Ping Yi,Hongkai Xing,Yue Wu,Linchun Li

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

DUAN Hai-xin,YU Xue-li,WANG Lan-jia

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.032

2005-01-01

Abstract:The alert flood of current IDSes often overwhelms the security administrators,which largely decreases the effectiveness of IDS.The correlation of original alerts plays an important role in distributed IDS,which can draw out the effective attacks from a large number of alerts,and analyze the real intension of attackers.In this paper,the merits and defects of typical correlation algorithms are analyzed.An algorithm of alert correlation based on address correlation graph(ACG) is proposed here.The algorithm can be used to analyze the original alerts with ACG model,which can get the intrusion path of attackers through the relation and steps of different attacks,and then analyze the intension of attackers.The algorithm is easy to be implemented because it does not depend on a predefined base of correlation knowledge or a forehand training of correlation model.

Yijie WANG,Li CHENG,Xingkong MA

DOI: https://doi.org/10.11887/j.cn.201705021

2017-01-01

Abstract:The rapid development of the Internet also causes more and more network threats.How to detect the network threats in a real-time and accurate manner becomes one of the key technique issues.The alert-correlation-based network threat detection technique is becoming the research hotspot,which couples with the widely used security products and fully exploits the relation between abnormal events to reconstruct the attack scenario.Starting from the features of network threats and security environment,the requirements and classification of network threat detection were introduced.Then the basic concepts and system model of alert-correlation-based network threat detection technique were illustrated in detail.The key module of the model,alert correlation method,and the fundamentals and features of different kinds of typical algorithm were studied in detail,including causal-relation-based method,case-based method,similarity-based method and data-mining-based method.Furthermore,three kinds of representative detection system architectures were discussed with practical instances,namely centralized architecture,hierarchical architecture and distributed architecture.Finally,based on the analysis of recent research work,the future work is discussed and outlined.

JIANG Shao-hua,YAO Juan,HU Hua-ping

DOI: https://doi.org/10.3969/j.issn.1006-2475.2006.06.029

2006-01-01

Abstract:Nowadays,the present IDS has too many false negatives and false positives,and the level of the alert is too low.So it cannot reflect the security situation of the whole network accurately and in time.The administrators have to deal with a lot of raw alerts to find the possible security threat and the source of attack just as look for a needle in a bottle of hay.In this paper,the shortages of the present IDS are presented firstly.Then,a definition of alert correlation is given.The production of this paper has been applied into "the Network Security Monitor and the Warning Technology",which will do a great deal of good for the design of alert correlation system in distributed IDS.

Jin-ze PEI,Hua-ping HU,Chen-lin HUANG

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.03.033

2006-01-01

Abstract:Conventional network security protection is facing a great challenge of coordinated and distributed attack,so distributed intrusion detection technology is required.Fusing multi-kinds of IDS alerts can effectively improve warning veracity.Based on annotation to alert correlation definition renewedly,the paper designed and implemented layered correlation model with real-time response mechanism.The model is much adaptive,each layer of which can do its work independently.At last,the function of fusing alert information is implemented,which can resolve problems of management of alerts,false negative and false positive better and can warn according to attack intention identified.

WU Ji-yi,PING Ling-di,FAN Rong,Zhijie Lin

2008-01-01

Abstract:With the increasing demand of computer networks security,the distributed intrusion detection technology becomes an important research area.However,the traditional distributed intrusion detection systems have some shortcomings in certain aspects,such as distributivity,flexibility,interoperability,detecting efficiency,and insider threat avoidance etc.To deal with the insider threat more effectively,P2P overlay IDS based on an adaptive trust alert correlation was proposed.Under JXTA P2P framework,a P2P overlay IDS prototype system was implemented,and its effectiveness to prevent the spread of a real Internet worm was evaluated over an emulated network.The experiment results show the P2P overlay IDS significantly increases the overall survival rate of vulnerable peers in network.

ZHANG Hong-bing,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.09.059

2007-01-01

Abstract:As the problem of network security is getting worse, more and more IDSs have been used for networK protection However, so many security administrators are overwhelmed by thousands of alerts generated by IDSs everyday. Therefore, it has become a key development for IDS to automatically correlate these alerts and thus reduce their numbers. In this paper, a novel method is proposed, which is based on description logics and is used to define the attacks. This method takes attack scenarios as carriers to match the in-succession alerts and sets of abilities as bridges to construct attack scenarios. By this way, the inherent logic relations between different alerts can be displayed clearly and thus the basis for realization of the alert correlation and merge-sort is provided.

Yi Ping,Xing Hongkai,Wu Yue,Cai Jiwen

DOI: https://doi.org/10.1109/cmc.2009.327

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

Wen Ying,Hu Wei,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.08.047

2006-01-01

Abstract:Intrusion detection is an important measure to safeguard the network security.Due to the fact that current ID systems have too many alerts and lack of inter-cooperation,the paper presents an alerts process system model based on alert fusion and correlation.The model has the advantage of low redundant alert number and high intrusion detection performance.In addition,it can help anticipate the real intention of attackers￡?thus greatly improve the system's efficiency as well as further enhance the robustness of the network.

Jia-chun LI,Zhi-tang Li

2004-01-01

Abstract:In order to reduce duplicated or incomplete or imperfect alerts in distributed intrusion detection systems and false alert rate, so as to solve alert correlation mixing prerequisites and consequences of intrusions with characteristic similarity of intrusions, a hierarchical correlation algorithm is presented in this paper. Based on the detect time similarity, alert correlation analysis is divided into two class: probabilistic correlation and consequence correlation. Adjustable increment Bayesian classifier and real-time correlation algorithm based on prerequisites and consequences of intrusions are given. As a result, alert correlation mixing multi-character is implemented and the alert correlation rate is improved. 2000 DARPA LLDOS1.0 from MIT Lincoln Lab is used to evaluate the hierarchical correlation algorithm, and the experiment results show the efficiency of the algorithm.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Zhihong Tian,Yu Jiang,Jian Ren

2007-01-01

Abstract:Current Intrusion Detection Systems (IDS) typically create a large number of false alerts that are either not related to malicious activity or not representative of a successful attack. This paper describes a method that correlates IDS alerts with Chi-square statistical profile used to help the operator in alert processing. This approach verifies each alert accordingto the host anomaly traffic based on Chi-square technique. When a suspect packet is indicative of an attack on an existing network service and an alert is generated, the traffic data of that host will be further analyzed. We can verify that the packet do lead to a successful break-in if and only if the traffic appears anomaly. The experimental results have shown that the proposed technique is highly effective in verifying the success of intrusion attempts.

Zhang Yue,Wang Yan,Li Bin,Zhang Hongli

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.12.071

2006-01-01

Abstract:Network attack techniques become more and more complexity, IDS produce a large of alerts, and falut positive is high, availability is low. So, we introduce combinative algorithem based on aggregation analysis, correlation, and CPN method to accomplish the attacks correlation, from macroscope and microscope view we rebuild attack scenario, impore IDS's usabiliy.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

Jie Ma,Zhitang Li,Weiming Li

DOI: https://doi.org/10.1109/FSKD.2008.522

2008-01-01

Abstract:Signature based network intrusion detection systems (NIDSs) often report a massive number of elementary alerts of low-level security-related events which are logically involved in a single multi-stage attack. Since be overwhelmed by these alerts, security administrators almost unable to discover complicated multistage attack in time. It is necessary to develop a real-time system to extracting useful attack strategies from the alert stream, which enables network administrators to launches appropriate response to stop attacks and prevent them form escalating. This paper focuses on developing a new alert clustering and correlation technique to automatically discover attack strategies from the evolving alert stream, without specific prior knowledge. The proposed algorithms can discovery various attack sequential patterns in different kinds of time horizons or user-defined time periods. Experiments show our approach can effectively construct attack scenarios and accordingly predict next most possible attack behavior.

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

ZHANG Xiang,HU Chang-zhen,YIN Wei

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.04.044

2007-01-01

Abstract:The presentation is about network threat analysis accord to alert information of IDS and other network security devices in event correlation method.First some basic methods of event correlation are introduced,then a structure of event correlation analysis engine is discussed.Test result of demo system proves that applying event correlation method on the threat analysis decreases the false positive and redundant alarm from network security devices.

MEI Hai-bin,GONG Jian

DOI: https://doi.org/10.3969/j.issn.1000-436x.2011.04.017

2011-01-01

Abstract:To overcome the shortcoming of current alert correlation methods which didn't consider the confidence of IDS,an alert correlation method based on alerts confidence using the evidence theory was presented.Each alert was regarded as a piece of evidence of a network attack.Then multiple pieces of evidence were combined by the Dempster's combina-tion rule,and used to infer whether the attack corresponding to the alerts took place.As a result,the ambiguity and con-fliction in alerts were eliminated,achieving the goal of improving alerts quality.Experimental results on the DARPA 2000 IDS test dataset show that the proposed method can efficiently decrease the false alert rate and reduce more than 60% of the alerts.

Gianni Tedesco,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0804.1281

2008-04-08

Cryptography and Security

Abstract:Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.