An Intrinsic Graphical Signature Based on Alert Correlation Analysis for Intrusion Detection

We propose a graphical signature for intrusion detection given alert sequences. By correlating alerts according to their temporal proximity, we build a probabilistic graph-based model that describes a group of alerts forming either an attack or normal behavior. Using these models, we design a pairwise measure based on manifold learning to quantify the dissimilarity between different groups of alerts. A large dissimilarity implies that the two groups of alerts exhibit different behaviors. Such a measure can therefore be combined with regular classification methods for intrusion detection. We evaluate our framework mainly on Acer 2007, a private dataset gathered from a well-known Security Operation Center in Taiwan. The performance on the real data suggests that the proposed method can achieve high detection accuracy. Moreover, the graphical structures and the representation from manifold learning naturally provide a visualized result suitable for further analysis by domain experts.
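As an added illustration (not the paper's own code, and not the authors' manifold-learning measure), the following Python builds a temporal-proximity transition graph from alert sequences and compares two such graphs with a plain L1 distance over edge probabilities, then labels a new sequence by its nearest prototype. The alert types, the 20-second window, and all three sequences are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample alert sequences: (timestamp in seconds, alert type).
# Sequences are assumed to be sorted by timestamp.
ATTACK_SEQ = [(0, "scan"), (5, "scan"), (12, "exploit"), (15, "shell"), (30, "exfil")]
NORMAL_SEQ = [(0, "login"), (10, "dns"), (40, "login"), (55, "dns"), (90, "login")]

WINDOW = 20  # constructed: alerts closer than this are treated as correlated


def build_graph(seq, window=WINDOW):
    """Directed transition graph: edge a->b weighted by the fraction of times an
    alert of type a is followed, within the window, by an alert of type b."""
    counts = defaultdict(lambda: defaultdict(int))
    for i, (t_i, a) in enumerate(seq):
        for t_j, b in seq[i + 1:]:
            if t_j - t_i > window:  # later alerts are farther away; stop early
                break
            counts[a][b] += 1
    graph = {}
    for a, succ in counts.items():
        total = sum(succ.values())
        graph[a] = {b: c / total for b, c in succ.items()}  # normalise to probabilities
    return graph


def dissimilarity(g1, g2):
    """L1 distance between edge-probability maps over the union of edges.
    This is a simple stand-in, not the paper's manifold-learning measure."""
    edges = {(a, b) for g in (g1, g2) for a in g for b in g[a]}
    return sum(abs(g1.get(a, {}).get(b, 0.0) - g2.get(a, {}).get(b, 0.0))
               for a, b in edges)


def nearest_label(seq, prototypes):
    """Classify a sequence by the prototype graph with the smallest dissimilarity."""
    g = build_graph(seq)
    return min(prototypes, key=lambda label: dissimilarity(g, prototypes[label]))


if __name__ == "__main__":
    protos = {"attack": build_graph(ATTACK_SEQ), "normal": build_graph(NORMAL_SEQ)}
    unseen = [(0, "scan"), (8, "exploit"), (10, "shell"), (20, "exfil")]  # constructed
    print(dissimilarity(protos["attack"], protos["normal"]))
    print(nearest_label(unseen, protos))
```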
