论文信息 - Adapting Query Optimization Techniques for Efficient Alert Correlation

Adapting Query Optimization Techniques for Efficient Alert Correlation

Intrusion alert correlation is the process to identify high-level attack scenarios by reasoning about low-level alerts raised by intrusion detection systems (IDSs). The efficiency of intrusion alert correlation is critical in enabling interactive analysis of intrusion alerts as well as prompt responses to attacks. This paper presents an experimental study aimed at adapting main memory index structures (e.g., T Trees, Linear Hashing) and database query optimization techniques (e.g., nested loop join, sort join) for efficient correlation of intensive alerts. By taking advantage of the characteristics of the alert correlation process, this paper presents three techniques named hyper-alert container, two-level index, and sort correlation. This paper then reports a series of experiments designed to evaluate the effectiveness of these techniques. These experiments demonstrate that (1) hyper-alert containers improve the efficiency of order-preserving index structures (e.g., T Trees), with which an insertion operation involves search, (2) two-level index improves the efficiency of all index structures, (3) a two-level index structure combining Chained Bucket Hashing and Linear Hashing is the most efficient for streamed alerts with and without memory constraint, and (4) sort correlation with heap sort algorithm is the most efficient for alert correlation in batch.

Peng Ning | Dingbang Xu | P. Ning | Dingbang Xu

[1] Steven J. Templeton,et al. A requires/provides model for computer attacks , 2001, NSPW '00.

[2] Jennifer Widom,et al. Database System Implementation , 2000 .

[3] Robert K. Cunningham,et al. Fusing A Heterogeneous Alert Stream Into Scenarios , 2002, Applications of Data Mining in Computer Security.

[4] Douglas Comer,et al. Ubiquitous B-Tree , 1979, CSUR.

[5] Ravi Krishnamurthy,et al. Design of a Memory Resident DBMS , 1985, IEEE Computer Society International Conference.

[6] Donald Ervin Knuth,et al. The Art of Computer Programming , 1968 .

[7] Witold Litwin,et al. Linear Hashing: A new Algorithm for Files and Tables Addressing , 1980, ICOD.

[8] Alfonso Valdes,et al. Probabilistic Alert Correlation , 2001, Recent Advances in Intrusion Detection.

[9] Ronald L. Rivest,et al. Introduction to Algorithms , 1990 .

[10] Stuart Staniford-Chen,et al. Practical Automated Detection of Stealthy Portscans , 2002, J. Comput. Secur..

[11] Peng Ning,et al. Constructing attack scenarios through correlation of intrusion alerts , 2002, CCS '02.

[12] Peng Ning,et al. Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation , 2002 .

[13] Alfred V. Aho,et al. The Design and Analysis of Computer Algorithms , 1974 .

[14] Frédéric Cuppens,et al. Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.