Event correlation for detecting advanced multi-stage cyber-attacks

Rapidly evolving IT infrastructures bring beneficial effects to society and promote information sharing and use. However, vulnerabilities create opportunities for hostile users to perform malicious activities, and IT security has gradually become a critical research area for organizations and governments. Decision-making processes in large organizations are strongly influenced by the organization's capability to detect malicious activities effectively and to analyze correctly the suspicious phenomena observed by the many security sensors deployed in such large networks. Several techniques are currently employed to detect incidents starting from security-related events captured within networks and computer systems. However, the large volume of observable events and the continuous sophistication of and changes in attack strategies make it challenging to provide effective solutions for detecting and reconstructing cyber-security incidents. In particular, advanced multi-stage attacks tend to remain undiscovered because common security mechanisms can generally detect and flag harmful activity, sometimes with unsatisfactory false-alert rates, but they are not able to build an overall picture of the incident. Since this task is usually performed entirely by security experts, it may be expensive and prone to errors. Therefore, it is essential to develop procedures for combining large heterogeneous datasets and system information in a meaningful way, and for supplying detailed information to IT security management. By examining realistic multi-stage incidents, this thesis proposes the design of a model to correlate detectable suspicious events by combining complementary state-of-the-art methods that perform correlation along different axes. Thus, it aims at providing standard data formats, prioritizing and clustering data, increasing confidence about threats, finding causal relations between suspicious events and eventually reconstructing multi-stage incidents.
In addition, reviewing the most influential scientific papers gives us the chance to categorize the techniques and suggest practices for further implementation.
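The correlation axes the abstract lists (a common data format, clustering and prioritization, and causal linking of events into a multi-stage scenario) can be illustrated with a small pipeline. The following is an added example written for this page, not code from the thesis; the sensor field names, the event sample and the prerequisite/consequence knowledge base are all constructed assumptions.

```python
# Constructed raw events from two heterogeneous sensors (hypothetical field names).
RAW_EVENTS = [
    {"sensor": "nids", "ts": 100, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "port_scan"},
    {"sensor": "nids", "ts": 101, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "port_scan"},
    {"sensor": "nids", "ts": 160, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "exploit_attempt"},
    {"sensor": "hids", "ts": 200, "host": "10.0.0.20", "peer": "203.0.113.9", "sig": "outbound_c2"},
    {"sensor": "nids", "ts": 300, "src": "10.0.0.7", "dst": "10.0.0.21", "sig": "port_scan"},
]

# Prerequisite/consequence knowledge per alert kind (assumed); predicates are templates over src/dst.
KNOWLEDGE = {
    "port_scan":       ([], ["service_known({dst})"]),
    "exploit_attempt": (["service_known({dst})"], ["compromised({dst})"]),
    "outbound_c2":     (["compromised({src})"], []),
}

def normalize(raw):
    """Map each sensor's own field names onto one common alert schema (the standard data format axis)."""
    src, dst = (raw["host"], raw["peer"]) if raw["sensor"] == "hids" else (raw["src"], raw["dst"])
    return {"ts": raw["ts"], "src": src, "dst": dst, "kind": raw["sig"], "count": 1}

def cluster(alerts, window=30):
    """Merge repeats of one (src, dst, kind) inside a time window; count serves as a priority hint."""
    merged = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        last = merged[-1] if merged else None
        same = last and all(last[k] == a[k] for k in ("src", "dst", "kind"))
        if same and a["ts"] - last["ts"] <= window:
            last["count"] += 1
        else:
            merged.append(a)
    return merged

def correlate(alerts, max_gap=600):
    """Link alert B to an earlier alert A when a consequence of A satisfies a prerequisite of B."""
    links = []
    for i, b in enumerate(alerts):
        pre = {p.format(**b) for p in KNOWLEDGE[b["kind"]][0]}
        for a in alerts[:i]:
            cons = {c.format(**a) for c in KNOWLEDGE[a["kind"]][1]}
            if pre & cons and 0 < b["ts"] - a["ts"] <= max_gap:
                links.append((a, b))
    return links

def reconstruct(raw_events):
    """Whole pipeline: normalize -> cluster -> causal links, reported as (stage, next stage, host) edges."""
    alerts = cluster(normalize(e) for e in raw_events)
    return [(a["kind"], b["kind"], a["dst"]) for a, b in correlate(alerts)]
```

The unrelated scan of 10.0.0.21 produces no edge because no later alert has a prerequisite it satisfies, which is the property that lets causal correlation separate a multi-stage incident from background noise.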
