Process mining and hierarchical clustering to help intrusion alert visualization

Abstract

Intrusion Detection Systems (IDS) are extensively used as one of the lines of defense of a network to prevent and mitigate the risks caused by security breaches. An IDS reports intrusive activity on a network through alerts, which security analysts evaluate manually in order to execute an intrusion response plan. However, one of the downsides of IDS is the large number of alerts they raise, which makes manual investigation a burdensome and error-prone task. In this work, we propose an approach to facilitate the investigation of very large volumes of intrusion alerts. The approach applies process mining techniques to the alerts to extract information about the attackers' behavior and the multi-stage attack strategies they adopted. The strategies are presented to the network administrator as user-friendly, high-level visual models. Large and visually complex models that are difficult to understand are clustered into smaller, simpler and more intuitive models using hierarchical clustering techniques. To evaluate the proposed approach, a real dataset of alerts from a large public university in the United States was used. We find that security visualization models created with process mining and hierarchical clustering are able to condense a huge number of alerts and provide insightful information for network/IDS administrators. For instance, by analyzing the models generated during the case study, network administrators could find out important details about the attack strategies, such as attack frequencies and targeted network services.
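The pipeline the abstract describes (alerts as an event log, a process model discovered from it, and hierarchical clustering to split a large model into smaller ones) can be sketched end to end in a few dozen lines. The block below is an added illustration written for this page; it is not the authors' code and makes several assumptions the abstract does not state: the case identifier is the attacker's source IP, the activity is the alert signature, the model is a dependency graph built with the Heuristics Miner dependency measure (|a>b| - |b>a|) / (|a>b| + |b>a| + 1) with a 0.5 threshold, and cases are clustered by single-linkage agglomerative clustering on the Jaccard distance of their activity sets. The alerts are constructed sample data, not the university dataset.

```python
"""Added example: process discovery over IDS alerts plus hierarchical clustering.
Assumptions (not from the paper): case = source IP, activity = signature,
Heuristics Miner dependency measure, single-linkage Jaccard clustering."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample alerts: (timestamp, src_ip, dst_ip, dst_port, signature).
# Two attackers run scan -> brute force -> login against SSH; a third probes
# web services. This is made-up data for the example, not a real capture.
ALERTS = [
    (1, "10.0.0.5", "192.168.1.10", 22, "PORT_SCAN"),
    (2, "10.0.0.5", "192.168.1.10", 22, "SSH_BRUTE_FORCE"),
    (3, "10.0.0.5", "192.168.1.10", 22, "SSH_LOGIN_AFTER_BRUTE"),
    (4, "10.0.0.7", "192.168.1.11", 22, "PORT_SCAN"),
    (5, "10.0.0.7", "192.168.1.11", 22, "SSH_BRUTE_FORCE"),
    (6, "10.0.0.7", "192.168.1.11", 22, "SSH_LOGIN_AFTER_BRUTE"),
    (7, "10.0.0.9", "192.168.1.20", 80, "PORT_SCAN"),
    (8, "10.0.0.9", "192.168.1.20", 80, "WEB_DIR_ENUM"),
    (9, "10.0.0.9", "192.168.1.20", 443, "WEB_DIR_ENUM"),
    (10, "10.0.0.9", "192.168.1.20", 80, "SQLI_ATTEMPT"),
]


def build_traces(alerts):
    """Event log: one trace per attacker (src IP), activities ordered by time."""
    cases = defaultdict(list)
    for _ts, src, _dst, _port, sig in sorted(alerts):
        cases[src].append(sig)
    return dict(cases)


def directly_follows(traces):
    """Count a>b pairs: b immediately follows a inside a trace."""
    df = Counter()
    for trace in traces.values():
        for a, b in zip(trace, trace[1:]):
            df[(a, b)] += 1
    return df


def dependency_graph(traces, threshold=0.5):
    """Heuristics Miner dependency measure; edges at/above threshold form the model.
    Self-loops (length-one loops) are handled separately by the full miner and are
    simply skipped here."""
    df = directly_follows(traces)
    edges = {}
    for (a, b), n_ab in df.items():
        if a == b:
            continue
        n_ba = df.get((b, a), 0)
        dep = (n_ab - n_ba) / (n_ab + n_ba + 1)
        if dep >= threshold:
            edges[(a, b)] = round(dep, 2)
    return edges


def attack_summary(alerts):
    """Attack frequencies per signature and per targeted service (dst port)."""
    sigs = Counter(sig for *_, sig in alerts)
    ports = Counter(port for _, _, _, port, _ in alerts)
    return sigs, ports


def jaccard_distance(trace_a, trace_b):
    """1 - |A ∩ B| / |A ∪ B| over the sets of activities in two traces."""
    a, b = set(trace_a), set(trace_b)
    return 1.0 - len(a & b) / len(a | b)


def cluster_traces(traces, max_distance=0.5):
    """Single-linkage agglomerative clustering of cases; merging stops once the
    closest pair of clusters is farther apart than max_distance."""
    clusters = [[case] for case in traces]
    while len(clusters) > 1:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            d = min(jaccard_distance(traces[x], traces[y])
                    for x in clusters[i] for y in clusters[j])
            if best is None or d < best[0]:
                best = (d, i, j)
        d, i, j = best
        if d > max_distance:
            break
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return clusters


def models_per_cluster(traces, max_distance=0.5, threshold=0.5):
    """One small dependency graph per cluster instead of a single large model."""
    return [dependency_graph({c: traces[c] for c in cluster}, threshold)
            for cluster in cluster_traces(traces, max_distance)]


if __name__ == "__main__":
    traces = build_traces(ALERTS)
    print("full model:", dependency_graph(traces))
    for k, model in enumerate(models_per_cluster(traces)):
        print(f"cluster {k}:", model)
    print("frequencies:", attack_summary(ALERTS))
```

On the constructed data the full model has four edges (scan to brute force, brute force to login, scan to directory enumeration, enumeration to SQL injection); clustering separates the two SSH attackers from the web attacker and yields two two-edge models, which is the effect the abstract attributes to hierarchical clustering. The dependency threshold and the clustering cut-off are the knobs that trade model completeness against readability; for real alert volumes, both would need tuning per dataset.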
