Application of the PageRank Algorithm to Alarm Graphs

The task of separating genuine attacks from false alarms in large intrusion detection infrastructures is extremely difficult. The number of alarms received in such environments can easily enter into the millions of alerts per day. The overwhelming noise created by these alarms can cause genuine attacks to go unnoticed. As means of highlighting these attacks, we introduce a host ranking technique utilizing Alarm Graphs. Rather than enumerate all potential attack paths as in Attack Graphs, we build and analyze graphs based on the alarms generated by the intrusion detection sensors installed on a network. Given that the alarms are predominantly false positives, the challenge is to identify, separate, and ideally predict future attacks. In this paper, we propose a novel approach to tackle this problem based on the PageRank algorithm. By elevating the rank of known attackers and victims we are able to observe the effect that these hosts have on the other nodes in the Alarm Graph. Using this information we are able to discover previously overlooked attacks, as well as defend against future intrusions.
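As an added worked example, not code from the paper: one way to "elevate" known attackers and victims in an Alarm Graph is personalized PageRank, where the teleport mass is placed only on those hosts so that rank flows from them along alarm edges. The alarm records, host addresses and the use of alarm volume as edge weight are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample alarms (not from the paper): (src_host, dst_host, alarm_count).
ALARMS = [
    ("10.0.0.5", "10.0.1.20", 40),   # known attacker -> known victim
    ("10.0.0.5", "10.0.1.21", 3),    # same attacker, a few alarms only
    ("10.0.1.20", "10.0.1.22", 2),   # compromised victim touching a new host
    ("10.0.9.9", "10.0.1.30", 500),  # very noisy source with no known context
    ("10.0.9.9", "10.0.1.31", 500),
]
KNOWN = {"10.0.0.5", "10.0.1.20"}     # hosts confirmed as attacker / victim

def build_alarm_graph(alarms):
    """Directed, weighted Alarm Graph: src -> {dst: number of alarms}."""
    g = defaultdict(dict)
    for src, dst, n in alarms:
        g[src][dst] = g[src].get(dst, 0) + n
        g.setdefault(dst, {})          # make sure every host is a node
    return dict(g)

def personalized_pagerank(graph, seeds, d=0.85, iters=200):
    """PageRank whose teleport mass is placed only on the seed hosts,
    so rank flows out from known attackers/victims along alarm edges."""
    nodes = list(graph)
    tele = {v: (1.0 / len(seeds) if v in seeds else 0.0) for v in nodes}
    rank = {v: 1.0 / len(nodes) for v in nodes}
    for _ in range(iters):
        new = {v: (1 - d) * tele[v] for v in nodes}
        for v in nodes:
            out, total = graph[v], sum(graph[v].values())
            if total == 0:             # dangling host: hand its mass back to the seeds
                for u in nodes:
                    new[u] += d * rank[v] * tele[u]
            else:                      # otherwise split it by alarm volume
                for u, w in out.items():
                    new[u] += d * rank[v] * w / total
        rank = new
    return rank

def rank_hosts(alarms, known):
    """Hosts sorted from most to least implicated."""
    pr = personalized_pagerank(build_alarm_graph(alarms), known)
    return sorted(pr.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for host, score in rank_hosts(ALARMS, KNOWN):
        print(f"{host:12s} {score:.4f}")
```

The host reached only through the known victim (10.0.1.22, two alarms) ends up ranked far above the scanner that produced a thousand alarms but has no link to any known attacker or victim, which is the effect the abstract describes.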
