An Alarm Flow Decomposition Method for Security Threat Evaluation

How to analyze security alarms automatically and find useful information form them has attract a lot of interests. Although many alarm correlation approaches and risk assessment methods have been proposed, most of them were implemented with high computational complexity and time consuming, and they can not deal well with huge number of security alarms. This work focus on performing an real-time security threat evaluation. We aggregate individual alarms to alarm flows, and then process the flows instead of individual alarms. Using the Singular Spectrum Analysis (SSA) approach, we found that the alarm flow has a small intrinsic dimension, and the alarm flow can be decomposed into leading components and residual components. Leading components represent the basic part and residual components represent the noise part of the flow. To capture the main features of the leading components forming the alarm flow, we accomplish the security threat evaluation. Case based experiments real network data shows the effectiveness of the method. To the best of our knowledge, this is the first study that applies SSA on the analysis of IDS alarm flows.