Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

Yi Ping,Xing Hongkai,Wu Yue,Cai Jiwen

DOI: https://doi.org/10.1109/cmc.2009.327

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

DUAN Hai-xin,YU Xue-li,WANG Lan-jia

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.032

2005-01-01

Abstract:The alert flood of current IDSes often overwhelms the security administrators,which largely decreases the effectiveness of IDS.The correlation of original alerts plays an important role in distributed IDS,which can draw out the effective attacks from a large number of alerts,and analyze the real intension of attackers.In this paper,the merits and defects of typical correlation algorithms are analyzed.An algorithm of alert correlation based on address correlation graph(ACG) is proposed here.The algorithm can be used to analyze the original alerts with ACG model,which can get the intrusion path of attackers through the relation and steps of different attacks,and then analyze the intension of attackers.The algorithm is easy to be implemented because it does not depend on a predefined base of correlation knowledge or a forehand training of correlation model.

Ping Yi,Hongkai Xing,Yue Wu,Linchun Li

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

Jin-ze PEI,Hua-ping HU,Chen-lin HUANG

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.03.033

2006-01-01

Abstract:Conventional network security protection is facing a great challenge of coordinated and distributed attack,so distributed intrusion detection technology is required.Fusing multi-kinds of IDS alerts can effectively improve warning veracity.Based on annotation to alert correlation definition renewedly,the paper designed and implemented layered correlation model with real-time response mechanism.The model is much adaptive,each layer of which can do its work independently.At last,the function of fusing alert information is implemented,which can resolve problems of management of alerts,false negative and false positive better and can warn according to attack intention identified.

Jie Ma,Zhitang Li,Weiming Li

DOI: https://doi.org/10.1109/FSKD.2008.522

2008-01-01

Abstract:Signature based network intrusion detection systems (NIDSs) often report a massive number of elementary alerts of low-level security-related events which are logically involved in a single multi-stage attack. Since be overwhelmed by these alerts, security administrators almost unable to discover complicated multistage attack in time. It is necessary to develop a real-time system to extracting useful attack strategies from the alert stream, which enables network administrators to launches appropriate response to stop attacks and prevent them form escalating. This paper focuses on developing a new alert clustering and correlation technique to automatically discover attack strategies from the evolving alert stream, without specific prior knowledge. The proposed algorithms can discovery various attack sequential patterns in different kinds of time horizons or user-defined time periods. Experiments show our approach can effectively construct attack scenarios and accordingly predict next most possible attack behavior.

Jia-chun LI,Zhi-tang Li

2004-01-01

Abstract:In order to reduce duplicated or incomplete or imperfect alerts in distributed intrusion detection systems and false alert rate, so as to solve alert correlation mixing prerequisites and consequences of intrusions with characteristic similarity of intrusions, a hierarchical correlation algorithm is presented in this paper. Based on the detect time similarity, alert correlation analysis is divided into two class: probabilistic correlation and consequence correlation. Adjustable increment Bayesian classifier and real-time correlation algorithm based on prerequisites and consequences of intrusions are given. As a result, alert correlation mixing multi-character is implemented and the alert correlation rate is improved. 2000 DARPA LLDOS1.0 from MIT Lincoln Lab is used to evaluate the hierarchical correlation algorithm, and the experiment results show the efficiency of the algorithm.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

ZHANG Hong-bing,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.09.059

2007-01-01

Abstract:As the problem of network security is getting worse, more and more IDSs have been used for networK protection However, so many security administrators are overwhelmed by thousands of alerts generated by IDSs everyday. Therefore, it has become a key development for IDS to automatically correlate these alerts and thus reduce their numbers. In this paper, a novel method is proposed, which is based on description logics and is used to define the attacks. This method takes attack scenarios as carriers to match the in-succession alerts and sets of abilities as bridges to construct attack scenarios. By this way, the inherent logic relations between different alerts can be displayed clearly and thus the basis for realization of the alert correlation and merge-sort is provided.

Zhang Yue,Wang Yan,Li Bin,Zhang Hongli

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.12.071

2006-01-01

Abstract:Network attack techniques become more and more complexity, IDS produce a large of alerts, and falut positive is high, availability is low. So, we introduce combinative algorithem based on aggregation analysis, correlation, and CPN method to accomplish the attacks correlation, from macroscope and microscope view we rebuild attack scenario, impore IDS's usabiliy.

Wen Ying,Hu Wei,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.08.047

2006-01-01

Abstract:Intrusion detection is an important measure to safeguard the network security.Due to the fact that current ID systems have too many alerts and lack of inter-cooperation,the paper presents an alerts process system model based on alert fusion and correlation.The model has the advantage of low redundant alert number and high intrusion detection performance.In addition,it can help anticipate the real intention of attackers￡?thus greatly improve the system's efficiency as well as further enhance the robustness of the network.

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0804.1281

2008-04-08

Cryptography and Security

Abstract:Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.

Zhihong Tian,Yu Jiang,Jian Ren

2007-01-01

Abstract:Current Intrusion Detection Systems (IDS) typically create a large number of false alerts that are either not related to malicious activity or not representative of a successful attack. This paper describes a method that correlates IDS alerts with Chi-square statistical profile used to help the operator in alert processing. This approach verifies each alert accordingto the host anomaly traffic based on Chi-square technique. When a suspect packet is indicative of an attack on an existing network service and an alert is generated, the traffic data of that host will be further analyzed. We can verify that the packet do lead to a successful break-in if and only if the traffic appears anomaly. The experimental results have shown that the proposed technique is highly effective in verifying the success of intrusion attempts.

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Nurbol,CHAI Sheng,LI Hong-wei,HU Liang

2011-01-01

Abstract:The alert correlation,choquet fuzzy integral and fuzzy cognitive maps was analyzed,the correlation of IDS alerts based choquet fuzzy integral was proposed and the correlation engine of intrusion detection system was designed.Though experiences of the DRDOS attack and LLDOS attack,it is proved that the alert correlation in the paper could correlate the alerts with high feasibility.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

GUO Shan-qing,YANG Xue-lin,ZENG Ying-pei,XIE Li,GAO Cong

2005-01-01

Abstract:security devices(e.g.firewalls,IDS's,anti-virus tools etc) that have been widely adopted in enterprise environments may generate huge amounts of independent,raw attack alerts,which are characterized by high false positive ratio and false negative ratio.As a result,it is difficult for users to understand these alerts and respond correspondingly.Therefore,handling the huge number of alerts produced by security devices is becoming a critical and challenging task in network security research.A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario.A general survey of the contemporary alerts correlation algorithms was given in this paper by a straight forward classification paradigm,and some problems for future research were addressed.

Yijie WANG,Li CHENG,Xingkong MA

DOI: https://doi.org/10.11887/j.cn.201705021

2017-01-01

Abstract:The rapid development of the Internet also causes more and more network threats.How to detect the network threats in a real-time and accurate manner becomes one of the key technique issues.The alert-correlation-based network threat detection technique is becoming the research hotspot,which couples with the widely used security products and fully exploits the relation between abnormal events to reconstruct the attack scenario.Starting from the features of network threats and security environment,the requirements and classification of network threat detection were introduced.Then the basic concepts and system model of alert-correlation-based network threat detection technique were illustrated in detail.The key module of the model,alert correlation method,and the fundamentals and features of different kinds of typical algorithm were studied in detail,including causal-relation-based method,case-based method,similarity-based method and data-mining-based method.Furthermore,three kinds of representative detection system architectures were discussed with practical instances,namely centralized architecture,hierarchical architecture and distributed architecture.Finally,based on the analysis of recent research work,the future work is discussed and outlined.