Real-Time Correlation of Network Security Alerts

With the growing deployment of network security devices, managing the large volume of security alerts they produce has become a major challenge. In this paper a novel method based on a sequential pattern mining algorithm is applied to discover the behaviour patterns of complicated multistage attacks, and the discovered patterns can be transformed into correlation rules automatically. In contrast with other approaches, this overcomes the drawback of depending heavily on precise attack specifications and accurate rule definitions. Based on these algorithms, a real-time alert correlation system is proposed that detects an ongoing attack and predicts the upcoming step of a multistage attack in real time. Consequently, the network administrator can become aware of the threat as soon as possible and take deliberate action to prevent the target of the attack from being compromised further. We implement the system and validate our method through a series of experiments with a test dataset and in a real network environment. The results show the effectiveness of the system in discovering and predicting attacks.
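The pipeline the abstract describes (mine multistage patterns from alert history, turn them into rules, then match a live alert stream to flag the stage reached and predict the next one) can be illustrated end to end in a few dozen lines. The code below is an added example written for this page, not the paper's system or its data: the alert type names, the training sessions, the live stream, the support and confidence thresholds and the one-hour sliding window are all constructed assumptions. Patterns are order-preserving subsequences with gaps allowed (GSP-style), and each frequent pattern a1..ak becomes the rule a1..a(k-1) -> ak with confidence support(pattern)/support(prefix), so a prediction is only made once the observed alerts for a target match a rule prefix.

```python
from collections import defaultdict
from itertools import combinations

# Constructed training history (not from the paper): each list is the ordered
# sequence of alert types raised against one target host during one session.
TRAINING_SESSIONS = [
    ["PORT_SCAN", "SERVICE_PROBE", "BRUTE_FORCE_LOGIN", "PRIV_ESC", "DATA_EXFIL"],
    ["PORT_SCAN", "SERVICE_PROBE", "EXPLOIT_ATTEMPT", "PRIV_ESC", "DATA_EXFIL"],
    ["PORT_SCAN", "SERVICE_PROBE", "BRUTE_FORCE_LOGIN", "PRIV_ESC"],
    ["SERVICE_PROBE", "EXPLOIT_ATTEMPT", "PRIV_ESC"],
    ["PORT_SCAN", "SERVICE_PROBE", "WEB_SCAN"],  # noise that never progresses
    ["PORT_SCAN", "SERVICE_PROBE", "EXPLOIT_ATTEMPT", "PRIV_ESC", "DATA_EXFIL"],
]


def is_subsequence(pattern, sequence):
    """True if pattern occurs in sequence in order, gaps allowed (GSP-style)."""
    it = iter(sequence)
    return all(item in it for item in pattern)


def mine_sequential_patterns(sessions, min_support, max_len=5):
    """Count, per order-preserving subsequence of length 1..max_len, how many
    sessions contain it; keep those at or above min_support. Sessions are short,
    so exhaustive enumeration stands in for level-wise candidate generation."""
    support = defaultdict(int)
    for session in sessions:
        seen = set()  # a session contributes at most 1 to a pattern's support
        for k in range(1, min(max_len, len(session)) + 1):
            for idx in combinations(range(len(session)), k):
                seen.add(tuple(session[i] for i in idx))
        for pattern in seen:
            support[pattern] += 1
    return {p: c for p, c in support.items() if c >= min_support}


def patterns_to_rules(patterns, min_confidence):
    """Map each rule prefix to a best-first list of (next_alert, confidence,
    support), derived from the frequent patterns as prefix -> last element."""
    rules = defaultdict(list)
    for pattern, sup in patterns.items():
        if len(pattern) < 2:
            continue
        prefix, nxt = pattern[:-1], pattern[-1]
        confidence = sup / patterns[prefix]  # every prefix is frequent too
        if confidence >= min_confidence:
            rules[prefix].append((nxt, confidence, sup))
    for prefix in rules:
        rules[prefix].sort(key=lambda r: (-r[1], -r[2], r[0]))
    return dict(rules)


class RealTimeCorrelator:
    """Sliding window of alerts per target; on each new alert, match the longest
    rule prefix ending in that alert and report stage reached plus predicted next."""

    def __init__(self, rules, window_seconds):
        self.rules = rules
        self.window = window_seconds
        self.history = defaultdict(list)  # target -> [(timestamp, alert_type)]

    def process(self, ts, target, alert_type):
        recent = [(t, a) for t, a in self.history[target] if ts - t <= self.window]
        recent.append((ts, alert_type))
        self.history[target] = recent
        observed = [a for _, a in recent]
        candidates = [
            (len(prefix), preds[0][1], prefix, preds[0][0])
            for prefix, preds in self.rules.items()
            if prefix[-1] == alert_type and is_subsequence(prefix, observed)
        ]
        if not candidates:
            return None  # no known attack stage matches this alert
        plen, conf, prefix, nxt = max(candidates, key=lambda c: (c[0], c[1], c[2]))
        return {
            "target": target,
            "matched": prefix,
            "predicted_next": nxt,
            "confidence": round(conf, 2),
            "multistage": plen >= 2,  # more than one stage already observed
        }


def run_demo():
    """Mine rules from the constructed history and replay a constructed stream
    of (timestamp in seconds, target host, alert type)."""
    patterns = mine_sequential_patterns(TRAINING_SESSIONS, min_support=3)
    rules = patterns_to_rules(patterns, min_confidence=0.6)
    correlator = RealTimeCorrelator(rules, window_seconds=3600)
    stream = [
        (0, "10.0.0.5", "PORT_SCAN"),
        (30, "10.0.0.5", "SERVICE_PROBE"),
        (60, "10.0.0.5", "EXPLOIT_ATTEMPT"),
        (90, "10.0.0.5", "PRIV_ESC"),
        (100, "10.0.0.9", "PORT_SCAN"),
        (5000, "10.0.0.9", "SERVICE_PROBE"),  # the earlier scan has aged out
    ]
    return [correlator.process(*alert) for alert in stream]
```

Running `run_demo()` walks host 10.0.0.5 through scan, probe, exploit and privilege escalation: after the third alert the correlator matches the two-stage prefix (SERVICE_PROBE, EXPLOIT_ATTEMPT) and predicts PRIV_ESC with confidence 1.0, and after the fourth it matches the three-stage prefix and predicts DATA_EXFIL, which is the point at which an operator can intervene before the final step. On host 10.0.0.9 the scan falls outside the window by the time the probe arrives, so only the single-alert rule fires and the result is not marked as multistage; the window length is the knob that trades missed slow attacks against false correlations of unrelated alerts.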
