Building Scenarios from a Heterogeneous Alert Stream

We describe a real-time algorithm for combining the alerts produced by several heterogeneous intrusion detection sensors into scenarios. Each scenario represents a sequence of actions performed by a single actor or organization. Our algorithm, which is probabilistic in nature, can determine the scenario membership of a new alert in time proportional to the number of candidate scenarios. It is capable of finding scenarios even if an intruder has used stealthy attack methods such as forged source IP addresses or long latencies between attack components.
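The following is an added sketch, not the paper's algorithm (whose probability model is not given in this abstract), of the assignment loop the abstract describes: each incoming alert is scored once against every candidate scenario, so the cost is linear in the number of candidates, and it joins the best-scoring one or opens a new scenario. Source-IP agreement is treated as weak evidence and the recency factor is bounded below, so a forged source or a long gap between attack steps does not break linkage; the feature weights, half-life, threshold and alert stream are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
Alert = namedtuple("Alert", "ts sensor src_ip dst_ip action")  # ts: seconds on a shared clock

@dataclass
class Scenario:
    alerts: list = field(default_factory=list)
    src_ips: set = field(default_factory=set)
    dst_ips: set = field(default_factory=set)

    def add(self, a):
        self.alerts.append(a); self.src_ips.add(a.src_ip); self.dst_ips.add(a.dst_ip)

HALF_LIFE = 6 * 3600.0  # constructed: recency evidence halves every 6 h
THRESHOLD = 2.0         # constructed: odds at or above this join; below, open a new scenario

def membership_score(a, s):
    """Odds that alert a belongs to scenario s; features multiply like likelihood ratios."""
    # A matching source is evidence for membership, but a mismatch is not evidence
    # against it: the source address may be forged.
    src = 3.0 if a.src_ip in s.src_ips else 1.0
    dst = 4.0 if a.dst_ip in s.dst_ips else 0.5  # shared target is the strongest link
    # Recency decays toward a floor of 0.5, so a long latency never excludes an alert.
    dt = max(0.0, a.ts - s.alerts[-1].ts)
    return src * dst * (0.5 + 0.5 * 2.0 ** (-dt / HALF_LIFE))

def assign(a, scenarios):
    best_idx, best = -1, THRESHOLD  # one pass over candidates: O(len(scenarios))
    for i, s in enumerate(scenarios):
        sc = membership_score(a, s)
        if sc >= best:
            best_idx, best = i, sc
    if best_idx < 0:
        scenarios.append(Scenario())
        best_idx = len(scenarios) - 1
    scenarios[best_idx].add(a)
    return best_idx  # index of the scenario that received a

def demo():
    # Constructed stream (documentation-range IPs), not data from the paper.
    stream = [
        Alert(0, "nids", "10.0.0.5", "192.0.2.10", "portscan"),
        Alert(600, "nids", "10.0.0.5", "192.0.2.10", "exploit"),
        Alert(700, "hids", "203.0.113.9", "192.0.2.10", "new-admin-user"),  # forged source
        Alert(800, "nids", "198.51.100.7", "192.0.2.77", "portscan"),  # unrelated actor
        Alert(800 + 2 * 86400, "hids", "10.0.0.5", "192.0.2.10", "outbound-tunnel"),  # days later
    ]
    scenarios = []
    for a in stream: assign(a, scenarios)
    return scenarios
```

Running `demo()` yields two scenarios: the forged-source and two-day-late alerts both land in the first, and only the unrelated scan opens a second.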
