of IDS.The correlation of original alerts plays an important role in distributed IDS,which can draw out the effective attacks from a large number of alerts,and analyze the real intension of attackers.In this paper,the merits and defects of typical correlation algorithms are analyzed.An algorithm of alert correlation based on address correlation graph(ACG) is proposed here.The algorithm can be used to analyze the original alerts with ACG model,which can get the intrusion path of attackers through the relation and steps of different attacks,and then analyze the intension of attackers.The algorithm is easy to be implemented because it does not depend on a predefined base of correlation knowledge or a forehand training of correlation model.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

GUO Shan-qing,YANG Xue-lin,ZENG Ying-pei,XIE Li,GAO Cong

2005-01-01

Abstract:security devices(e.g.firewalls,IDS's,anti-virus tools etc) that have been widely adopted in enterprise environments may generate huge amounts of independent,raw attack alerts,which are characterized by high false positive ratio and false negative ratio.As a result,it is difficult for users to understand these alerts and respond correspondingly.Therefore,handling the huge number of alerts produced by security devices is becoming a critical and challenging task in network security research.A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario.A general survey of the contemporary alerts correlation algorithms was given in this paper by a straight forward classification paradigm,and some problems for future research were addressed.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0804.1281

2008-04-08

Cryptography and Security

Abstract:Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.

Seyed Ali Mirheidari,Sajjad Arshad,Rasool Jalili

DOI: https://doi.org/10.1007/978-3-319-03584-0_14

2018-11-02

Abstract:Alert correlation is a system which receives alerts from heterogeneous Intrusion Detection Systems and reduces false alerts, detects high level patterns of attacks, increases the meaning of occurred incidents, predicts the future states of attacks, and detects root cause of attacks. To reach these goals, many algorithms have been introduced in the world with many advantages and disadvantages. In this paper, we are trying to present a comprehensive survey on already proposed alert correlation algorithms. The approach of this survey is mainly focused on algorithms in correlation engines which can work in enterprise and practical networks. Having this aim in mind, many features related to accuracy, functionality, and computation power are introduced and all algorithm categories are assessed with these features. The result of this survey shows that each category of algorithms has its own strengths and an ideal correlation frameworks should be carried the strength feature of each category.

Cryptography and Security

Geng-hong LU,Dong-qin FENG

DOI: https://doi.org/10.13195/j.kzyjc.2016.0551

2017-01-01

Abstract:The attacks against the industrial control network have different types and various attack intensity. Under this circumstance, the traditional detection techniques cannot identify the multiple types of attacks effectively, and can not assess the security situations of the industrial control network comprehensively and accurately. Therefore, the industrial control network security situation awareness model is proposed. Firstly, the rule extraction can be done by applying the improved C-SVC algorithm to the multi-sensor data. Then with the application of decision fusion algorithm, the decision-level fusion is completed and the results of situation awareness are procured. The simulation experiment results show that the proposed model and algorithms can distinguish multiple types of attacks effectively, identify the attacks that are launched against the industrial control system accurately, and generate the results of situation awareness.

Steffen Haas,Florian Wilkens,Mathias Fischer

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958734

2020-03-12

Abstract:An Intrusion Detection System (IDS) to secure computer networks reports indicators for an attack as alerts. However, every attack can result in a multitude of IDS alerts that need to be correlated to see the full picture of the attack. In this paper, we present a correlation approach that transforms clusters of alerts into a graph structure on which we compute signatures of network motifs to characterize these clusters. A motif representation of attack characteristics is magnitudes smaller than the original alert data, but still allows to efficiently compare and correlate attacks with each other and with reference signatures. This allows not only to identify known attack scenarios, e.g., DDoS, scan, and worm attacks, but also to derive new reference signatures for unknown scenarios. Our results indicate a reliable identification of scenarios, even when attacks differ in size and at least slightly in their characteristics. Applied on real-world alert data, our approach can classify and assign attack scenarios of up to 96% of all attacks and can represent their characteristics using 1% of the size of the full alert data.

Cryptography and Security,Networking and Internet Architecture

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.1007/978-3-540-89862-7_16

2008-01-01

SSRN Electronic Journal

Abstract:The premise of automated alert correlation is to accept that false alerts from a low level intrusion detection system are inevitable and use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified in to two broad categories namely scenario-graph approaches, which create an attack model starting from a vulnerability assessment and type-graph approaches which rely on an abstract model of the relations between attack types. Some research in to improving the efficiency of type-graph correlation has been carried out but this research has ignored the hypothesizing of missing alerts. Our work is to present a novel type-graph algorithm which unifies correlation and hypothesizing in to a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to other techniques.

Jianwei Zhuge,Xinhui Han,Yu Chen,Zhiyuan Ye,Wei Zou

DOI: https://doi.org/10.1109/IAW.2006.1652098

2006-01-01

Abstract:Honeynet Data Analysis has become a core requirement of honeynet technology. However, current honeynet data analysis mechanisms are still unable to provide security analysts enough capacities of comprehend the captured data quickly, in particular, there is no work done on behavior level correlation analysis.Towards providing high level attack scenario graphs, in this paper, we propose a honeynet data correlation analysis model and method. Based on a network attack and defense knowledge base and network environment perceiving mechanism, our proposed honeynet data correlation analysis method can recognize the attackcr\s plan from a large volume of captured data and consequently reconstruct attack scenarios. Two proof-of-concept experiments on Scan of the Month 27 dataset and in-the-wild botnet scenarios are presented to show the effectiveness of our method.

Guang Kou,Shuo Wang,Guangming Tang

DOI: https://doi.org/10.1049/cje.2018.10.007

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:This paper analyzed the existing network security situation evaluation methods and discovered that they cannot accurately reflect the features of large-scale, synergetic, multi-stage gradually shown by network attack behaviors. For this purpose, the association between attack intention and network configuration information was deep analyzed. Then a network security situation evaluation method based on attack intention recognition was proposed. Unlike traditional method, the evaluation method was based on intruder. This method firstly made causal analysis of attack event and discovered and simplified intrusion path to recognize every attack phases, then realized situation evaluation based on the attack phases. Lastly attack intention was recognized and next attack phase was forecasted based on achieved attack phases, combined with vulnerability and network connectivity. A simulation experiments for the proposed network security situation evaluation model is performed by network examples. The experimental results show that this method is more accurate on reflecting the truth of attack. And the method does not need training on the historical sequence, so the method is more effective on situation forecasting.

engineering, electrical & electronic

Hashim Albasheer,Maheyzah Md Siraj,Azath Mubarakali,Omer Elsier Tayfour,Sayeed Salih,Mosab Hamdan,Suleman Khan,Anazida Zainal,Sameer Kamarudeen

DOI: https://doi.org/10.3390/s22041494

IF: 3.9

2022-02-15

Sensors

Abstract:Network Intrusion Detection Systems (NIDS) are designed to safeguard the security needs of enterprise networks against cyber-attacks. However, NIDS networks suffer from several limitations, such as generating a high volume of low-quality alerts. Moreover, 99% of the alerts produced by NIDSs are false positives. As well, the prediction of future actions of an attacker is one of the most important goals here. The study has reviewed the state-of-the-art cyber-attack prediction based on NIDS Intrusion Alert, its models, and limitations. The taxonomy of intrusion alert correlation (AC) is introduced, which includes similarity-based, statistical-based, knowledge-based, and hybrid-based approaches. Moreover, the classification of alert correlation components was also introduced. Alert Correlation Datasets and future research directions are highlighted. The AC receives raw alerts to identify the association between different alerts, linking each alert to its related contextual information and predicting a forthcoming alert/attack. It provides a timely, concise, and high-level view of the network security situation. This review can serve as a benchmark for researchers and industries for Network Intrusion Detection Systems’ future progress and development.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jingwen Li,Jianyi Liu,Ru Zhang

DOI: https://doi.org/10.3390/electronics13061106

IF: 2.9

2024-03-18

Electronics

Abstract:In recent years, advanced persistent threat (APT) attacks have become a significant network security threat due to their concealment and persistence. Correlation analysis of APT groups is vital for understanding the global network security landscape and accurately attributing threats. Current studies on threat attribution rely on experts or advanced technology to identify evidence linking attack incidents to known APT groups. However, there is a lack of research focused on automatically discovering potential correlations between APT groups. This paper proposes a method using attack behavior patterns and rough set theory to quantify APT group relevance. It extracts two types of features from threat intelligence: APT attack objects and behavior features. To address the issues of inconsistency and limitations in threat intelligence, this method uses rough set theory to model APT group behavior and designs a link prediction method to infer correlations among APT groups. Experimental results on publicly available APT analysis reports show a correlation precision of 90.90%. The similarity coefficient accurately reflects the correlation strength, validating the method's efficacy and accuracy.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wenbo Wang,Peng Yi,Junfang Jiang,Peng Zhang,Xiang Chen

DOI: https://doi.org/10.1016/j.cose.2023.103533

IF: 5.105

2023-10-09

Computers & Security

Abstract:In recent years, the growing threat of cyber attacks has made more researchers focus on the study of alert correlation and attack prediction. While numerous solutions have been proposed, the existing works still have some shortcomings. Without aggregation, previous approaches directly put the excessive and duplicate alerts into models, ignoring the internal logic between adjacent payloads, which we believe is a significant clue to distinguish different types of attacks. In this paper, we propose a similarity based aggregation algorithm to correlate and aggregate alerts, then train a Transformer based model to handle input with variable length and complete the attack prediction. Additionally, a threat estimation method as well as its practical application has been proposed to assess the predicted output. Experimental results demonstrate that our proposed framework has the capability to effectively aggregate alerts, predict different attack intelligence in good mode as well as assess how much threat the administrator would face in the near future.

computer science, information systems

Jingmin Zhou

2008-01-01

Abstract:Despite years of research and development efforts, intrusion detection is still facing significant challenges. A particular intriguing problem is that existing network intrusion detection systems report an excessive number of alerts, of which few are "interesting" from the point of view of security officers. Moreover, these alerts do not provide adequate details about the intrusions that can assist security officers to efficiently assess the security risks. In this dissertation, we propose methods to reduce the number of alerts and improve their quality. In our approach, we first identify and extract additional information from the intrusion alerts such as the result of an attack. Using this information, we are able to quickly filter out a majority of alerts that are generally not helpful in intrusion analysis. We also create a systematic approach to consistently and unambiguously model the extracted information, in particular the relations between different alerts. We demonstrate the scalability of this model by applying it to almost one thousand different network intrusion detection signatures. Using the model, we successfully construct high-level description of multi-stage intrusion strategies from low-level alerts, as well as compute the possible variations of multi-stage intrusions from a single intrusion instance. This not only reduces the number of total alerts, but also improves the alert quality. We conducted experiments with several real-world intrusion detection datasets, and the results showed the effectiveness of our approach.

Xiang Cheng,Jiale Zhang,Bing Chen

DOI: https://doi.org/10.3390/s19184045

IF: 3.9

2019-01-01

Sensors

Abstract:With the emergence of the Advanced Persistent Threat (APT) attacks, many Internet of Things (IoT) systems have faced large numbers of potential threats with the characteristics of concealment, permeability, and pertinence. However, existing methods and technologies cannot provide comprehensive and prompt recognition of latent APT attack activities in the IoT systems. To address this problem, we propose an APT Alerts and Logs Correlation Method, named APTALCM and a framework of deploying APTALCM on the IoT system, where an edge computing architecture was used to achieve cyber situation comprehension without too much data transmission cost. Specifically, we firstly present a cyber situation ontology for modeling the concepts and properties to formalize APT attack activities in the IoT systems. Then, we introduce a cyber situation instance similarity measurement method based on the SimRank mechanism for APT alerts and logs Correlation. Combining with instance similarity, we further propose an APT alert instances correlation method to reconstruct APT attack scenarios and an APT log instances correlation method to detect log instance communities. Through the coalescence of these methods, APTALCM can accomplish the cyber situation comprehension effectively by recognizing the APT attack intentions in the IoT systems. The exhaustive experimental results demonstrate that the two kernel modules, i.e., Alert Instance Correlation Module (AICM) and Log Instance Correlation Module (LICM) in our APTALCM, can achieve both high true-positive rate and low false-positive rate.

Xinling Guo,Yangming Zheng,Zhe-Ming Lu,Jialin Cui,Hao Luo

DOI: https://doi.org/10.24507/ijicic.20.04.979

2024-01-01

Abstract:Network centrality metrics based on heuristics which work as a guideline onremoving vertices is a vital topic for the research of network robustness. In this paper,we analyze the correlation and difference between 12 popular centrality metrics amongthree distinct network models, including the correlation analysis and granularity anal-ysis. We also concern about the destructiveness of these centrality metrics when theyare used as attack strategies. The results show that most of the centrality metrics arehighly correlated with each other across three network models. The granularity analysison centrality metrics is also considered in this paper. The experiment results also ver-ify the previous conclusion that scale free networks are more vulnerable to intentionalattack than other networks. We observe that more correlated centrality metrics wouldcause more similar damage to network connectivity; at the meantime, we also find thatthe attack strategies based on few centrality metrics could destroy networks very quickly.All these results inspire us that there is a paradigm that could detect the attack strategywith strong destructiveness for distinct networks by combining the highly correlated andhighly destructive metrics