Practical IDS alert correlation in the face of dynamic threats

A significant challenge in applying IDS alert correlation in today's dynamic threat environment is the labor and expertise needed in constructing the correlation model, or the knowledge base, for the correlation process. New IDS signatures capturing emerging threats are generated on a daily basis, and the attack scenarios each captured activity may be involved in are also many. Thus it becomes hard to build and maintain IDS alert correlation models based on a set of known scenarios. Learning IDS correlation models faces the same challenge caused by the dynamism of cyber threats, compounded by the inherent difficulty in applying learning algorithms in an adversarial environment. We propose a new method for conducting alert correlation based on a simple and direct semantic model for IDS alerts. The correlation model is separate from the semantic model and can be constructed on various granularities. The semantic model only maps an alert to its potential meanings, without any reference to what types of attack scenarios the activity may be involved in. We show that such a correlation model can effectively capture attack scenarios from data sets that are not used at all in the model construction process, illustrating the power of such correlation methods in detecting novel, new attack scenarios. We rigorously evaluate our prototype on a number of publicly available data sets and a production system, and the result shows that our correlation engine can correctly capture almost all the attack scenarios in the data sets.
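An added illustration (not the paper's own prototype) of the two-layer idea the abstract describes: a semantic model that maps each signature only to the activities it could mean, and a separate, scenario-free correlation model stating which meanings may follow which on a host already in play. The signature names, meanings, ordering rules, time window and sample alerts are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed semantic model (assumption, not the paper's knowledge base):
# each IDS signature maps only to the abstract activities it could indicate.
SEMANTIC_MODEL = {
    "ET SCAN Nmap Scripting Engine": {"recon"},
    "ET WEB_SERVER PHP Code Injection": {"exploit_attempt", "remote_access"},
    "ET MALWARE Reverse Shell": {"remote_access"},
    "ET POLICY SSH Brute Force": {"exploit_attempt"},
    "ET TROJAN Outbound Beacon": {"c2"},
}

# Constructed correlation model at a coarse granularity: which meanings may
# follow which. No named attack scenario appears anywhere in the model.
MAY_FOLLOW = {
    "exploit_attempt": {"recon"},
    "remote_access": {"recon", "exploit_attempt"},
    "c2": {"exploit_attempt", "remote_access"},
}

def correlate(alerts, window=timedelta(hours=2)):
    """Group alerts (time, signature, src, dst) into scenarios.
    Returns each scenario as a list of indices into `alerts`."""
    scenarios = []  # each: {"ids", "hosts", "meanings", "last"}
    for idx, (ts, sig, src, dst) in sorted(enumerate(alerts), key=lambda e: e[1][0]):
        meanings = SEMANTIC_MODEL.get(sig, set())   # unmapped signature: no meanings
        for sc in scenarios:
            if ts - sc["last"] > window:             # scenario went stale
                continue
            if src not in sc["hosts"] and dst not in sc["hosts"]:
                continue                             # no host in common
            # Some possible meaning of this alert must be explainable by a
            # meaning already observed (a meaning may also simply repeat).
            if not any((MAY_FOLLOW.get(m, set()) | {m}) & sc["meanings"] for m in meanings):
                continue
            sc["ids"].append(idx); sc["hosts"] |= {src, dst}
            sc["meanings"] |= meanings; sc["last"] = ts
            break
        else:  # nothing explains this alert: it starts a new scenario
            scenarios.append({"ids": [idx], "hosts": {src, dst}, "meanings": set(meanings), "last": ts})
    return [sc["ids"] for sc in scenarios]

# Constructed sample alerts: scan, exploit and beacon chain involving 10.0.0.20,
# an unrelated brute force against 10.0.0.30, and a late alert outside the window.
T = datetime(2024, 1, 1, 10, 0)
SAMPLE_ALERTS = [
    (T,                         "ET SCAN Nmap Scripting Engine",    "10.0.0.5",     "10.0.0.20"),
    (T + timedelta(minutes=10), "ET WEB_SERVER PHP Code Injection", "10.0.0.5",     "10.0.0.20"),
    (T + timedelta(minutes=15), "ET TROJAN Outbound Beacon",        "10.0.0.20",    "203.0.113.7"),
    (T + timedelta(minutes=20), "ET POLICY SSH Brute Force",        "198.51.100.9", "10.0.0.30"),
    (T + timedelta(hours=4),    "ET MALWARE Reverse Shell",         "10.0.0.5",     "10.0.0.20"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_ALERTS))  # [[0, 1, 2], [3], [4]]
```

The first three alerts are grouped although no "scan, exploit, beacon" scenario was ever written down; only the per-alert meanings and the generic ordering rules are needed, which is what lets the approach cover scenarios absent from the model-construction data.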
