论文信息 - Discovering Attack Scenarios via Intrusion Alert Correlation Using Graph Convolutional Networks

Discovering Attack Scenarios via Intrusion Alert Correlation Using Graph Convolutional Networks

The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

[1] Christopher Leckie,et al. Decentralized multi-dimensional alert correlation for collaborative intrusion detection , 2009, J. Netw. Comput. Appl..

[2] Nicolas Lachiche,et al. A scalable robust and automatic propositionalization approach for Bayesian classification of large mixed numerical and categorical data , 2018, Machine Learning.

[3] Max Welling,et al. Semi-Supervised Classification with Graph Convolutional Networks , 2016, ICLR.

[4] Gabriel Maciá-Fernández,et al. A model-based survey of alert correlation techniques , 2013, Comput. Networks.

[5] Weixiong Zhang,et al. Graph Convolutional Networks Meet Markov Random Fields: Semi-Supervised Community Detection in Attribute Networks , 2019, AAAI.

[6] Geoff Salmon,et al. On the Detection of Persistent Attacks using Alert Graphs and Event Feature Embeddings , 2020, NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium.

[7] Joan Bruna,et al. Community Detection with Graph Neural Networks , 2017, 1705.08415.

[8] Steffen Haas,et al. GAC: graph-based alert correlation for the detection of distributed multi-step attacks , 2018, SAC.

[9] M. Hanock,et al. Online Intrusion Alert Aggregation with Generative Data Stream Modeling , 2013 .

[10] Abbas Ghaemi Bafghi,et al. A Systematic Mapping Study on Intrusion Alert Analysis in Intrusion Detection Systems , 2018, ACM Comput. Surv..

[11] Jimmy Ba,et al. Adam: A Method for Stochastic Optimization , 2014, ICLR.