Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

GUO Shan-qing,YANG Xue-lin,ZENG Ying-pei,XIE Li,GAO Cong

2005-01-01

Abstract:security devices(e.g.firewalls,IDS's,anti-virus tools etc) that have been widely adopted in enterprise environments may generate huge amounts of independent,raw attack alerts,which are characterized by high false positive ratio and false negative ratio.As a result,it is difficult for users to understand these alerts and respond correspondingly.Therefore,handling the huge number of alerts produced by security devices is becoming a critical and challenging task in network security research.A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario.A general survey of the contemporary alerts correlation algorithms was given in this paper by a straight forward classification paradigm,and some problems for future research were addressed.

Yizhen Dong,Peixin Zhang,Jingyi Wang,Shuang Liu,Jun Sun,Jianye Hao,Xinyu Wang,Li Wang,Jin Song Dong,Ting Dai

DOI: https://doi.org/10.1109/ICECCS51672.2020.00016

2020-01-01

Abstract:Deep neural networks (DNN) are increasingly applied in safety-critical systems, e.g., for face recognition, autonomous car control and malware detection. It is also shown that DNNs are subject to attacks such as adversarial perturbation and thus must be properly tested. Many coverage criteria for DNN since have been proposed, inspired by the success of code coverage criteria for software programs. The expectation is that if a DNN is well tested (and retrained) according to such coverage criteria, it is more likely to be robust. In this work, we conduct an empirical study to evaluate the relationship between coverage, robustness and attack/defense metrics for DNN. Our study is the largest to date and systematically done based on 100 DNN models and 25 metrics. One of our findings is that there is limited correlation between coverage and robustness, i.e., improving coverage does not help improve the robustness. Our dataset and implementation have been made available to serve as a benchmark for future studies on testing DNN.

Seyed Ali Mirheidari,Sajjad Arshad,Rasool Jalili

DOI: https://doi.org/10.1007/978-3-319-03584-0_14

2018-11-02

Abstract:Alert correlation is a system which receives alerts from heterogeneous Intrusion Detection Systems and reduces false alerts, detects high level patterns of attacks, increases the meaning of occurred incidents, predicts the future states of attacks, and detects root cause of attacks. To reach these goals, many algorithms have been introduced in the world with many advantages and disadvantages. In this paper, we are trying to present a comprehensive survey on already proposed alert correlation algorithms. The approach of this survey is mainly focused on algorithms in correlation engines which can work in enterprise and practical networks. Having this aim in mind, many features related to accuracy, functionality, and computation power are introduced and all algorithm categories are assessed with these features. The result of this survey shows that each category of algorithms has its own strengths and an ideal correlation frameworks should be carried the strength feature of each category.

Cryptography and Security

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

Jian Yang,Qi Zhang,Xiaofeng Jiang,Shuangwu Chen,Feng Yang

DOI: https://doi.org/10.1109/TDSC.2021.3101649

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The volatile, covert and slow multistage attack patterns of Advanced Persistent Threat (APT) present a tricky challenge of APT detection, which are vital for organisations to protect their critical assets. In this article, we aim to develop system that aggregates and uses existing systems’ alerts to detect APTs. In order to achieve this, we propose a causal correlation aided semantic analysis system, called <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Poirot</small> , for detecting the multi-stage threats over a long-time span from existing systems’ alerts. <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Poirot</small> is capable of autonomously mining causality between anomalous events, which instructs us in reorganizing the original alerts and in constructing alert-chains. The system further exploits the Latent Dirichlet Allocation (LDA) to model the semantic context of the alert-chains. This LDA model facilitates us to carry out the semantic analysis for capturing the latent attack intent as well as for reconstructing the APT scenario. We use an alert dataset provided by a cyber security company to verify the proposed <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Poirot</small> in terms of the detection accuracy and the capability of attack scenario reconstruction. The experiment results are presented to show the achievable performance of the proposed semantic analysis based APT detection.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0804.1281

2008-04-08

Cryptography and Security

Abstract:Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.1007/978-3-540-89862-7_16

2008-01-01

SSRN Electronic Journal

Abstract:The premise of automated alert correlation is to accept that false alerts from a low level intrusion detection system are inevitable and use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified in to two broad categories namely scenario-graph approaches, which create an attack model starting from a vulnerability assessment and type-graph approaches which rely on an abstract model of the relations between attack types. Some research in to improving the efficiency of type-graph correlation has been carried out but this research has ignored the hypothesizing of missing alerts. Our work is to present a novel type-graph algorithm which unifies correlation and hypothesizing in to a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to other techniques.

DUAN Hai-xin,YU Xue-li,WANG Lan-jia

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.032

2005-01-01

Abstract:The alert flood of current IDSes often overwhelms the security administrators,which largely decreases the effectiveness of IDS.The correlation of original alerts plays an important role in distributed IDS,which can draw out the effective attacks from a large number of alerts,and analyze the real intension of attackers.In this paper,the merits and defects of typical correlation algorithms are analyzed.An algorithm of alert correlation based on address correlation graph(ACG) is proposed here.The algorithm can be used to analyze the original alerts with ACG model,which can get the intrusion path of attackers through the relation and steps of different attacks,and then analyze the intension of attackers.The algorithm is easy to be implemented because it does not depend on a predefined base of correlation knowledge or a forehand training of correlation model.

Changjun Hu,Yu Weng,Peng Shi

DOI: https://doi.org/10.1109/GCC.2008.94

2008-01-01

Abstract:Oriented to the deficiency of cooperative analysis ability between different network domains in traditional topic detection and tracking (TDT), this paper proposes a network alert degree evaluation model based on cooperative computing (named CCAE). The model not only considers the influence of inner network domain, but also evaluates the cooperation impacts of inter-network domains. With the help of alert case knowledge base (ACKB), CCAE mines the alert information of each network domain by matching the alert cases with Web text. Through scheduling the local alert cases with high matching frequency between different network domains, CCAE effectively improves the ability of alert spreading analysis, optimizes the local alert case knowledge base and sharply shortens the time-consuming of alert detection. Considering the influence of page hyperlinks on alert spreading, CCAE retrieves the alert degree of the linked pages, and further realizes the evaluation in cooperative computing environment. For validating the performance of CCAE, we present a comparison experiment on a cosine classifier with TF-IDF in a corpus about "Campus Network Culture". The experimental results further validate the analysis ability of alert spreading and higher detection accuracy of CCAE. © 2008 IEEE.

LIU Jie-ling,LING Xiao-bo,ZHANG Lei,WANG Bo,WANG Zhi-liang,LI Zi-mu,ZHANG Hui,YANG Jia-hai,WU Cheng-nan

DOI: https://doi.org/10.11896/jsjkx.210600171

2022-01-01

Computer Science

Abstract:Power system network is one of the important targets of cyber attack.In order to ensure the safe operation of power system,network managers need to evaluate the network security risk.Usually,existing network security risk assessment framework only aims at a single scenario,and can not find the strategic attackers who use a variety of low-risk methods to achieve high-risk threat targets from large quantities of network security alerts.In order to meet the above challenges,this paper proposes a network security risk assessment method based on tactical correlation.In this method,the warning information generated on va-rious network security detection devices when an attacker implements a multi-step attack is associated to form an attack chain,and the security risk of the organization intranet is evaluated by calculating the threat,vulnerability,impact score of each node in the attack chain and the risk score of the whole attack chain.In order to verify the effectiveness and robustness of the proposed method,this paper selects a representative example to illustrate the specific implementation process of the proposed method for network security risk assessment in the organizational intranet.The example shows that the network security risk assessment framework based on the tactical association can correctly assess the harm of multi-step attack caused by low-risk alarm association to achieve high-risk targets,and is more robust than the traditional single scenario analysis method,which can better provide decision-making basis for organization decision-makers in network security risk management.

Xinling Guo,Yangming Zheng,Zhe-Ming Lu,Jialin Cui,Hao Luo

DOI: https://doi.org/10.24507/ijicic.20.04.979

2024-01-01

Abstract:Network centrality metrics based on heuristics which work as a guideline onremoving vertices is a vital topic for the research of network robustness. In this paper,we analyze the correlation and difference between 12 popular centrality metrics amongthree distinct network models, including the correlation analysis and granularity anal-ysis. We also concern about the destructiveness of these centrality metrics when theyare used as attack strategies. The results show that most of the centrality metrics arehighly correlated with each other across three network models. The granularity analysison centrality metrics is also considered in this paper. The experiment results also ver-ify the previous conclusion that scale free networks are more vulnerable to intentionalattack than other networks. We observe that more correlated centrality metrics wouldcause more similar damage to network connectivity; at the meantime, we also find thatthe attack strategies based on few centrality metrics could destroy networks very quickly.All these results inspire us that there is a paradigm that could detect the attack strategywith strong destructiveness for distinct networks by combining the highly correlated andhighly destructive metrics

XU Hui,FENG Jinwen,YE Zhiyuan

DOI: https://doi.org/10.3321/j.issn:0479-8023.2006.01.023

2006-01-01

Abstract:The concept of stateful alert correlation and a correlation algorithm based on dynamic Bayesian planning graph are proposed. Dynamic Bayesian planning graph adds dynamic Bayesian inference to based planning graph. It represents system security states explicitly and the relation between states and actions. The algorithm handles uncertain information with Bayesian inference, giving a quantitative evaluation of the security state of a system and eliminating false alarms effectively.

Qiuhua Zheng,Weihua Hu,Yuntao Qian,Min Yao,Xianglin Wang,Jing Chen

DOI: https://doi.org/10.1109/FSKD.2008.163

2008-01-01

Abstract:This paper proposes a novel network event correlation approach based on set covering. Firstly, we present a triple-layer belief network FPM by considering alarm loss and spurious faults into the bipartite graph FPM which used by IHU algorithm, then present the measurement of fault hypothesis. On basic of this model, we present a recursive algorithm for creating fault hypotheses. Compared with the IHU-based approach, the RHC algorithm can get all hypotheses which satisfy the relevance and non-redundant indexes during the hypotheses creating procedure. Simulations show the RHC algorithm is more accuracy than the IHU algorithm, especially in the circumstances with alarm losses and spurious alarms.

Steffen Haas,Florian Wilkens,Mathias Fischer

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958734

2020-03-12

Abstract:An Intrusion Detection System (IDS) to secure computer networks reports indicators for an attack as alerts. However, every attack can result in a multitude of IDS alerts that need to be correlated to see the full picture of the attack. In this paper, we present a correlation approach that transforms clusters of alerts into a graph structure on which we compute signatures of network motifs to characterize these clusters. A motif representation of attack characteristics is magnitudes smaller than the original alert data, but still allows to efficiently compare and correlate attacks with each other and with reference signatures. This allows not only to identify known attack scenarios, e.g., DDoS, scan, and worm attacks, but also to derive new reference signatures for unknown scenarios. Our results indicate a reliable identification of scenarios, even when attacks differ in size and at least slightly in their characteristics. Applied on real-world alert data, our approach can classify and assign attack scenarios of up to 96% of all attacks and can represent their characteristics using 1% of the size of the full alert data.

Cryptography and Security,Networking and Internet Architecture