Wen Ying,Hu Wei,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.08.047

2006-01-01

Abstract:Intrusion detection is an important measure to safeguard the network security.Due to the fact that current ID systems have too many alerts and lack of inter-cooperation,the paper presents an alerts process system model based on alert fusion and correlation.The model has the advantage of low redundant alert number and high intrusion detection performance.In addition,it can help anticipate the real intention of attackers￡?thus greatly improve the system's efficiency as well as further enhance the robustness of the network.

GUO Shan-qing,YANG Xue-lin,ZENG Ying-pei,XIE Li,GAO Cong

2005-01-01

Abstract:security devices(e.g.firewalls,IDS's,anti-virus tools etc) that have been widely adopted in enterprise environments may generate huge amounts of independent,raw attack alerts,which are characterized by high false positive ratio and false negative ratio.As a result,it is difficult for users to understand these alerts and respond correspondingly.Therefore,handling the huge number of alerts produced by security devices is becoming a critical and challenging task in network security research.A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario.A general survey of the contemporary alerts correlation algorithms was given in this paper by a straight forward classification paradigm,and some problems for future research were addressed.

Ping Yi,Hongkai Xing,Yue Wu,Linchun Li

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

Tianning Zang,Xiao-chun Yun,Yongzheng Zhang

DOI: https://doi.org/10.1109/waim.2008.104

2008-01-01

Abstract:Security incident have been imposing tremendous threats on todaypsilas network information system. To protect this information system from the increasing threat of intrusion, various kinds of detection systems and sensors for security incident have been developed. The main disadvantages of current systems and sensors are a high false detection rate and the lack of post-incident decision support capability. To minimize these drawbacks, various alert fusion technologies have been proposed in the recent years. This paper presents a general summary of these technologies. Basic models and key technologies of alert fusion are analyzed and discussed. Moreover, important aggregation and correlation algorithms are discussed. Finally, we make concluding remarks by predicting the development tendencies of alert correlation technologies.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

DUAN Hai-xin,YU Xue-li,WANG Lan-jia

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.032

2005-01-01

Abstract:The alert flood of current IDSes often overwhelms the security administrators,which largely decreases the effectiveness of IDS.The correlation of original alerts plays an important role in distributed IDS,which can draw out the effective attacks from a large number of alerts,and analyze the real intension of attackers.In this paper,the merits and defects of typical correlation algorithms are analyzed.An algorithm of alert correlation based on address correlation graph(ACG) is proposed here.The algorithm can be used to analyze the original alerts with ACG model,which can get the intrusion path of attackers through the relation and steps of different attacks,and then analyze the intension of attackers.The algorithm is easy to be implemented because it does not depend on a predefined base of correlation knowledge or a forehand training of correlation model.

Seyed Ali Mirheidari,Sajjad Arshad,Rasool Jalili

DOI: https://doi.org/10.1007/978-3-319-03584-0_14

2018-11-02

Abstract:Alert correlation is a system which receives alerts from heterogeneous Intrusion Detection Systems and reduces false alerts, detects high level patterns of attacks, increases the meaning of occurred incidents, predicts the future states of attacks, and detects root cause of attacks. To reach these goals, many algorithms have been introduced in the world with many advantages and disadvantages. In this paper, we are trying to present a comprehensive survey on already proposed alert correlation algorithms. The approach of this survey is mainly focused on algorithms in correlation engines which can work in enterprise and practical networks. Having this aim in mind, many features related to accuracy, functionality, and computation power are introduced and all algorithm categories are assessed with these features. The result of this survey shows that each category of algorithms has its own strengths and an ideal correlation frameworks should be carried the strength feature of each category.

Cryptography and Security

Jia-chun LI,Zhi-tang Li

2004-01-01

Abstract:In order to reduce duplicated or incomplete or imperfect alerts in distributed intrusion detection systems and false alert rate, so as to solve alert correlation mixing prerequisites and consequences of intrusions with characteristic similarity of intrusions, a hierarchical correlation algorithm is presented in this paper. Based on the detect time similarity, alert correlation analysis is divided into two class: probabilistic correlation and consequence correlation. Adjustable increment Bayesian classifier and real-time correlation algorithm based on prerequisites and consequences of intrusions are given. As a result, alert correlation mixing multi-character is implemented and the alert correlation rate is improved. 2000 DARPA LLDOS1.0 from MIT Lincoln Lab is used to evaluate the hierarchical correlation algorithm, and the experiment results show the efficiency of the algorithm.

唐婵娜,范磊

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.06.031

2009-01-01

Abstract:A successful network attack is usually composed of different attacks in different stages, with the early ones preparing for the later ones.In the method of causal correlating, intrusion alerts are correlated by using prerequisites and consequences of the corresponding attacks so as to reconstruct attack scenarios.In this paper, confidence measurement is introduced as an attribute of correlation between alerts, thus to analyze the reliability of causal correlation and reduce the false correlations.The desired results have been obtained in the experiment using the standard data set DARPA.

ZHANG Hong-bing,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.09.059

2007-01-01

Abstract:As the problem of network security is getting worse, more and more IDSs have been used for networK protection However, so many security administrators are overwhelmed by thousands of alerts generated by IDSs everyday. Therefore, it has become a key development for IDS to automatically correlate these alerts and thus reduce their numbers. In this paper, a novel method is proposed, which is based on description logics and is used to define the attacks. This method takes attack scenarios as carriers to match the in-succession alerts and sets of abilities as bridges to construct attack scenarios. By this way, the inherent logic relations between different alerts can be displayed clearly and thus the basis for realization of the alert correlation and merge-sort is provided.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

Yi Ping,Xing Hongkai,Wu Yue,Cai Jiwen

DOI: https://doi.org/10.1109/cmc.2009.327

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

Hashim Albasheer,Maheyzah Md Siraj,Azath Mubarakali,Omer Elsier Tayfour,Sayeed Salih,Mosab Hamdan,Suleman Khan,Anazida Zainal,Sameer Kamarudeen

DOI: https://doi.org/10.3390/s22041494

IF: 3.9

2022-02-15

Sensors

Abstract:Network Intrusion Detection Systems (NIDS) are designed to safeguard the security needs of enterprise networks against cyber-attacks. However, NIDS networks suffer from several limitations, such as generating a high volume of low-quality alerts. Moreover, 99% of the alerts produced by NIDSs are false positives. As well, the prediction of future actions of an attacker is one of the most important goals here. The study has reviewed the state-of-the-art cyber-attack prediction based on NIDS Intrusion Alert, its models, and limitations. The taxonomy of intrusion alert correlation (AC) is introduced, which includes similarity-based, statistical-based, knowledge-based, and hybrid-based approaches. Moreover, the classification of alert correlation components was also introduced. Alert Correlation Datasets and future research directions are highlighted. The AC receives raw alerts to identify the association between different alerts, linking each alert to its related contextual information and predicting a forthcoming alert/attack. It provides a timely, concise, and high-level view of the network security situation. This review can serve as a benchmark for researchers and industries for Network Intrusion Detection Systems’ future progress and development.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

LIU Mi-xia,ZHANG Qiu-yu,ZOU Xiao,YU Dong-mei

DOI: https://doi.org/10.13229/j.cnki.jdxbgxb2009.02.047

2009-01-01

Abstract:A method of alert correlation based on multi-source data is presented.This is due to that,in order to attain a high level description of cyber-attacks,the network security administrators have to manually handle the alerts from multiple sources,such as the Intrusion Detection System(IDS),firewall,anti-virus software and scanner.First,an Extended Colored Petri Net(ECPN) is constructed by adding observation set,which reflects the alerts information from security tools,to the Colored Petri Net(CPN),and the formalized description and graphic modeling on ECPN are carried out.Then,an ECPN-Scenario-Constructor and Multistep-Abstract algorithms are proposed based on ECPN.Finally,experiment is conducted with the data set of DARPA 2000 intrusion scenario correlation benchmark.Results show that this method can effectively correlate the alerts,detect the attacking strategy of the attacker early,and reduce the leakage of alerts and avoid false alerts.

LIU Xue-fei,WANG Shen-qiang,WU Bo-qiao,MA Heng-tai,WEN Wei-ping

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.01.049

2007-01-01

Abstract:Second analyzing Intrusion Detection System(IDS)'s alarm information has already become an important and practical method of improving IDS's detection performance.The paper roundly provides root cause and correlation analysis of alarm information based on analyzing IDS's alarm information,giving the practical method,the experiment proves the me￣thod's validity.

Tu Fan,Li Zhitang,Ren Jielin

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.02.037

2006-01-01

Abstract:With the development of attack means and complex technologies, an intrusion detection system event commonly needs many steps to be successful. Tranditional intrusion detections focus on intrusion or abnormality at bottom layer, so they can not combine various types of alerts to find logical steps of attack policies behind the intrusions. Correlation technologies combine the alerts from different analyzers and correlate them, which greatly reduce the numbers of alerts, decrease the false positive and false negative properly. This article firstly analysizes the system structure of correlation means of network secure events, then stressly introduces several popular ways of network secure events correlation analysises.

Shaojun Zhang,Jianhua Li,Xiuzhen Chen,Lei Fan

DOI: https://doi.org/10.1109/ICCS.2008.4737374

2008-01-01

Abstract:Network security alert causal correlation aims at correlating causal related security alerts into comprehensible attack scenarios. In this paper, we propose a novel correlation criterion by evaluating the time expenses of the attacks that trigger security alerts. By taking the attack time expenses as random variables and studying their probabilistic distribution, we can calculate the temporal correlation belief metric of any two candidate alerts. To testify the feasibility, a prototype system is designed, implemented and tested with the DARPA 2000 IDS evaluation dataset. Result shows that our method is effective and efficient, providing a strong complementary support for attack scenario construction.

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

SHI Mei-Lin,QIAN Jun,XU Chao

2006-01-01

Computer Science

Abstract:Intrusion detection technology has been an indispensable part of information security metrics, but till now no standard is widely accepted to evaluate the effectiveness and accuracy of intrusion detection systems (IDS). Thus, both the end users and researchers have doubt on the effectiveness of IDS and algorithms. The key point of the solution is to construct a precise and comprehensive methodology for IDS evaluation. Researchers have proposed several IDS evaluation methods, such as dataset evaluation proposed by MIT Lincoln Lab and Open Security Evaluation Criteria proposed by Neohapsis, etc. According to the evaluation results researchers may look through the weak point of current intrusion detection technologies and thus improve on them. In this paper we present a detail analysis of dataset evaluation methodology proposed by MIT Lincoln Lab and point out the key problems of dataset evaluation methodology. We also propose an improving research plan as our furthering work in order to update the evaluation dataset.