Alert Correlation through Results Tracing back to Reasons

An IDS can generate a very large number of intrusion alerts. A general approach to this problem is to perform correlation analysis on the alerts and build attack scenarios from them. The author presents a method for alert correlation in which results are traced back to their reasons. Since an attack by an intruder is linked to a characteristic sequence of steps, the alerts are correlated by tracing back from the result of an attack to the earlier alerts that caused it, which yields the set of correlated alerts. The method uncovers the internal relations of an intrusion and identifies the intrusion targets accurately. Because only successful attacks are matched against the earlier attacks that preceded them, the volume of data to be analysed is greatly reduced, and the speed and efficiency of the correlation analysis are improved.
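As an added illustration (not the paper's own algorithm or code), the following Python sketch shows one way to realise result-to-reason tracing with a requires/provides style model of attack steps: a successful-attack alert is taken as the result, and the correlator walks backwards through earlier alerts on the same target that provide a capability the current step requires. The step table, the alert fields, the time window and the sample alerts are constructed assumptions for this example; the last function additionally reports how much of the alert stream survives, which the abstract claims but does not show.

```python
"""Result-to-reason alert correlation (illustrative, not the paper's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int    # seconds since epoch (constructed)
    src: str   # attacker address
    dst: str   # target address
    sig: str   # IDS signature name


# Assumed requires/provides model of attack steps: each signature needs a set
# of capabilities already gained against the target and provides new ones.
# Steps flagged "success" are the results the correlator starts from.
STEPS = {
    "portscan":            {"requires": set(),              "provides": {"recon"}},
    "smb_version_probe":   {"requires": {"recon"},          "provides": {"service_known"}},
    "smb_exploit_attempt": {"requires": {"service_known"},  "provides": {"code_exec"}},
    "reverse_shell":       {"requires": {"code_exec"},      "provides": {"shell"}, "success": True},
    "ssh_bruteforce":      {"requires": {"recon"},          "provides": {"valid_cred"}},
    "ssh_login_success":   {"requires": {"valid_cred"},     "provides": {"shell"}, "success": True},
}


def trace_back(alerts, result, window=3600):
    """Return the alerts explaining `result`, earliest first.

    Starting at the result, each prerequisite of the current step is satisfied
    by the latest earlier alert that (a) hits the same target, (b) lies within
    `window` seconds before the step, and (c) provides that capability. Alerts
    that never satisfy a prerequisite on the path are left out of the scenario.
    """
    by_ts = sorted(alerts, key=lambda a: a.ts)
    chain, frontier, seen = [result], [result], {result}
    while frontier:
        cur = frontier.pop()
        for cap in STEPS[cur.sig]["requires"]:
            candidates = [
                a for a in by_ts
                if a not in seen
                and a.dst == cur.dst
                and cur.ts - window <= a.ts < cur.ts
                and cap in STEPS.get(a.sig, {}).get("provides", set())
            ]
            if candidates:
                best = candidates[-1]      # most recent provider of `cap`
                seen.add(best)
                chain.append(best)
                frontier.append(best)
    return sorted(chain, key=lambda a: a.ts)


def correlate(alerts, window=3600):
    """One scenario per successful-attack alert, built by tracing back from it."""
    results = [a for a in alerts if STEPS.get(a.sig, {}).get("success")]
    return [trace_back(alerts, r, window) for r in results]


def kept_fraction(alerts, window=3600):
    """Fraction of the raw alert stream that ends up in some scenario."""
    kept = {a for chain in correlate(alerts, window) for a in chain}
    return len(kept) / len(alerts)


# Constructed sample alert stream: one multi-step compromise of 10.0.0.5 plus
# scans, a brute-force attempt and exploit attempts that led to no result.
ALERTS = [
    Alert(1000, "203.0.113.7",  "10.0.0.5", "portscan"),
    Alert(1005, "203.0.113.7",  "10.0.0.9", "portscan"),
    Alert(1200, "203.0.113.7",  "10.0.0.5", "smb_version_probe"),
    Alert(1300, "198.51.100.2", "10.0.0.5", "ssh_bruteforce"),
    Alert(1500, "203.0.113.7",  "10.0.0.5", "smb_exploit_attempt"),
    Alert(1510, "203.0.113.7",  "10.0.0.5", "reverse_shell"),
    Alert(1600, "203.0.113.7",  "10.0.0.3", "smb_exploit_attempt"),
    Alert(9000, "192.0.2.44",   "10.0.0.9", "smb_exploit_attempt"),
]

if __name__ == "__main__":
    for chain in correlate(ALERTS):
        print(" -> ".join(f"{a.sig}@{a.ts}" for a in chain))
    print(f"alerts retained: {kept_fraction(ALERTS):.0%}")
```

Only the reverse shell on 10.0.0.5 is a result here, so the portscan, SMB probe and exploit attempt against that host are pulled into its scenario, while the scans of other hosts, the brute-force attempt and the exploit attempts that produced no result are never examined again; half of the constructed stream is retained.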
