A Comparative Study of Alert Correlations for Intrusion Detection

The prevalent use of computer applications and communication technologies has raised the number of network intrusion attempts. These malicious attempts, including hacking, botnets and worms, are pushing organizational networks into a risky environment in which the intruder tries to compromise the confidentiality, integrity and availability of resources. In order to detect these malicious activities, Intrusion Detection Systems (IDSs) have been widely deployed in corporate networks. IDSs play an important role in monitoring traffic behavior in a computer network, identifying anomalous activity and notifying the security analyst of the current network status. Unfortunately, one of the drawbacks of IDSs is that they produce a large number of false positive and non-relevant positive alerts that can overwhelm the security analyst. Therefore, a process for analyzing alerts in order to provide a more synthetic, high-level view of the attempted intrusions is needed. This process is called Alert Correlation. In this paper, we present commonly used alert correlation approaches and highlight their advantages and disadvantages from various perspectives. Subsequently, we summarize some current alert correlation models together with the alert correlation approach each one uses.
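As an added illustration of the alert correlation process the abstract describes (this code is not from the paper or any of the surveyed models), the following implements the simplest similarity-based approach: raw IDS alerts that share source, destination and signature within a time window are merged into one meta-alert, so the analyst sees a handful of aggregated events instead of a stream of repeats. The alert set and the five-minute window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    """One raw IDS alert (fields modelled on a typical NIDS alert record)."""
    ts: datetime
    src: str
    dst: str
    sig: str


@dataclass
class MetaAlert:
    """Aggregate of similar raw alerts: same attributes, close in time."""
    src: str
    dst: str
    sig: str
    first: datetime
    last: datetime
    count: int = 1


def correlate(alerts, window=timedelta(minutes=5)):
    """Attribute-similarity correlation with a sliding time window.

    Alerts are processed in time order; an alert joins an existing
    meta-alert if it matches on (src, dst, sig) and arrives no more
    than `window` after that meta-alert's most recent alert. Otherwise
    it opens a new meta-alert. Returns meta-alerts in order of creation.
    """
    metas = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for m in metas:
            if (m.src, m.dst, m.sig) == (a.src, a.dst, a.sig) and a.ts - m.last <= window:
                m.last, m.count = a.ts, m.count + 1
                break
        else:  # no matching meta-alert within the window: start a new one
            metas.append(MetaAlert(a.src, a.dst, a.sig, a.ts, a.ts))
    return metas


# Constructed sample: a repeated port scan, two web alerts, and a late
# scan that falls outside the window of the first scan burst.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0, "10.0.0.5", "10.0.0.1", "SCAN portscan"),
    Alert(T0 + timedelta(seconds=20), "10.0.0.5", "10.0.0.1", "SCAN portscan"),
    Alert(T0 + timedelta(seconds=30), "10.0.0.7", "10.0.0.2", "WEB sql injection"),
    Alert(T0 + timedelta(seconds=40), "10.0.0.5", "10.0.0.1", "SCAN portscan"),
    Alert(T0 + timedelta(seconds=60), "10.0.0.7", "10.0.0.2", "WEB sql injection"),
    Alert(T0 + timedelta(minutes=15), "10.0.0.5", "10.0.0.1", "SCAN portscan"),
]

if __name__ == "__main__":
    for m in correlate(SAMPLE_ALERTS):
        print(f"{m.sig}: {m.src} -> {m.dst}, {m.count} alert(s), {m.first:%H:%M:%S}-{m.last:%H:%M:%S}")
```

Six raw alerts collapse into three meta-alerts; the late scan stays separate because it falls outside the window, which is the kind of boundary decision that distinguishes one correlation model from another.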
