DUAN Hai-xin,YU Xue-li,WANG Lan-jia

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.032

2005-01-01

Abstract:The alert flood of current IDSes often overwhelms the security administrators,which largely decreases the effectiveness of IDS.The correlation of original alerts plays an important role in distributed IDS,which can draw out the effective attacks from a large number of alerts,and analyze the real intension of attackers.In this paper,the merits and defects of typical correlation algorithms are analyzed.An algorithm of alert correlation based on address correlation graph(ACG) is proposed here.The algorithm can be used to analyze the original alerts with ACG model,which can get the intrusion path of attackers through the relation and steps of different attacks,and then analyze the intension of attackers.The algorithm is easy to be implemented because it does not depend on a predefined base of correlation knowledge or a forehand training of correlation model.

Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0804.1281

2008-04-08

Cryptography and Security

Abstract:Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.

Seyed Ali Mirheidari,Sajjad Arshad,Rasool Jalili

DOI: https://doi.org/10.1007/978-3-319-03584-0_14

2018-11-02

Abstract:Alert correlation is a system which receives alerts from heterogeneous Intrusion Detection Systems and reduces false alerts, detects high level patterns of attacks, increases the meaning of occurred incidents, predicts the future states of attacks, and detects root cause of attacks. To reach these goals, many algorithms have been introduced in the world with many advantages and disadvantages. In this paper, we are trying to present a comprehensive survey on already proposed alert correlation algorithms. The approach of this survey is mainly focused on algorithms in correlation engines which can work in enterprise and practical networks. Having this aim in mind, many features related to accuracy, functionality, and computation power are introduced and all algorithm categories are assessed with these features. The result of this survey shows that each category of algorithms has its own strengths and an ideal correlation frameworks should be carried the strength feature of each category.

Cryptography and Security

WU Ji-yi,PING Ling-di,FAN Rong,Zhijie Lin

2008-01-01

Abstract:With the increasing demand of computer networks security,the distributed intrusion detection technology becomes an important research area.However,the traditional distributed intrusion detection systems have some shortcomings in certain aspects,such as distributivity,flexibility,interoperability,detecting efficiency,and insider threat avoidance etc.To deal with the insider threat more effectively,P2P overlay IDS based on an adaptive trust alert correlation was proposed.Under JXTA P2P framework,a P2P overlay IDS prototype system was implemented,and its effectiveness to prevent the spread of a real Internet worm was evaluated over an emulated network.The experiment results show the P2P overlay IDS significantly increases the overall survival rate of vulnerable peers in network.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

GUO Shan-qing,YANG Xue-lin,ZENG Ying-pei,XIE Li,GAO Cong

2005-01-01

Abstract:security devices(e.g.firewalls,IDS's,anti-virus tools etc) that have been widely adopted in enterprise environments may generate huge amounts of independent,raw attack alerts,which are characterized by high false positive ratio and false negative ratio.As a result,it is difficult for users to understand these alerts and respond correspondingly.Therefore,handling the huge number of alerts produced by security devices is becoming a critical and challenging task in network security research.A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario.A general survey of the contemporary alerts correlation algorithms was given in this paper by a straight forward classification paradigm,and some problems for future research were addressed.

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.1007/978-3-540-89862-7_16

2008-01-01

SSRN Electronic Journal

Abstract:The premise of automated alert correlation is to accept that false alerts from a low level intrusion detection system are inevitable and use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified in to two broad categories namely scenario-graph approaches, which create an attack model starting from a vulnerability assessment and type-graph approaches which rely on an abstract model of the relations between attack types. Some research in to improving the efficiency of type-graph correlation has been carried out but this research has ignored the hypothesizing of missing alerts. Our work is to present a novel type-graph algorithm which unifies correlation and hypothesizing in to a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to other techniques.

Jing Yang,Liming Wang,Zhen Xu,Jigang Wang,Tian Tian

DOI: https://doi.org/10.1007/978-3-030-21373-2_30

2019-01-01

Abstract:Web scan is one of the most common network attacks on the Internet, in which an adversary probes one or more websites to discover exploitable information in order to perform further cyber attacks. For a coordinated web scan, an adversary controls multiple sources to achieve a large-scale scanning as well as detection evasion. In this paper, a novel detection approach based on hierarchical correlation is proposed to identify coordinated web campaigns from the labelled malicious sources. The semantic correlation is used to identify the malicious sources scanning the similar contents, and the temporal-spatial correlation is employed to identify malicious campaigns from the semantic correlation results. In both correlation phases, we convert the clustering problem into the group partition problem and propose a greedy algorithm to solve it. The evaluation shows that our algorithm is effective in detecting coordinated web scan attacks, since the metric Precision for detection can achieve 1.0, and the metric Rand Index for clustering is 0.984.

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Zhongmin Wang,Rui Gao,Cong Gao,Yanping Chen,Fengwei Wang,Gao, Rui

DOI: https://doi.org/10.1007/s11277-024-10930-w

IF: 2.017

2024-03-21

Wireless Personal Communications

Abstract:Wireless sensor devices are affected by internal constraints and the external environment, generating abnormal data. Currently, many anomaly detection schemes ignore the correlation between screening nodes, wasting resources due to excessive communication. Therefore, this paper proposes a distributed anomaly detection scheme based on adaptive grouping using the correlation between nodes in wireless sensor networks. Limiting the scope of collaboration between nodes can reduce the waste of resources due to excessive communication. Since the computing resources of sensor nodes are limited, an edge-cloud framework is established. The scheme uses Spatio-temporal correlation and graph theory for wireless sensor networks to determine node groups with solid correlations on the cloud server. Based on the grouping results, anomaly detection is implemented locally. A Bayesian network model is constructed at the node within the group, and outlier detection is realized by inference on nodes. A correlation consistency evaluation method is proposed to improve anomaly detection accuracy to check the data consistency on the cluster head. The proposed scheme is verified by a generated data set and the real data of Intel Berkeley Research Lab. The effectiveness of the proposed method is verified by comparing it with three existing algorithms. Experimental results show that the method improves detection accuracy and reduces false detection.

telecommunications

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

Yuan LI,Zhanpeng ZHANG,Mingyuan XU,Bingzhen CHEN,Jinsong ZHAO

DOI: https://doi.org/10.11949/j.issn.0438-1157.20150803

2015-01-01

Abstract:Alarm correlation mining is a key part of alarm management which plays an important role for chemical process safety. According to the traditional alarm correlation mining algorithms which is based on hierarchical clustering schemes, this paper proposed a non-regular alarm correlation calculation method to make up the deficiency that the traditional algorithms have, in dealing with the situation of delayed time change and asymmetry of alarms. Moreover, the value of alarm correlation was determined in the form of probability, which made the alarm correlation among different tags comparable. Furthermore, case studies based on simulation and real industrial process data were performed to demonstrate the effectiveness of the proposed methods in mining alarm correlation.

David Lanoe,Michel Hurfin,Eric Totel

DOI: https://doi.org/10.1109/srds.2018.00014

2018-10-01

Abstract:In distributed systems and in particular in industrial SCADA environments, alert correlation systems are necessary to identify complex multi-step attacks within the huge amount of alerts and events. In this paper we describe an automata-based correlation engine developed in the context of a European project where the main stakeholder was an energy distribution company. The behavior of the engine is extended to fit new requirements. In the proposed solution, a fully automated process generates thousands of correlation rules. Despite this major scalability challenge, the designed correlation engine exhibits good performances. Expected rates of incoming low level alerts approaching several hundreds of elements per second are tolerated. Moreover, the used data structures allow to quickly handle dynamic changes of the set of correlation rules. As some attack steps are not observed, the correlation engine can be tuned to raise an alert when all the attack steps except $k$ of them have been detected. To be able to react to an ongoing attack by taking countermeasures, alerts must also be raised as soon as a significant prefix of an attack scenario is recognized. Fulfilling these additional requirements leads to increase the memory consumption. Therefore purge mechanisms are also proposed and analyzed. An evaluation of the tool is conducted in the context of a SCADA environment.

Qun-Xiong Zhu,Yi Luo,Yan-Lin He

DOI: https://doi.org/10.1021/acs.iecr.9b02963

2019-11-04

Abstract:Process monitoring and alarm systems play an important role in production safety. Distributed alarm systems have been utilized to effectively reduce the burden of data calculations, contributing to fast-track root causes of alarms. However, the traditional distributed contribution analysis method cannot be well applied to online monitoring in time. In addition, the correlation-based variable reconstruction method cannot accurately explain the actual process. To solve this problem, a novel distributed alarm analysis model based on multicorrelation blocks and an improved contribution graph is proposed. The proposed multicorrelation blocks are based on partial least squares. The computational burden is reduced, but accuracy is ensured by multicorrelation block partial least squares. In addition, an improved alarm analysis strategy using the contribution value is adopted, so that the results of the distributed contribution analysis method can be used for essential variable analysis online. Simulation results of a case study using the Tennessee Eastman process verify the effectiveness and practicability of the proposed method and indicate that the online analysis performance in terms of actual industrial process monitoring and root cause analysis is improved.

engineering, chemical

Steffen Haas,Florian Wilkens,Mathias Fischer

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958734

2020-03-12

Abstract:An Intrusion Detection System (IDS) to secure computer networks reports indicators for an attack as alerts. However, every attack can result in a multitude of IDS alerts that need to be correlated to see the full picture of the attack. In this paper, we present a correlation approach that transforms clusters of alerts into a graph structure on which we compute signatures of network motifs to characterize these clusters. A motif representation of attack characteristics is magnitudes smaller than the original alert data, but still allows to efficiently compare and correlate attacks with each other and with reference signatures. This allows not only to identify known attack scenarios, e.g., DDoS, scan, and worm attacks, but also to derive new reference signatures for unknown scenarios. Our results indicate a reliable identification of scenarios, even when attacks differ in size and at least slightly in their characteristics. Applied on real-world alert data, our approach can classify and assign attack scenarios of up to 96% of all attacks and can represent their characteristics using 1% of the size of the full alert data.

Cryptography and Security,Networking and Internet Architecture

Hashim Albasheer,Maheyzah Md Siraj,Azath Mubarakali,Omer Elsier Tayfour,Sayeed Salih,Mosab Hamdan,Suleman Khan,Anazida Zainal,Sameer Kamarudeen

DOI: https://doi.org/10.3390/s22041494

IF: 3.9

2022-02-15

Sensors

Abstract:Network Intrusion Detection Systems (NIDS) are designed to safeguard the security needs of enterprise networks against cyber-attacks. However, NIDS networks suffer from several limitations, such as generating a high volume of low-quality alerts. Moreover, 99% of the alerts produced by NIDSs are false positives. As well, the prediction of future actions of an attacker is one of the most important goals here. The study has reviewed the state-of-the-art cyber-attack prediction based on NIDS Intrusion Alert, its models, and limitations. The taxonomy of intrusion alert correlation (AC) is introduced, which includes similarity-based, statistical-based, knowledge-based, and hybrid-based approaches. Moreover, the classification of alert correlation components was also introduced. Alert Correlation Datasets and future research directions are highlighted. The AC receives raw alerts to identify the association between different alerts, linking each alert to its related contextual information and predicting a forthcoming alert/attack. It provides a timely, concise, and high-level view of the network security situation. This review can serve as a benchmark for researchers and industries for Network Intrusion Detection Systems’ future progress and development.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation