Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0804.1281

2008-04-08

Cryptography and Security

Abstract:Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.

WU Ji-yi,PING Ling-di,FAN Rong,Zhijie Lin

2008-01-01

Abstract:With the increasing demand of computer networks security,the distributed intrusion detection technology becomes an important research area.However,the traditional distributed intrusion detection systems have some shortcomings in certain aspects,such as distributivity,flexibility,interoperability,detecting efficiency,and insider threat avoidance etc.To deal with the insider threat more effectively,P2P overlay IDS based on an adaptive trust alert correlation was proposed.Under JXTA P2P framework,a P2P overlay IDS prototype system was implemented,and its effectiveness to prevent the spread of a real Internet worm was evaluated over an emulated network.The experiment results show the P2P overlay IDS significantly increases the overall survival rate of vulnerable peers in network.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Seyed Ali Mirheidari,Sajjad Arshad,Rasool Jalili

DOI: https://doi.org/10.1007/978-3-319-03584-0_14

2018-11-02

Abstract:Alert correlation is a system which receives alerts from heterogeneous Intrusion Detection Systems and reduces false alerts, detects high level patterns of attacks, increases the meaning of occurred incidents, predicts the future states of attacks, and detects root cause of attacks. To reach these goals, many algorithms have been introduced in the world with many advantages and disadvantages. In this paper, we are trying to present a comprehensive survey on already proposed alert correlation algorithms. The approach of this survey is mainly focused on algorithms in correlation engines which can work in enterprise and practical networks. Having this aim in mind, many features related to accuracy, functionality, and computation power are introduced and all algorithm categories are assessed with these features. The result of this survey shows that each category of algorithms has its own strengths and an ideal correlation frameworks should be carried the strength feature of each category.

Cryptography and Security

GUO Shan-qing,YANG Xue-lin,ZENG Ying-pei,XIE Li,GAO Cong

2005-01-01

Abstract:security devices(e.g.firewalls,IDS's,anti-virus tools etc) that have been widely adopted in enterprise environments may generate huge amounts of independent,raw attack alerts,which are characterized by high false positive ratio and false negative ratio.As a result,it is difficult for users to understand these alerts and respond correspondingly.Therefore,handling the huge number of alerts produced by security devices is becoming a critical and challenging task in network security research.A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario.A general survey of the contemporary alerts correlation algorithms was given in this paper by a straight forward classification paradigm,and some problems for future research were addressed.

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Steffen Haas,Florian Wilkens,Mathias Fischer

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958734

2020-03-12

Abstract:An Intrusion Detection System (IDS) to secure computer networks reports indicators for an attack as alerts. However, every attack can result in a multitude of IDS alerts that need to be correlated to see the full picture of the attack. In this paper, we present a correlation approach that transforms clusters of alerts into a graph structure on which we compute signatures of network motifs to characterize these clusters. A motif representation of attack characteristics is magnitudes smaller than the original alert data, but still allows to efficiently compare and correlate attacks with each other and with reference signatures. This allows not only to identify known attack scenarios, e.g., DDoS, scan, and worm attacks, but also to derive new reference signatures for unknown scenarios. Our results indicate a reliable identification of scenarios, even when attacks differ in size and at least slightly in their characteristics. Applied on real-world alert data, our approach can classify and assign attack scenarios of up to 96% of all attacks and can represent their characteristics using 1% of the size of the full alert data.

Cryptography and Security,Networking and Internet Architecture

Liang Li,Yuanhui He,Feiyang Huang,Ziming Zhao,Zhuoxue Song,Tong Zhou,Zhenyuan Li,Fan Zhang

DOI: https://doi.org/10.1109/cscwd61410.2024.10580010

2024-01-01

Abstract:Intrusion Detection Systems (IDSs) are vital in detecting network attacks and ensuring the confidentiality and integrity of network resources. Currently, industry-standard IDSs primarily rely on rule-based or anomaly-detection techniques. However, existing detection techniques often generate false positives and negatives, also known as the alert fatigue problem. This influx of incorrect events diminishes the IDS’s efficiency by overburdening security analysts. In this paper, we present ACVS, an innovative automated alert cross-verification system that leverages Graph Neural Networks for identifying misclassifications in security events. Initially, ACVS generates event graphs using attributes like IP addresses and timestamps from sequences of security events and then employs correlation analysis on these events, utilizing alert information to verify misclassifications. Finally, the system uses Graph Neural Networks to classify and correct these security events automatically. We conduct evaluations for ACVS on a substantial real-world dataset comprising over 5 million security events, which are categorized into 5 distinct groups. The results reveal that ACVS markedly enhances the accuracy of intrusion detection systems and substantially reduces the need for manual analysis.

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.1007/978-3-540-89862-7_16

2008-01-01

SSRN Electronic Journal

Abstract:The premise of automated alert correlation is to accept that false alerts from a low level intrusion detection system are inevitable and use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified in to two broad categories namely scenario-graph approaches, which create an attack model starting from a vulnerability assessment and type-graph approaches which rely on an abstract model of the relations between attack types. Some research in to improving the efficiency of type-graph correlation has been carried out but this research has ignored the hypothesizing of missing alerts. Our work is to present a novel type-graph algorithm which unifies correlation and hypothesizing in to a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to other techniques.

Hashim Albasheer,Maheyzah Md Siraj,Azath Mubarakali,Omer Elsier Tayfour,Sayeed Salih,Mosab Hamdan,Suleman Khan,Anazida Zainal,Sameer Kamarudeen

DOI: https://doi.org/10.3390/s22041494

IF: 3.9

2022-02-15

Sensors

Abstract:Network Intrusion Detection Systems (NIDS) are designed to safeguard the security needs of enterprise networks against cyber-attacks. However, NIDS networks suffer from several limitations, such as generating a high volume of low-quality alerts. Moreover, 99% of the alerts produced by NIDSs are false positives. As well, the prediction of future actions of an attacker is one of the most important goals here. The study has reviewed the state-of-the-art cyber-attack prediction based on NIDS Intrusion Alert, its models, and limitations. The taxonomy of intrusion alert correlation (AC) is introduced, which includes similarity-based, statistical-based, knowledge-based, and hybrid-based approaches. Moreover, the classification of alert correlation components was also introduced. Alert Correlation Datasets and future research directions are highlighted. The AC receives raw alerts to identify the association between different alerts, linking each alert to its related contextual information and predicting a forthcoming alert/attack. It provides a timely, concise, and high-level view of the network security situation. This review can serve as a benchmark for researchers and industries for Network Intrusion Detection Systems’ future progress and development.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Zhongmin Wang,Rui Gao,Cong Gao,Yanping Chen,Fengwei Wang,Gao, Rui

DOI: https://doi.org/10.1007/s11277-024-10930-w

IF: 2.017

2024-03-21

Wireless Personal Communications

Abstract:Wireless sensor devices are affected by internal constraints and the external environment, generating abnormal data. Currently, many anomaly detection schemes ignore the correlation between screening nodes, wasting resources due to excessive communication. Therefore, this paper proposes a distributed anomaly detection scheme based on adaptive grouping using the correlation between nodes in wireless sensor networks. Limiting the scope of collaboration between nodes can reduce the waste of resources due to excessive communication. Since the computing resources of sensor nodes are limited, an edge-cloud framework is established. The scheme uses Spatio-temporal correlation and graph theory for wireless sensor networks to determine node groups with solid correlations on the cloud server. Based on the grouping results, anomaly detection is implemented locally. A Bayesian network model is constructed at the node within the group, and outlier detection is realized by inference on nodes. A correlation consistency evaluation method is proposed to improve anomaly detection accuracy to check the data consistency on the cluster head. The proposed scheme is verified by a generated data set and the real data of Intel Berkeley Research Lab. The effectiveness of the proposed method is verified by comparing it with three existing algorithms. Experimental results show that the method improves detection accuracy and reduces false detection.

telecommunications

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

Jing Yang,Liming Wang,Zhen Xu,Jigang Wang,Tian Tian

DOI: https://doi.org/10.1007/978-3-030-21373-2_30

2019-01-01

Abstract:Web scan is one of the most common network attacks on the Internet, in which an adversary probes one or more websites to discover exploitable information in order to perform further cyber attacks. For a coordinated web scan, an adversary controls multiple sources to achieve a large-scale scanning as well as detection evasion. In this paper, a novel detection approach based on hierarchical correlation is proposed to identify coordinated web campaigns from the labelled malicious sources. The semantic correlation is used to identify the malicious sources scanning the similar contents, and the temporal-spatial correlation is employed to identify malicious campaigns from the semantic correlation results. In both correlation phases, we convert the clustering problem into the group partition problem and propose a greedy algorithm to solve it. The evaluation shows that our algorithm is effective in detecting coordinated web scan attacks, since the metric Precision for detection can achieve 1.0, and the metric Rand Index for clustering is 0.984.

Christian Moya,Junho Hong,Jiankang Wang

DOI: https://doi.org/10.48550/arXiv.1806.03544

2018-06-09

Cryptography and Security

Abstract:The future power grid will be characterized by the pervasive use of heterogeneous and non-proprietary information and communication technology, which exposes the power grid to a broad scope of cyber-attacks. In particular, Monitoring-Control Attacks (MCA) --i.e., attacks in which adversaries manipulate control decisions by fabricating measurement signals in the feedback loop-- are highly threatening. This is because, MCAs are (i) more likely to happen with greater attack surface and lower cost, (ii) difficult to detect by hiding in measurement signals, and (iii) capable of inflicting severe consequences by coordinating attack resources. To defend against MCAs, we have developed a semantic analysis framework for Intrusion Detection Systems (IDS) in power grids. The framework consists of two parts running in parallel: a Correlation Index Generator (CIG), which indexes correlated MCAs, and a Correlation Knowledge-Base~(CKB), which is updated aperiodically with attacks' Correlation Indices (CI). The framework has the advantage of detecting MCAs and estimating attack consequences with promising runtime and detection accuracy. To evaluate the performance of the framework, we computed its false alarm rates under different attack scenarios.

Zhichun Li,Yan Chen,Aaron Beach

DOI: https://doi.org/10.1145/1162666.1162669

2006-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today's networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP subnets in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs, and improve the resiliency against the failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.