Mining of Attack Models in IDS Alerts from Network Backbone by a Two-stage Clustering Method

There is a big difference between the IDS alerts from the network backbone and those from the lab, but little work has been done to mine attack models in IDS alerts from the network backbone. The contributions of this paper are three-fold. First, we propose an alert reduction method based on statistical redundancy (RMSR) to reduce alert redundancy. Second, we propose a two-stage clustering algorithm to analyze the spatial and temporal relations in the alert sequences of network intrusion behaviors. Third, we propose a novel approach, Loose Longest Common Subsequence (LLCS), to extract the attack models of network intrusion behaviors. The experimental results show that the reduction approach reduces IDS alert redundancy efficiently, and that the generated attack models have a strong logical relation.
