Alert correlation and prediction using data mining and HMM

Abstract. Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they seem to be promising technologies, they pose some serious drawbacks: when deployed in large and high-traffic networks, IDSs generate high volumes of low-level alerts which are hardly manageable. Accordingly, a recent track of security research has emerged, focused on alert correlation, which extracts useful, high-level alerts and helps to make timely decisions when a security breach occurs. In this paper, we propose an alert correlation system consisting of two major components: first, we introduce an Attack Scenario Extraction Algorithm (ASEA), which mines the stream of alerts for attack scenarios. The ASEA has relatively good performance, both in speed and in memory consumption. Contrary to previous approaches, the ASEA combines prior knowledge with statistical relationships. Second, we propose a Hidden Markov Model (HMM)-based correlation method of intrusion alerts,
