A Systematic Mapping Study on Intrusion Alert Analysis in Intrusion Detection Systems

Intrusion alert analysis is an attractive and active topic in the area of intrusion detection systems, and many research communities have worked in this field in recent decades. The main objective of this article is to derive a taxonomy of research fields in intrusion alert analysis through a systematic mapping study of 468 high-quality papers. The results show that there are 10 different research topics in the field, which can be classified into three broad groups: pre-processing, processing, and post-processing. The processing group contains most of the research works, and the post-processing group is newer than the others.
