An Intrusion Alert Correlator Based on Prerequisites of Intrusions

Current intrusion detection systems (IDSs) usually focus on detecting low-level attacks and/or anomalies; none of them captures the logical steps or attack strategies behind these attacks. Consequently, IDSs usually generate a large number of alerts. Under intensive intrusive activity, not only are actual alerts mixed with false alerts, but the volume of alerts also becomes unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and take appropriate actions. This paper presents the development of an off-line intrusion alert correlator based on prerequisites of intrusions, which is our first step toward addressing this problem. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful. For example, the existence of a vulnerable service is the prerequisite of a remote buffer overflow attack against that service. Based on the prerequisite and the consequence of each type of attack, our intrusion alert correlator correlates alerts by matching the consequences of earlier alerts against the prerequisites of later ones. As a result, the correlator is able to link related alerts and uncover the attack strategies behind sequences of attacks. Implemented as an application on top of a relational database management system (RDBMS), the intrusion alert correlator takes advantage of RDBMS functionality and can be easily integrated with other RDBMS-based intrusion analysis tools (e.g., ISS's RealSecure). Our experiments with the DARPA 2000 intrusion detection evaluation datasets have demonstrated the potential of our approach in reducing false alerts and discovering high-level attack strategies.
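The matching step described above, as an added illustration that is not the paper's own implementation: each alert type is given a prerequisite set and a consequence set written as predicate templates over alert attributes; every alert instantiates its templates, and an alert a "prepares for" a later alert b when an instantiated consequence of a equals an instantiated prerequisite of b and a ends before b begins. An in-memory SQLite database stands in for the RDBMS, so the correlation itself is a single join. The alert type names, predicate names, IP addresses and timestamps below are constructed for the example, not taken from the paper or the DARPA datasets.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed knowledge base: alert type -> prerequisite/consequence templates
# over the attributes SrcIP, DstIP and DstPort (illustrative names only).
HYPERALERT_TYPES: Dict[str, Dict[str, List[str]]] = {
    "IPSweep":              {"prereq": [],
                             "conseq": ["ExistHost({DstIP})"]},
    "ServiceProbe":         {"prereq": ["ExistHost({DstIP})"],
                             "conseq": ["ExistService({DstIP},{DstPort})"]},
    "RemoteBufferOverflow": {"prereq": ["ExistService({DstIP},{DstPort})"],
                             "conseq": ["GainRootAccess({DstIP})"]},
    "RshLogin":             {"prereq": ["GainRootAccess({DstIP})"],
                             "conseq": []},
}

# Constructed alert stream: (id, type, SrcIP, DstIP, DstPort, begin, end).
# Alert 5 has no probe before it; alert 6 probes after the overflow it
# would otherwise explain, so the temporal constraint must reject it.
ALERTS = [
    (1, "IPSweep",              "172.16.0.99", "10.0.0.5",   0, 100, 101),
    (2, "ServiceProbe",         "172.16.0.99", "10.0.0.5", 111, 200, 201),
    (3, "RemoteBufferOverflow", "172.16.0.99", "10.0.0.5", 111, 300, 301),
    (4, "RshLogin",             "172.16.0.99", "10.0.0.5", 514, 400, 401),
    (5, "RemoteBufferOverflow", "172.16.0.99", "10.0.0.9", 111, 350, 351),
    (6, "ServiceProbe",         "172.16.0.99", "10.0.0.5", 111, 500, 501),
]

# Correlation as a join: a consequence of alert a matches a prerequisite of
# alert b, and a finished before b started.
PREPARE_FOR_SQL = """
SELECT DISTINCT c.alert_id, p.alert_id
FROM conseq c
JOIN prereq p ON p.pred = c.pred
JOIN alerts a ON a.id = c.alert_id
JOIN alerts b ON b.id = p.alert_id
WHERE a.t_end < b.t_begin
ORDER BY c.alert_id, p.alert_id
"""


def load(conn: sqlite3.Connection, alerts) -> None:
    """Store alerts and their instantiated prerequisite/consequence predicates."""
    conn.executescript("""
        CREATE TABLE alerts(id INTEGER PRIMARY KEY, type TEXT,
                            t_begin INTEGER, t_end INTEGER);
        CREATE TABLE prereq(alert_id INTEGER, pred TEXT);
        CREATE TABLE conseq(alert_id INTEGER, pred TEXT);
    """)
    for aid, atype, src, dst, port, t0, t1 in alerts:
        attrs = {"SrcIP": src, "DstIP": dst, "DstPort": port}
        spec = HYPERALERT_TYPES[atype]
        conn.execute("INSERT INTO alerts VALUES (?,?,?,?)", (aid, atype, t0, t1))
        conn.executemany("INSERT INTO prereq VALUES (?,?)",
                         [(aid, t.format(**attrs)) for t in spec["prereq"]])
        conn.executemany("INSERT INTO conseq VALUES (?,?)",
                         [(aid, t.format(**attrs)) for t in spec["conseq"]])


def prepare_for_edges(alerts) -> List[Tuple[int, int]]:
    """Return (earlier_id, later_id) pairs where the earlier alert prepares for the later one."""
    conn = sqlite3.connect(":memory:")
    load(conn, alerts)
    return conn.execute(PREPARE_FOR_SQL).fetchall()


def isolated_alerts(alerts) -> List[int]:
    """Alerts with no prepare-for relation in either direction: candidates for review as false alerts."""
    linked = {x for edge in prepare_for_edges(alerts) for x in edge}
    return sorted(a[0] for a in alerts if a[0] not in linked)


def attack_paths(alerts) -> List[List[int]]:
    """Follow prepare-for edges from alerts nobody prepares for, yielding candidate attack strategies."""
    succ: Dict[int, List[int]] = {}
    for a, b in prepare_for_edges(alerts):
        succ.setdefault(a, []).append(b)
    targets = {b for lst in succ.values() for b in lst}
    paths: List[List[int]] = []

    def walk(node: int, path: List[int]) -> None:
        nxt = succ.get(node, [])
        if not nxt:
            paths.append(path)
            return
        for n in nxt:
            walk(n, path + [n])

    for root in sorted(a for a in succ if a not in targets):
        walk(root, [root])
    return paths


if __name__ == "__main__":
    print("prepare-for edges:", prepare_for_edges(ALERTS))
    print("isolated alerts:  ", isolated_alerts(ALERTS))
    print("attack paths:     ", attack_paths(ALERTS))
```

Running it links the sweep, probe, overflow and rsh login into one chain (1, 2, 3, 4), leaves the overflow against 10.0.0.9 isolated because nothing established the service it requires, and refuses to let the late probe (6) explain the earlier overflow (3) even though its predicate matches. Matching on equal predicate strings is the simplest instantiation of the idea; a real deployment would also have to handle consequences that imply, rather than equal, a later prerequisite.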
