GAC: graph-based alert correlation for the detection of distributed multi-step attacks

Monitoring tools like Intrusion Detection Systems (IDS), firewalls, or honeypots are a second line of defense in the face of a growing number of distributed, increasingly sophisticated, and targeted attacks. A huge number of security alerts needs to be analysed and correlated to gather the complete picture of an attack. However, most conventional IDS fall short in correlating alerts that have different sources, so that many distributed attacks remain completely unnoticed. In this paper, we propose Graph-based Alert Correlation (GAC), a novel correlation algorithm that isolates attacks, identifies attack scenarios, and assembles multi-stage attacks from huge alert sets. Our evaluation results on artificial and real-world data indicate that GAC is robust against false positives, can detect distributed attacks, and scales with an increasing number of alerts.
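To make the three steps named in the abstract concrete (isolating attacks, labelling the attack scenario, and assembling multi-stage attacks), here is a small added Python sketch. It is not the paper's GAC algorithm and does not reproduce its similarity measure or clustering method; it is a simplified illustration of the graph-based idea. Alerts become graph nodes, two alerts are linked when they share a source host or a destination host, connected components isolate attacks, the number of distinct sources and destinations labels the scenario, and a component whose attackers were victims of an earlier component is chained to it as a later attack step. The alert set, the host addresses and the signature names are constructed for the example.

```python
"""Toy graph-based alert correlation (illustration only, not the GAC algorithm
from the paper). Nodes are alerts; edges join alerts with the same source host
or the same destination host. Connected components isolate attacks, the
source/destination cardinality labels the scenario, and components whose
attackers were victims of an earlier component are chained into multi-step
attacks. Singleton components are dropped as likely false positives."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int      # arbitrary time unit
    src: str     # attacking host
    dst: str     # targeted host
    sig: str     # IDS signature name


# Constructed sample alert set (not real data): a scan from one host against
# several targets, an exploit against one of them, that target then attacking
# a third machine, plus two unrelated single alerts that should be ignored.
ALERTS = [
    Alert(1, "10.0.0.5", "10.0.1.10", "portscan"),
    Alert(2, "10.0.0.5", "10.0.1.11", "portscan"),
    Alert(3, "10.0.0.5", "10.0.1.12", "portscan"),
    Alert(4, "10.0.0.5", "10.0.1.11", "exploit"),
    Alert(9, "10.0.1.11", "10.0.2.20", "bruteforce"),
    Alert(10, "10.0.1.11", "10.0.2.20", "bruteforce"),
    Alert(5, "192.168.9.9", "10.0.3.3", "icmp-anomaly"),
    Alert(6, "172.16.0.2", "10.0.4.4", "dns-anomaly"),
]


def build_edges(alerts):
    """Adjacency of alert indices that share a source host or a destination host."""
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for i, a in enumerate(alerts):
        by_src[a.src].append(i)
        by_dst[a.dst].append(i)
    adj = defaultdict(set)
    for groups in (by_src.values(), by_dst.values()):
        for idx in groups:
            for i in idx:
                adj[i].update(j for j in idx if j != i)
    return adj


def connected_components(n, adj):
    """Iterative DFS over the alert graph; each component is one isolated attack."""
    seen, comps = set(), []
    for start in range(n):
        if start in seen:
            continue
        stack, comp = [start], []
        seen.add(start)
        while stack:
            v = stack.pop()
            comp.append(v)
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        comps.append(sorted(comp))
    return comps


def label_scenario(srcs, dsts):
    """one-to-one, one-to-many, many-to-one or many-to-many."""
    a = "one" if len(srcs) == 1 else "many"
    b = "one" if len(dsts) == 1 else "many"
    return f"{a}-to-{b}"


def correlate(alerts, min_size=2):
    """Isolate attacks and label each one; clusters are returned ordered by start time."""
    adj = build_edges(alerts)
    clusters = []
    for comp in connected_components(len(alerts), adj):
        if len(comp) < min_size:
            continue  # singleton alerts are treated as noise / false positives
        members = [alerts[i] for i in comp]
        srcs = {a.src for a in members}
        dsts = {a.dst for a in members}
        clusters.append({
            "alerts": members, "srcs": srcs, "dsts": dsts,
            "scenario": label_scenario(srcs, dsts),
            "start": min(a.ts for a in members),
            "end": max(a.ts for a in members),
        })
    clusters.sort(key=lambda c: c["start"])
    return clusters


def chain_multistep(clusters):
    """(i, j) pairs: cluster j starts after cluster i ends and every attacker
    in j was a victim in i, i.e. j is a plausible next step of i."""
    links = []
    for i, earlier in enumerate(clusters):
        for j, later in enumerate(clusters):
            if i != j and later["start"] > earlier["end"] and later["srcs"] <= earlier["dsts"]:
                links.append((i, j))
    return links


if __name__ == "__main__":
    cl = correlate(ALERTS)
    for k, c in enumerate(cl):
        print(k, c["scenario"], sorted(c["srcs"]), "->", sorted(c["dsts"]), len(c["alerts"]), "alerts")
    print("multi-step links:", chain_multistep(cl))
```

On the constructed input this yields two clusters, a one-to-many scan/exploit from 10.0.0.5 and a one-to-one brute-force from 10.0.1.11, chained as steps (0, 1) because the second cluster's attacker is a victim of the first; the two unrelated anomaly alerts fall out as singletons, which is the simplest form of the false-positive robustness the abstract refers to.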
