Alert Correlation Algorithms: A Survey and Taxonomy

Alert correlation is a process that receives alerts from heterogeneous intrusion detection systems and reduces false alerts, detects high-level attack patterns, adds meaning to the incidents that have occurred, predicts the future states of attacks, and identifies the root causes of attacks. To reach these goals, many algorithms have been proposed, each with its own advantages and disadvantages. In this paper, we present a comprehensive survey of the alert correlation algorithms proposed so far. The survey focuses mainly on algorithms for correlation engines that can operate in enterprise and practical networks. With this aim in mind, a number of features related to accuracy, functionality, and computational cost are introduced, and every category of algorithms is assessed against these features. The result of this survey shows that each category of algorithms has its own strengths, and an ideal correlation framework should combine the strengths of each category.
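To make the stages named in the abstract concrete, the following is an added example (not code from the surveyed paper or any of the works it cites): it takes constructed alerts from two sensors with different field layouts, normalizes them to one schema, aggregates duplicates to cut volume, and then links alerts whose consequences satisfy the prerequisites of a later alert between the same endpoints, emitting multi-step scenarios. The sensor record formats, the signature-to-class mapping and the small prerequisite/consequence knowledge base are all assumptions made for this example.

```python
"""Toy alert correlation pipeline (added example, not from the surveyed paper).

Stages: normalize heterogeneous sensor alerts -> aggregate duplicates ->
link alerts whose consequences satisfy a later alert's prerequisites ->
emit multi-step scenarios. All sensor data below is constructed and the
field names are assumptions, not any real IDS's output format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int       # seconds since epoch (constructed values)
    sensor: str   # which detector produced the alert
    kind: str     # normalized alert class shared across sensors
    src: str      # attacker-side address
    dst: str      # victim-side address


# Constructed raw alerts from two sensors with different field layouts.
RAW_NIDS = [
    {"timestamp": 100, "sig_name": "SCAN nmap TCP", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20"},
    {"timestamp": 101, "sig_name": "SCAN nmap TCP", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20"},
    {"timestamp": 102, "sig_name": "SCAN nmap TCP", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20"},
    {"timestamp": 160, "sig_name": "EXPLOIT ftpd overflow", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20"},
    {"timestamp": 500, "sig_name": "SCAN nmap TCP", "source_ip": "10.0.0.9", "dest_ip": "10.0.0.30"},
]
RAW_HIDS = [
    {"time": 170, "host": "10.0.0.20", "event": "new_root_shell", "peer": "10.0.0.5"},
]

# Sensor-specific signature name -> normalized alert class (assumed mapping).
NIDS_KINDS = {"SCAN nmap TCP": "port_scan", "EXPLOIT ftpd overflow": "remote_exploit"}
HIDS_KINDS = {"new_root_shell": "root_shell"}

# Prerequisite/consequence knowledge base (assumed): what each alert class
# needs to be true beforehand ("pre") and what it establishes ("post").
KB = {
    "port_scan":      {"pre": set(),             "post": {"knows_service"}},
    "remote_exploit": {"pre": {"knows_service"}, "post": {"code_exec"}},
    "root_shell":     {"pre": {"code_exec"},     "post": {"root_access"}},
}


def normalize(raw_nids, raw_hids):
    """Map both sensors' raw records onto the common Alert schema, sorted by time."""
    alerts = [Alert(r["timestamp"], "nids", NIDS_KINDS[r["sig_name"]], r["source_ip"], r["dest_ip"])
              for r in raw_nids]
    alerts += [Alert(r["time"], "hids", HIDS_KINDS[r["event"]], r["peer"], r["host"])
               for r in raw_hids]
    return sorted(alerts, key=lambda a: a.ts)


def aggregate(alerts, window):
    """Collapse repeated (kind, src, dst) alerts within `window` seconds of the
    first occurrence into one representative alert plus a count."""
    groups = []  # list of [representative Alert, count]
    for a in alerts:
        for g in groups:
            rep = g[0]
            if (rep.kind, rep.src, rep.dst) == (a.kind, a.src, a.dst) and a.ts - rep.ts <= window:
                g[1] += 1
                break
        else:
            groups.append([a, 1])
    return [(g[0], g[1]) for g in groups]


def correlate(alerts, window):
    """Link alert a -> b when a precedes b within `window`, both share src/dst,
    and a's consequences satisfy at least one of b's prerequisites.
    Returns each scenario as the list of alert kinds along a chain."""
    succ = {i: [] for i in range(len(alerts))}
    has_pred = set()
    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            b = alerts[j]
            if b.ts - a.ts > window:
                break  # alerts are time-ordered, so nothing later can match
            if (a.src, a.dst) == (b.src, b.dst) and KB[a.kind]["post"] & KB[b.kind]["pre"]:
                succ[i].append(j)
                has_pred.add(j)

    def paths(i):
        if not succ[i]:
            return [[alerts[i].kind]]
        return [[alerts[i].kind] + p for j in succ[i] for p in paths(j)]

    scenarios = []
    for i in range(len(alerts)):
        if i not in has_pred:  # start chains only from alerts nothing explains
            scenarios.extend(paths(i))
    return scenarios


def run_pipeline(dup_window=60, corr_window=600):
    """Run all stages over the constructed data; returns (aggregated alerts, scenarios)."""
    alerts = [a for a, _ in aggregate(normalize(RAW_NIDS, RAW_HIDS), dup_window)]
    return alerts, correlate(alerts, corr_window)


if __name__ == "__main__":
    alerts, scenarios = run_pipeline()
    print(f"{len(RAW_NIDS) + len(RAW_HIDS)} raw alerts -> {len(alerts)} after aggregation")
    for s in scenarios:
        print(" -> ".join(s))
```

On the constructed input the three scan alerts collapse into one, and the scan, exploit and root-shell alerts from two different sensors are chained into one three-step scenario, while the unrelated scan against another host stays a single-alert scenario. The aggregation window and correlation window are the two knobs that trade accuracy against the volume an analyst must review, which is the kind of feature the survey evaluates algorithm categories against.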
