Intrusion Alert Correlation to Support Security Management

To support information security, organizations deploy Intrusion Detection Systems (IDS) that monitor information systems and networks, generating an alert for every suspicious behavior. However, the huge number of alerts an IDS triggers, together with their low-level representation, makes alert analysis a challenging task. In this paper, we propose a new approach based on hierarchical clustering that supports intrusion alert analysis in two main steps. First, it correlates historical alerts to identify the most typical strategies attackers have used. Then, it associates upcoming alerts in real time with the strategies discovered in the first step. The experiments were performed using a real data set from the University of Maryland. The results show that the proposed approach can provide useful information for security administrators and may reduce the time between a security event and the response.
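The two-step scheme the abstract describes, as an added example that is not the paper's code: step 1 groups a constructed set of historical alerts by agglomerative (hierarchical) clustering, step 2 assigns an upcoming alert to the closest discovered group or flags it as unmatched. Representing an alert as a set of attribute tokens, Jaccard similarity, average linkage and the 0.4 merge threshold are all assumptions made here, not choices taken from the paper.

```python
def alert_set(alert):
    # Represent an alert as a set of "key=value" tokens so set similarity applies.
    return {f"{k}={v}" for k, v in alert.items()}

def jaccard(a, b):
    # Jaccard similarity of two token sets (assumed metric, not the paper's).
    return len(a & b) / len(a | b) if a | b else 1.0

def avg_similarity(cluster_a, cluster_b):
    # Average linkage: mean pairwise similarity between two clusters.
    pairs = [(x, y) for x in cluster_a for y in cluster_b]
    return sum(jaccard(x, y) for x, y in pairs) / len(pairs)

def cluster_alerts(alerts, min_sim=0.4):
    """Step 1: agglomerative clustering of historical alerts. Repeatedly merge
    the two most similar clusters until no pair reaches min_sim; each
    remaining cluster stands for one recurring attack strategy."""
    clusters = [[alert_set(a)] for a in alerts]
    while len(clusters) > 1:
        sim, i, j = max((avg_similarity(clusters[i], clusters[j]), i, j)
                        for i in range(len(clusters))
                        for j in range(i + 1, len(clusters)))
        if sim < min_sim:
            break
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return clusters

def assign_alert(alert, clusters, min_sim=0.4):
    """Step 2: associate an upcoming alert with the most similar strategy.
    Returns the cluster index, or None when nothing is similar enough, which
    is the case an analyst should look at first (behaviour not seen before)."""
    if not clusters:
        return None
    s = alert_set(alert)
    sim, idx = max((avg_similarity([s], c), idx) for idx, c in enumerate(clusters))
    return idx if sim >= min_sim else None

# Constructed historical alerts: a scan-then-exploit strategy from one source
# and an unrelated SSH brute-force strategy from another.
HISTORY = [
    {"sig": "port_scan", "src": "10.0.0.5", "dst": "10.0.1.2", "proto": "tcp"},
    {"sig": "port_scan", "src": "10.0.0.5", "dst": "10.0.1.3", "proto": "tcp"},
    {"sig": "exploit_attempt", "src": "10.0.0.5", "dst": "10.0.1.2", "proto": "tcp"},
    {"sig": "ssh_bruteforce", "src": "10.0.0.9", "dst": "10.0.2.1", "proto": "tcp"},
    {"sig": "ssh_bruteforce", "src": "10.0.0.9", "dst": "10.0.2.1", "proto": "tcp"},
]

if __name__ == "__main__":
    strategies = cluster_alerts(HISTORY)
    new = {"sig": "exploit_attempt", "src": "10.0.0.5", "dst": "10.0.1.3", "proto": "tcp"}
    print(len(strategies), "strategies; new alert ->", assign_alert(new, strategies))
```

With the constructed data the scan and exploit alerts from 10.0.0.5 collapse into one strategy and the two brute-force alerts into another; an alert sharing no attribute with either returns None.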
