A complete operational architecture of alert correlation

To defend against various attacks, many security systems such as intrusion detection systems are deployed into hosts and networks to better protect digital assets. However, there are well-known problems related to the current intrusion detection systems. To better understand security threats from various sources and take appropriate response, it is necessary to perform alert correlation. This paper proposes a general alert correlation architecture, including four important components: log management, alert correlation, incident response and knowledge base system. The focus is to describe most important operations in alert correlation component. The proposed architecture includes anomaly-based analysis in alert correlation component. Different techniques for alert correlation are reviewed and compared. This study proposes that a hybrid model of multiple techniques leads to better performance of alert correlation engine.

[1]  Alfonso Valdes,et al.  A Mission-Impact-Based Approach to INFOSEC Alarm Correlation , 2002, RAID.

[2]  Ali A. Ghorbani,et al.  Alert Correlation for Extracting Attack Strategies , 2006, Int. J. Netw. Secur..

[3]  Robert K. Cunningham,et al.  Building Scenarios from a Heterogeneous Alert Stream , 2001 .

[4]  Saeed Jalili,et al.  A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs , 2011, Comput. Networks.

[5]  Hervé Debar,et al.  Correlation of Intrusion Symptoms: An Application of Chronicles , 2003, RAID.

[6]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[7]  Giovanni Vigna,et al.  Real-time intrusion detection alert correlation , 2006 .

[8]  Hervé Debar,et al.  M2D2: A Formal Data Model for IDS Alert Correlation , 2002, RAID.

[9]  Frédéric Cuppens,et al.  Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[10]  Klaus Julisch,et al.  Mining alarm clusters to improve alarm handling efficiency , 2001, Seventeenth Annual Computer Security Applications Conference.

[11]  Hervé Debar,et al.  Aggregation and Correlation of Intrusion-Detection Alerts , 2001, Recent Advances in Intrusion Detection.

[12]  Nasser Yazdani,et al.  Mutual information-based feature selection for intrusion detection systems , 2011, J. Netw. Comput. Appl..

[13]  Ali A. Ghorbani,et al.  An incremental frequent structure mining framework for real-time alert correlation , 2009, Comput. Secur..

[14]  Peng Ning,et al.  Constructing attack scenarios through correlation of intrusion alerts , 2002, CCS '02.

[15]  Piotr Bródka,et al.  International Conference on Computational Aspects of Social Networks , 2009, Computational Aspects of Social Networks.

[16]  Giovanni Vigna,et al.  STATL: An Attack Language for State-Based Intrusion Detection , 2002, J. Comput. Secur..

[17]  Wenke Lee,et al.  Statistical Causality Analysis of INFOSEC Alert Data , 2003, RAID.

[18]  Marc Dacier,et al.  Mining intrusion detection alarms for actionable knowledge , 2002, KDD.

[19]  Petra Perner,et al.  Data Mining - Concepts and Techniques , 2002, Künstliche Intell..

[20]  Alfonso Valdes,et al.  Probabilistic Alert Correlation , 2001, Recent Advances in Intrusion Detection.

[21]  Adam Carlson,et al.  Modeling network intrusion detection alerts for correlation , 2007, ACM Trans. Inf. Syst. Secur..

[22]  Christopher Krügel,et al.  Comprehensive approach to intrusion detection alert correlation , 2004, IEEE Transactions on Dependable and Secure Computing.

[23]  Huwaida Tagelsir Elshoush,et al.  Alert correlation in collaborative intelligent intrusion detection systems - A survey , 2011, Appl. Soft Comput..

[24]  Robert K. Cunningham,et al.  Fusing A Heterogeneous Alert Stream Into Scenarios , 2002, Applications of Data Mining in Computer Security.

[25]  Sushil Jajodia,et al.  Correlating intrusion events and building attack scenarios through attack graph distances , 2004, 20th Annual Computer Security Applications Conference.

[26]  Shahrin Sahib,et al.  Intrusion Alert Correlation Technique Analysis for Heterogeneous Log , 2008 .

[27]  Steven J. Templeton,et al.  A requires/provides model for computer attacks , 2001, NSPW '00.

[28]  Somesh Jha,et al.  Global Intrusion Detection in the DOMINO Overlay System , 2004, NDSS.

[29]  Peng Ning,et al.  Analyzing Intensive Intrusion Alerts via Correlation , 2002, RAID.

[30]  Stuart Staniford-Chen,et al.  Practical Automated Detection of Stealthy Portscans , 2002, J. Comput. Secur..