A model-based survey of alert correlation techniques

As telecommunication networks grow rapidly in scale, complexity, and heterogeneity, the efficiency of fault localization and the accuracy of anomaly detection have become important factors in the decision-making processes of large network management companies. For this reason, telecommunication companies are investing heavily in new technologies and projects aimed at efficient management solutions. One of the main challenges for network and system management operators is coping with the huge volume of alerts generated by the managed systems and networks. Alert correlation is one of the most widely used techniques for discovering anomalous behavior and speeding up fault localization. Although many different alert correlation techniques have been investigated, it remains an active research field. This paper presents a survey of the state of the art in alert correlation techniques. Unlike other authors, we consider the correlation process a problem common to several fields of industry, and we therefore focus on showing the broad reach of this problem. In addition, we propose an alert correlation architecture capable of modeling both current and prospective proposals. Finally, we review some of the most important commercial products currently available.
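
The abstract refers to alert correlation without showing what a correlation step looks like. The following Python block is an added illustration, not code from the paper or from the architecture it proposes: it fuses duplicate alerts that share a signature, source and destination within a time window into meta-alerts (one of the simplest and most common correlation steps), then links those meta-alerts into a multi-stage scenario. The alert format, signature names, time windows and sample data are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alert stream (not from the paper): ts|sensor|signature|src|dst
SAMPLE_ALERTS = """\
2024-01-01T10:00:00|ids-a|portscan|10.0.0.5|10.0.1.20
2024-01-01T10:00:10|ids-a|portscan|10.0.0.5|10.0.1.20
2024-01-01T10:00:20|ids-b|portscan|10.0.0.5|10.0.1.20
2024-01-01T10:02:00|ids-a|exploit-attempt|10.0.0.5|10.0.1.20
2024-01-01T10:05:00|ids-a|outbound-beacon|10.0.1.20|203.0.113.9
2024-01-01T11:30:00|ids-a|portscan|10.0.0.7|10.0.1.21
"""


@dataclass
class Alert:
    ts: datetime
    sensor: str
    sig: str
    src: str
    dst: str


@dataclass
class MetaAlert:
    key: tuple                 # (signature, src, dst) shared by every member
    first: datetime            # timestamp of the earliest member
    last: datetime             # timestamp of the latest member
    members: list = field(default_factory=list)

    @property
    def sensors(self):
        # Which sensors contributed: the same event seen by two sensors is fused, not duplicated.
        return sorted({a.sensor for a in self.members})


def parse_alerts(text):
    """Parse the constructed pipe-separated format into Alert objects sorted by time."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, sig, src, dst = line.split("|")
        alerts.append(Alert(datetime.fromisoformat(ts), sensor, sig, src, dst))
    return sorted(alerts, key=lambda a: a.ts)


def aggregate(alerts, window=timedelta(seconds=60)):
    """Fuse alerts with the same (sig, src, dst) when the gap to the previous member is <= window."""
    open_metas = {}
    closed = []
    for a in alerts:
        key = (a.sig, a.src, a.dst)
        m = open_metas.get(key)
        if m is not None and a.ts - m.last <= window:
            m.members.append(a)
            m.last = a.ts
            continue
        if m is not None:
            closed.append(m)          # gap too large: close the old meta-alert
        open_metas[key] = MetaAlert(key, a.ts, a.ts, [a])
    closed.extend(open_metas.values())
    return sorted(closed, key=lambda m: m.first)


def find_scenarios(metas, window=timedelta(minutes=10)):
    """Link meta-alerts into scan -> exploit -> beacon chains (a hypothetical rule set)."""
    scenarios = []
    for scan in (m for m in metas if m.key[0] == "portscan"):
        _, src, dst = scan.key
        for ex in metas:
            if ex.key != ("exploit-attempt", src, dst):
                continue
            if not scan.last <= ex.first <= scan.last + window:
                continue
            # The beacon stage is sourced by the victim of the exploit stage.
            beacon = next((b for b in metas
                           if b.key[0] == "outbound-beacon" and b.key[1] == dst
                           and ex.last <= b.first <= ex.last + window), None)
            scenarios.append((scan, ex, beacon))
    return scenarios


def reduction_ratio(alerts, metas):
    """Fraction of raw alerts removed from the operator's view by aggregation."""
    return 1 - len(metas) / len(alerts)


if __name__ == "__main__":
    raw = parse_alerts(SAMPLE_ALERTS)
    fused = aggregate(raw)
    for m in fused:
        print(f"{m.first:%H:%M:%S}-{m.last:%H:%M:%S} {m.key} x{len(m.members)} via {m.sensors}")
    print(f"reduction: {reduction_ratio(raw, fused):.0%}")
    for scan, ex, beacon in find_scenarios(fused):
        print("scenario:", scan.key[1], "->", scan.key[2], "beacon:" , beacon.key[2] if beacon else "none")
```

Both steps depend on sensor timestamps: an aggregation or scenario window only means what it says if the sensors' clocks are synchronized, and skew larger than the window will split one event into several meta-alerts or break a real chain. The reduction ratio is the figure operators usually care about first, but it says nothing about whether the surviving meta-alerts are the right ones, which is why the survey's literature also treats prioritization and false-positive reduction as separate problems.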
