论文信息 - A multi-step attack-correlation method with privacy protection

A multi-step attack-correlation method with privacy protection

In the era of global Internet security threats, there is an urgent need for different organizations to cooperate and jointly fight against cyber attacks. We present an algorithm that combines a privacy-preserving technique and a multi-step attack-correlation method to better balance the privacy and availability of alarm data. This algorithm is used to construct multi-step attack scenarios by discovering sequential attack-behavior patterns. It analyzes the time-sequential characteristics of attack behaviors and implements a support-evaluation method. Optimized candidate attack-sequence generation is applied to solve the problem of pre-defined association-rule complexity, as well as expert-knowledge dependency. An enhanced k-anonymity method is applied to this algorithm to preserve privacy. Experimental results indicate that the algorithm has better performance and accuracy for multi-step attack correlation than other methods, and reaches a good balance between efficiency and privacy.

Haibo Luo | Xianlu Luo | Yongtang Zhang

[1] Somesh Jha,et al. Global Intrusion Detection in the DOMINO Overlay System , 2004, NDSS.

[2] Michele Colajanni,et al. Multistep Attack Detection and Alert Correlation in Intrusion Detection Systems , 2011, ISA.

[3] Adam Carlson,et al. Modeling network intrusion detection alerts for correlation , 2007, ACM Trans. Inf. Syst. Secur..

[4] Peng Ning,et al. Techniques and tools for analyzing intrusion alerts , 2004, TSEC.

[5] Jennifer Rexford,et al. Privacy-preserving collaborative anomaly detection , 2009 .

[6] Jianhua Li,et al. Building network attack graph for alert causal correlation , 2008, Comput. Secur..

[7] Rajeev Motwani,et al. Approximation Algorithms for k-Anonymity , 2005 .

[8] Hervé Debar,et al. Correlation of Intrusion Symptoms: An Application of Chronicles , 2003, RAID.

[9] Hervé Debar,et al. Aggregation and Correlation of Intrusion-Detection Alerts , 2001, Recent Advances in Intrusion Detection.

[10] Ramakrishnan Srikant,et al. Mining Sequential Patterns: Generalizations and Performance Improvements , 1996, EDBT.

[11] Salvatore J. Stolfo,et al. Privacy-preserving payload-based correlation for accurate malicious traffic detection , 2006, LSAD '06.