An Intrusion Action-Based IDS Alert Correlation Analysis and Prediction Framework

With the rapid development of the internet, network intrusion has become a focus of study for both academic researchers and security enterprises. Intrusion Detection Systems (IDS), as key devices for detecting and analyzing malicious behaviour in networks, are widely deployed in enterprises and organizations and play an important role in cyberspace security. The massive log data produced by an IDS contains not only records of individual intrusion behaviours but also latent intrusion patterns. By normalizing, correlating, and modeling this data, the patterns of different intrusion scenarios can be obtained. Building on previous work in alert correlation and analysis, this paper proposes a framework named IACF (Intrusion Action Based Correlation Framework), which improves the processes of alert aggregation, action extraction, and scenario discovery, and applies a novel method for extracting intrusion sessions based on temporal metrics. The framework groups raw alerts using the concept of intrinsic strong correlations rather than the conventional time windows and hyper-alerts. To discover highly stable correlations between actions, a pruning algorithm removes redundant actions and action link modes from the sessions, reducing the impact of false positives. A correlation graph is then constructed by fusing the pruned sessions, and a method for predicting future attack steps is proposed on top of that graph. Experimental results show that the framework is efficient in alert correlation and intrusion scenario construction.
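As an added illustration of the session-pruning, graph-fusion and next-action prediction steps described above (example code written for this page, not the paper's own implementation; the action names, the sample sessions and the `min_support` threshold are constructed assumptions), the following Python builds a correlation graph from a handful of action sessions and ranks the likely next action for a defender watching a live alert stream:

```python
from collections import Counter, defaultdict

# Constructed sample: each session is the ordered list of intrusion
# actions (normalized alert types) extracted for one attack instance.
SESSIONS = [
    ["port_scan", "ssh_brute", "shell_spawn", "data_exfil"],
    ["port_scan", "ssh_brute", "ssh_brute", "shell_spawn"],  # repeated action
    ["port_scan", "web_scan", "sqli", "data_exfil"],
    ["port_scan", "web_scan", "sqli"],
    ["icmp_sweep", "port_scan", "ssh_brute", "shell_spawn"],
    ["port_scan", "ssh_brute", "shell_spawn", "priv_esc", "data_exfil"],
]

def prune_session(session):
    """Collapse consecutive duplicate actions: a re-fired alert for the
    same action is not a new step of the intrusion."""
    pruned = []
    for action in session:
        if not pruned or pruned[-1] != action:
            pruned.append(action)
    return pruned

def build_graph(sessions, min_support=2):
    """Fuse pruned sessions into a directed correlation graph.
    Edge weight = number of sessions in which action b directly follows a.
    Links seen fewer than min_support times are treated as unstable
    (likely false-positive alerts) and dropped (assumed threshold)."""
    link_counts = Counter()
    for session in sessions:
        pruned = prune_session(session)
        for a, b in zip(pruned, pruned[1:]):
            link_counts[(a, b)] += 1
    graph = defaultdict(dict)
    for (a, b), n in link_counts.items():
        if n >= min_support:
            graph[a][b] = n
    return graph

def predict_next(graph, action):
    """Rank candidate next actions after `action` by estimated transition
    probability (edge weight / total out-weight). Empty when the action
    has no stable successor in the graph."""
    successors = graph.get(action, {})
    total = sum(successors.values())
    if total == 0:
        return []
    ranked = [(b, n / total) for b, n in successors.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)
```

With the constructed sessions, `predict_next(build_graph(SESSIONS), "port_scan")` ranks `ssh_brute` ahead of `web_scan`, while `shell_spawn` gets no prediction because all of its outgoing links fall below the support threshold.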
