Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

SHI Liang,WANG Beizhan,YAO Junfeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.14.048

2006-01-01

Abstract:This paper presents an alerts association analysis technology based on intrusion intention in order to overcome the problems exited in today's alerts association analysis technologies.This method not only inherits the merits of the alerts association analysis technology based on intrusion strategy such as foreseeable,but also improves the adaptability of the intrusion strategy model.Furthermore,it gives the“skipping step”analysis mechanism and its improvement on the comprehension ability of the intrusion detection system.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Wang Li,Li Zhi-tang,Lei Jie

DOI: https://doi.org/10.1109/INM.2007.374834

2007-01-01

Abstract:Huge volume of security data from different security devices can overwhelm security managers and keep them from performing effective analysis and initiating timely response. Therefore, it is important to develop an advanced alert correlation system that can reduce alert redundancy, intelligently correlate security alerts and detect attack strategies. In this paper, we proposed a new method of mining multi-stage attack behaviors pattern in order to recognize attacker's high-level strategies and predict upcoming attack intentions. We apply a reformative Apriori algorithm to mine frequent attack sequence patterns from history alert data. We use correlativity between two contextual elements in the attack sequence to correlate attack behaviors and identify potential attack intentions. The idea is easy to implement and it can be used to detect novel multi-stage attack strategies compared with other techniques. Experiments show that our approach can effectively learn high level attack strategies and can accordingly predict next possible attack behavior.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

Yu-Xin Ding

DOI: https://doi.org/10.1109/icmlc.2007.4370714

2007-01-01

Abstract:Traditional intrusion detection systems only focus on low-level attacks, and only generate isolated alerts. But in practice an attack is made up of a sequence of logical scenarios. As a result, it is difficult for human to understand alerts and take appropriate actions. This paper presents a practical technique to address this issue. The paper proposes a rule-based hierarchical model to construct attack scenarios, and use expert system (CLIPS) as the engine to detect scenarios. In this paper a concrete design method is discussed and applied to analyze snort alerts. the proposed approach can detect attack scenarios in real time, the rules only describe the properties of attacks in a high level and avoid to describe the concrete network or host information, this guarantee the generality of this method, we adopt the known general expert system as the detection engine, so the implementation become very easy.

Shaojun Zhang,Jianhua Li,Xiuzhen Chen,Lei Fan

DOI: https://doi.org/10.1016/j.cose.2008.05.005

IF: 5.105

2008-01-01

Computers & Security

Abstract:Most network administrators have got unpleasant experience of being overwhelmed by tremendous unstructured network security alerts produced by heterogeneous devices. To date, various approaches have been proposed to correlate security alerts, including the adoption of attack graphs to clarify their causal relationship. However, there still lacks an efficient and operational method to generate attack graphs tailored to alert causal correlation. In this paper, we propose a kind of ''one-step worst'' attack graph which can be built in polynomial time using an intuitive object-oriented method. Based on the graph, a principle is given out to correlate security alerts into scenarios. To prove its feasibility, we implemented a prototype system which can efficiently divide real-time alert streams into plausible attack scenarios.

LILongying,LI Jinku,MAJianfeng,JIANGQi

DOI: https://doi.org/10.3969/j.issn.1001-2400.2014.05.015

2014-01-01

Abstract:The causal relation based alert correlation approach causes split scenario graphs and cannot process massive alerts in time.To address this issue,a comprehensive analysis approach of real-time alerts with attack strategy graphs is proposed.First,it gets rid of the splitting of the attack scenario graph by introducing hypothesizing alerts to the alert correlation process.Second,it leverages a novel sliding window mechanism,which maintains a window for each type of attacks and determines the window’s size according to both the time and number of the alerts.This new mechanism only introduces linear time complexity without sacrificing effectiveness.Third,the approach is extended to a comprehensive system to reconstruct attack scenarios,predict future alerts and fuse analytical results.Evaluation results indicate that our approach is effective and efficient.

Yi Ping,Xing Hongkai,Wu Yue,Cai Jiwen

DOI: https://doi.org/10.1109/cmc.2009.327

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

TIAN Zhi-hong,ZHANG Wei-zhe,ZHANG Yong-zheng,ZHANG Hong-li,LI Yang,JIANG Wei

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.013

2007-01-01

Abstract:To construct attack scenarios and predict intrusion intents automatically,a real-time alert correlation approach based on capability transition model was proposed.By highly abstracting the reasoning evidences,the process complexity is effectively reduced.Experiment results on the DARPA2000 IDS test dataset indicate that the method is effective and efficient.

Siying He,Mi Wen,Xiumin Li,Zhou Su

DOI: https://doi.org/10.1109/ICCC57788.2023.10233417

2023-01-01

Abstract:With the complexity and variability of cyber attacks increasing, current approaches for constructing attack scenarios often overlook the continuity of attack behaviors. These approaches lead to challenges in dynamically reconstructing the complete attack path. Additionally, many false alerts significantly reduce the accuracy of restoring an attack scenario. Against these issues, this paper proposes an approach for attack scenario construction based on a dynamic attack path graph. First, this paper proposes an alert truth rate calculating approach which utilizes mutual information. And the paper constructs the attack path graph by considering multiple dimensions, including calculated alert features and alert truth rate. In addition, an attack chain generation algorithm is proposed to restore the dynamic and complete attack scenario. Secondly, in order to cope with the changing network, the paper introduces a dynamic probabilistic update algorithm that periodically adjusts the attack path as time progresses. Finally, Experimental results show that the proposed approach can recover all attack processes in the dataset, with an algorithmic complexity of O (M × N).

Safaa O. Al-Mamory,Zhai Jianhong,Zhang Hongli

2008-01-01

Abstract:Building attack scenario is one of the most important aspects in network security. This paper proposed a system which collects intrusion alerts, clusters them as sub-attacks using alerts abstraction, aggregates the similar sub-attacks, and then correlates and generates correlation graphs. The scenarios were represented by alert classes instead of alerts themselves so as to reduce the required rules and have the ability of detecting new variations of attacks. The proposed system is capable of passing some of the missed attacks. To evaluate system effectiveness, it was tested with different datasets which contain multi-step attacks. Compressed and easily understandable correlation graphs which reflect attack scenarios were generated. The proposed system can correlate related alerts, uncover the attack strategies, and detect new variations of attacks.

Donghai Tian,Hu Changzhen,Yang Qi,Wang Jianqiao

DOI: https://doi.org/10.1109/IAS.2009.26

2009-01-01

Abstract:Alert correlation is a promising technique in intrusion detection. It takes the alerts produced by intrusion detection systems and produces compact reports which provide a more succinct and high-level view of occurring or attempted intrusions and highly improve security expert’s work efficiency. Traditional alert correlation system adopts a centralized architecture which can be easily over flooded by the raw alarms. To address this issue, a distributed alert correlation model based on hierarchical architecture is proposed. This model greatly improves the performance of alert correlation through integrating three novel methods. The experiments show effectiveness of this alert correlation model on 2000 DARPA intrusion detection scenario specific datasets.

Jin-ze PEI,Hua-ping HU,Chen-lin HUANG

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.03.033

2006-01-01

Abstract:Conventional network security protection is facing a great challenge of coordinated and distributed attack,so distributed intrusion detection technology is required.Fusing multi-kinds of IDS alerts can effectively improve warning veracity.Based on annotation to alert correlation definition renewedly,the paper designed and implemented layered correlation model with real-time response mechanism.The model is much adaptive,each layer of which can do its work independently.At last,the function of fusing alert information is implemented,which can resolve problems of management of alerts,false negative and false positive better and can warn according to attack intention identified.

ZAN Xin,ZHENG Qing-hua,FAN Yu-qian,HAN Jiu-qiang

2007-01-01

Journal of Computer Applications

Abstract:With the widespread deployment of Intrusion Detection Systems (IDS) in network security community, intrusion alert learning and analysis has increasingly become an active research area. Due to some problems such as alert flooding and lack of knowledge about attack scenario etc, a comprehensive attack case learning system composed of two learning phases: similar alerts aggregation and typical attack instance learning was presented. Firstly, an improved density-based clustering algorithm was introduced to aggregate huge volume of similar alerts to numbers of alert clusters. Secondly, some representative alerts were chosen to represent the overall alert clusters according to some reduction rules. Eventually, sequence pattern mining approach is used to mine frequent intrusive incidents. Furthermore, an evaluation approach based on execution ordering of attacks was proposed to identify valuable attack instances from frequent sequences of intrusive incidents. A real intrusion alert dataset was used to test our learning system. The experimental results show that our learning system can not only effectively reduce the large amount of alerts but also correctly learn the valuable attack cases.

Taqwa Ahmed Alhaj,Maheyzah Md Siraj,Anazida Zainal,Inshirah Idris,Anjum Nazir,Fatin Elhaj,Tasneem Darwish

DOI: https://doi.org/10.48550/arXiv.2110.08662

2021-10-17

Abstract:A Network Intrusion Detection System (NIDS) is a network security technology for detecting intruder attacks. However, it produces a great amount of low-level alerts which makes the analysis difficult, especially to construct the attack scenarios. Attack scenario construction (ASC) via Alert Correlation (AC) is important to reveal the strategy of attack in terms of steps and stages that need to be launched to make the attack successful. In most of the existing works, alerts are correlated by classifying the alerts based on the cause-effect relationship. However, the drawback of these works is the identification of false and incomplete correlations due to the infiltration of raw alerts. To address this problem, this work proposes an effective ASC model to discover the complete relationship among alerts. The model is successfully experimented using two types of datasets, which are DARPA 2000, and ISCX2012. The Completeness and Soundness of the proposed model are measured to evaluate the overall correlation effectiveness.

Cryptography and Security

Zhang Yue,Wang Yan,Li Bin,Zhang Hongli

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.12.071

2006-01-01

Abstract:Network attack techniques become more and more complexity, IDS produce a large of alerts, and falut positive is high, availability is low. So, we introduce combinative algorithem based on aggregation analysis, correlation, and CPN method to accomplish the attacks correlation, from macroscope and microscope view we rebuild attack scenario, impore IDS's usabiliy.

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Ping Yi,Hongkai Xing,Yue Wu,Linchun Li

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.