Wen Ying,Hu Wei,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.08.047

2006-01-01

Abstract:Intrusion detection is an important measure to safeguard the network security.Due to the fact that current ID systems have too many alerts and lack of inter-cooperation,the paper presents an alerts process system model based on alert fusion and correlation.The model has the advantage of low redundant alert number and high intrusion detection performance.In addition,it can help anticipate the real intention of attackers￡?thus greatly improve the system's efficiency as well as further enhance the robustness of the network.

Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

JIANG Shao-hua,YAO Juan,HU Hua-ping

DOI: https://doi.org/10.3969/j.issn.1006-2475.2006.06.029

2006-01-01

Abstract:Nowadays,the present IDS has too many false negatives and false positives,and the level of the alert is too low.So it cannot reflect the security situation of the whole network accurately and in time.The administrators have to deal with a lot of raw alerts to find the possible security threat and the source of attack just as look for a needle in a bottle of hay.In this paper,the shortages of the present IDS are presented firstly.Then,a definition of alert correlation is given.The production of this paper has been applied into "the Network Security Monitor and the Warning Technology",which will do a great deal of good for the design of alert correlation system in distributed IDS.

ZHANG Hong-bing,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.09.059

2007-01-01

Abstract:As the problem of network security is getting worse, more and more IDSs have been used for networK protection However, so many security administrators are overwhelmed by thousands of alerts generated by IDSs everyday. Therefore, it has become a key development for IDS to automatically correlate these alerts and thus reduce their numbers. In this paper, a novel method is proposed, which is based on description logics and is used to define the attacks. This method takes attack scenarios as carriers to match the in-succession alerts and sets of abilities as bridges to construct attack scenarios. By this way, the inherent logic relations between different alerts can be displayed clearly and thus the basis for realization of the alert correlation and merge-sort is provided.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Donghai Tian,Hu Changzhen,Yang Qi,Wang Jianqiao

DOI: https://doi.org/10.1109/IAS.2009.26

2009-01-01

Abstract:Alert correlation is a promising technique in intrusion detection. It takes the alerts produced by intrusion detection systems and produces compact reports which provide a more succinct and high-level view of occurring or attempted intrusions and highly improve security expert’s work efficiency. Traditional alert correlation system adopts a centralized architecture which can be easily over flooded by the raw alarms. To address this issue, a distributed alert correlation model based on hierarchical architecture is proposed. This model greatly improves the performance of alert correlation through integrating three novel methods. The experiments show effectiveness of this alert correlation model on 2000 DARPA intrusion detection scenario specific datasets.

Yijie WANG,Li CHENG,Xingkong MA

DOI: https://doi.org/10.11887/j.cn.201705021

2017-01-01

Abstract:The rapid development of the Internet also causes more and more network threats.How to detect the network threats in a real-time and accurate manner becomes one of the key technique issues.The alert-correlation-based network threat detection technique is becoming the research hotspot,which couples with the widely used security products and fully exploits the relation between abnormal events to reconstruct the attack scenario.Starting from the features of network threats and security environment,the requirements and classification of network threat detection were introduced.Then the basic concepts and system model of alert-correlation-based network threat detection technique were illustrated in detail.The key module of the model,alert correlation method,and the fundamentals and features of different kinds of typical algorithm were studied in detail,including causal-relation-based method,case-based method,similarity-based method and data-mining-based method.Furthermore,three kinds of representative detection system architectures were discussed with practical instances,namely centralized architecture,hierarchical architecture and distributed architecture.Finally,based on the analysis of recent research work,the future work is discussed and outlined.

Zhang Yue,Wang Yan,Li Bin,Zhang Hongli

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.12.071

2006-01-01

Abstract:Network attack techniques become more and more complexity, IDS produce a large of alerts, and falut positive is high, availability is low. So, we introduce combinative algorithem based on aggregation analysis, correlation, and CPN method to accomplish the attacks correlation, from macroscope and microscope view we rebuild attack scenario, impore IDS's usabiliy.

WU Ji-yi,PING Ling-di,FAN Rong,Zhijie Lin

2008-01-01

Abstract:With the increasing demand of computer networks security,the distributed intrusion detection technology becomes an important research area.However,the traditional distributed intrusion detection systems have some shortcomings in certain aspects,such as distributivity,flexibility,interoperability,detecting efficiency,and insider threat avoidance etc.To deal with the insider threat more effectively,P2P overlay IDS based on an adaptive trust alert correlation was proposed.Under JXTA P2P framework,a P2P overlay IDS prototype system was implemented,and its effectiveness to prevent the spread of a real Internet worm was evaluated over an emulated network.The experiment results show the P2P overlay IDS significantly increases the overall survival rate of vulnerable peers in network.

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

DUAN Hai-xin,YU Xue-li,WANG Lan-jia

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.032

2005-01-01

Abstract:The alert flood of current IDSes often overwhelms the security administrators,which largely decreases the effectiveness of IDS.The correlation of original alerts plays an important role in distributed IDS,which can draw out the effective attacks from a large number of alerts,and analyze the real intension of attackers.In this paper,the merits and defects of typical correlation algorithms are analyzed.An algorithm of alert correlation based on address correlation graph(ACG) is proposed here.The algorithm can be used to analyze the original alerts with ACG model,which can get the intrusion path of attackers through the relation and steps of different attacks,and then analyze the intension of attackers.The algorithm is easy to be implemented because it does not depend on a predefined base of correlation knowledge or a forehand training of correlation model.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

YU Xiao-di,HU Liang,XIE Nan-nan

DOI: https://doi.org/10.7694/jdxblxb20130525

2013-01-01

Abstract:According to the researches of traditional network intrusion detection,we proposed a multi-step intrusion alert collaborative model based on data mining,by which the alert information of several intrusion detection systems can be integrated so as to find the inner contacts by analysing the massive,disordered alert information,the attack alert can be simplified,and the multi-step intrusion in the integrated alert information can be found through the constantly updated knowledge database.Comparison of the model with the existing model shows that the correlation analysis method of this model and the build of the multi-step intrusion knowledge base really do help to the combination of the characteristics of different systems so as to realize multi-step intrusion alert collaborative researches.

Jia-chun LI,Zhi-tang Li

2004-01-01

Abstract:In order to reduce duplicated or incomplete or imperfect alerts in distributed intrusion detection systems and false alert rate, so as to solve alert correlation mixing prerequisites and consequences of intrusions with characteristic similarity of intrusions, a hierarchical correlation algorithm is presented in this paper. Based on the detect time similarity, alert correlation analysis is divided into two class: probabilistic correlation and consequence correlation. Adjustable increment Bayesian classifier and real-time correlation algorithm based on prerequisites and consequences of intrusions are given. As a result, alert correlation mixing multi-character is implemented and the alert correlation rate is improved. 2000 DARPA LLDOS1.0 from MIT Lincoln Lab is used to evaluate the hierarchical correlation algorithm, and the experiment results show the efficiency of the algorithm.

Ping Yi,Hongkai Xing,Yue Wu,Linchun Li

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

郑挺,胡华平

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.08.029

2004-01-01

Abstract:It is very important to study the technologies of IDS (Intrusion Detection System) alerts fusion,which can resolve the problems of current IDS,such as false positive, false negative,management hardly,creating alerts in low level,and it can increase network warning ability.Some problems in current IDS and necessity of doing alerts fusion are presented.An IDS alerts fusion visible model is presented,which provides solid base for passing check and acceptance successfully.

LIU Mi-xia,ZHANG Qiu-yu,ZOU Xiao,YU Dong-mei

DOI: https://doi.org/10.13229/j.cnki.jdxbgxb2009.02.047

2009-01-01

Abstract:A method of alert correlation based on multi-source data is presented.This is due to that,in order to attain a high level description of cyber-attacks,the network security administrators have to manually handle the alerts from multiple sources,such as the Intrusion Detection System(IDS),firewall,anti-virus software and scanner.First,an Extended Colored Petri Net(ECPN) is constructed by adding observation set,which reflects the alerts information from security tools,to the Colored Petri Net(CPN),and the formalized description and graphic modeling on ECPN are carried out.Then,an ECPN-Scenario-Constructor and Multistep-Abstract algorithms are proposed based on ECPN.Finally,experiment is conducted with the data set of DARPA 2000 intrusion scenario correlation benchmark.Results show that this method can effectively correlate the alerts,detect the attacking strategy of the attacker early,and reduce the leakage of alerts and avoid false alerts.

刘密霞,张秋余,赵宏,余冬梅

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.10.068

2008-01-01

Abstract:At first,this paper studied technology and method of alert correlation for analyzing their advantages and disadvantages.Then,presented alert correlation model based on multi-sources data fusion.After that,discussed evaluation dataset for analyzing their used scope and existent problems.At last,described future research and development.

Nurbol,CHAI Sheng,LI Hong-wei,HU Liang

2011-01-01

Abstract:The alert correlation,choquet fuzzy integral and fuzzy cognitive maps was analyzed,the correlation of IDS alerts based choquet fuzzy integral was proposed and the correlation engine of intrusion detection system was designed.Though experiences of the DRDOS attack and LLDOS attack,it is proved that the alert correlation in the paper could correlate the alerts with high feasibility.

Tian Zhihong,Qin Baoshan,Ye Jianwei,Zhang Hongli

DOI: https://doi.org/10.1109/cw.2008.116

2008-01-01

Abstract:Intrusion detection can be defined as the process of identifying malicious behavior that targets a network and its resources. An important problem in the field of intrusion detection is the management of alerts. This paper describes a realtime aggregation and correlation system named Alertclu. With the aid of similarity-based alert clustering analysing technology, Alertclu can improve the aggregation of intrusion detection system outputs and allow one to seamlessly incorporate additional information. In addition, Alertclu supports the operators by classifying alerts into true positives and false positives. The results of experiment show that the proposed system is able to reduce the numerous redundant alerts and effectively reduces the analyst operators' workload.