Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation
Authors
Abstract
Intrusion alert correlation is the process of identifying high-level attack scenarios by reasoning about the low-level alerts raised by intrusion detection systems (IDS). The efficiency of intrusion alert correlation is critical in enabling interactive analysis of intrusion alerts as well as prompt responses to attacks. This paper presents an experimental study aimed at adapting main memory index structures (e.g., T Trees, Linear Hashing) and database query optimization techniques (e.g., nested loop join, sort join) for efficient correlation of intensive alert streams. By taking advantage of the characteristics of the alert correlation process, this paper presents three techniques named hyper-alert container, two-level index, and sort correlation. This paper then reports a series of experiments designed to evaluate the effectiveness of these techniques. These experiments demonstrate that (1) hyper-alert containers improve the efficiency of order-preserving index structures (e.g., T Trees), in which an insertion operation involves a search, (2) the two-level index improves the efficiency of all index structures, (3) a two-level index structure combining Chained Bucket Hashing and Linear Hashing is the most efficient for streamed alerts both with and without a memory constraint, and (4) sort correlation with the heap sort algorithm is the most efficient for alert correlation in batch.
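The abstract frames correlation as a join: an earlier hyper-alert prepares for a later one when one of its consequences matches one of the later alert's prerequisites and the temporal constraint holds. The Python below is an added illustration written for this page, not the paper's code, of the three join-style strategies the abstract names: a nested-loop baseline, a sort correlation that orders both predicate streams with a heap (heapq) and merges them, and a two-level index for streamed alerts whose first level hashes the predicate. It assumes the prerequisite/consequence hyper-alert model; the predicate names, the alert data, and the timestamps are constructed for the example, and the second level of the index is a time-ordered list searched with bisect rather than the Chained Bucket Hashing or Linear Hashing the paper evaluates.

```python
import heapq
from bisect import bisect_left
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Set, Tuple

# An instantiated predicate, e.g. ("ExistService", "10.0.0.5", "80").
# Arguments are kept as strings so tuples of the same name stay comparable.
Predicate = Tuple[str, ...]


@dataclass(frozen=True)
class HyperAlert:
    id: int
    name: str
    begin: int                      # timestamp of first member alert
    end: int                        # timestamp of last member alert
    prereq: Tuple[Predicate, ...]   # what must hold for the attack step
    conseq: Tuple[Predicate, ...]   # what holds after the step succeeds


def nested_loop_correlate(alerts: List[HyperAlert]) -> Set[Tuple[int, int]]:
    """Baseline nested-loop join: O(n^2) pair checks. h1 prepares for h2 when
    h1 ends before h2 begins and a consequence of h1 is a prerequisite of h2."""
    pairs = set()
    for h1 in alerts:
        for h2 in alerts:
            if h1.end < h2.begin and any(c in h2.prereq for c in h1.conseq):
                pairs.add((h1.id, h2.id))
    return pairs


def _heap_sorted(rows: list) -> list:
    """Heap sort via heapq: heapify, then pop in ascending order."""
    heapq.heapify(rows)
    return [heapq.heappop(rows) for _ in range(len(rows))]


def sort_correlate(alerts: List[HyperAlert]) -> Set[Tuple[int, int]]:
    """Sort-join analogue for batch correlation: sort consequences and
    prerequisites by (predicate, timestamp), then merge runs of equal predicate.
    Inside a run both sides are time-ordered, so the temporal constraint is a
    single advancing pointer instead of a pairwise check."""
    conseq = _heap_sorted([(c, h.end, h.id) for h in alerts for c in h.conseq])
    prereq = _heap_sorted([(p, h.begin, h.id) for h in alerts for p in h.prereq])
    pairs = set()
    i = j = 0
    while i < len(conseq) and j < len(prereq):
        if conseq[i][0] < prereq[j][0]:
            i += 1
        elif conseq[i][0] > prereq[j][0]:
            j += 1
        else:
            key = conseq[i][0]
            ci = i
            while i < len(conseq) and conseq[i][0] == key:
                i += 1
            pj = j
            while j < len(prereq) and prereq[j][0] == key:
                j += 1
            crun, prun = conseq[ci:i], prereq[pj:j]
            k = 0
            for _, begin, pid in prun:
                while k < len(crun) and crun[k][1] < begin:   # end < begin
                    k += 1
                for _, _, cid in crun[:k]:
                    pairs.add((cid, pid))
    return pairs


class TwoLevelIndex:
    """Streamed correlation: level 1 hashes the predicate (dict); level 2 keeps
    (end, alert id) of past consequences ordered by time (assumed list+bisect,
    standing in for the hashed second level the paper evaluates)."""

    def __init__(self) -> None:
        self.level1 = defaultdict(list)

    def insert(self, h: HyperAlert) -> None:
        for c in h.conseq:
            bucket = self.level1[c]
            entry = (h.end, h.id)
            bucket.insert(bisect_left(bucket, entry), entry)

    def correlate_new(self, h: HyperAlert) -> Set[Tuple[int, int]]:
        pairs = set()
        for p in h.prereq:
            bucket = self.level1.get(p, ())
            n = bisect_left(bucket, (h.begin, -1))   # entries with end < begin
            for _, cid in bucket[:n]:
                pairs.add((cid, h.id))
        return pairs


def stream_correlate(alerts: List[HyperAlert]) -> Set[Tuple[int, int]]:
    """Feed alerts in arrival order; each new alert is matched against the
    index of everything seen so far, then indexed itself."""
    idx, pairs = TwoLevelIndex(), set()
    for h in sorted(alerts, key=lambda a: a.begin):
        pairs |= idx.correlate_new(h)
        idx.insert(h)
    return pairs


# Constructed sample: a sweep -> scan -> exploit chain on 10.0.0.5, an unrelated
# scan of 10.0.0.9, and a late sweep (id 5) that must NOT pair with alert 2.
SAMPLE = [
    HyperAlert(1, "IPSweep", 1, 2, (), (("ExistHost", "10.0.0.5"),)),
    HyperAlert(2, "PortScan", 3, 4, (("ExistHost", "10.0.0.5"),),
               (("ExistService", "10.0.0.5", "80"),)),
    HyperAlert(3, "WebExploit", 5, 6, (("ExistService", "10.0.0.5", "80"),),
               (("Compromised", "10.0.0.5"),)),
    HyperAlert(4, "PortScan", 7, 8, (("ExistHost", "10.0.0.9"),),
               (("ExistService", "10.0.0.9", "22"),)),
    HyperAlert(5, "IPSweep", 9, 10, (), (("ExistHost", "10.0.0.5"),)),
]

if __name__ == "__main__":
    print(sorted(nested_loop_correlate(SAMPLE)))
    print(sorted(sort_correlate(SAMPLE)))
    print(sorted(stream_correlate(SAMPLE)))
```

All three strategies return the same prepare-for pairs on the sample, {(1, 2), (2, 3)}; the late sweep is excluded because its consequence holds only after alert 2 began. The sort and indexed versions do the same amount of output work but replace the pairwise scan with ordered merging or a hash lookup plus a time-bounded search, which is the efficiency gain the abstract's experiments measure.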
Similar references
Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach
Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in ...
Alert correlation and prediction using data mining and HMM
Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they seem to be promising technologies, they pose some serious drawbacks: When utilized in large and high traffic networks, IDSs generate high volumes of low-level alerts which are hardly manageable. Accordingly, there emerged a recent track of security research, focused on alert correlation, which ext...
Intrusion Alert Correlation Technique Analysis for Heterogeneous Log
Intrusion alert correlation is a multi-step process that receives alerts from heterogeneous log sources as input and produces a high-level description of the malicious activity on the network. The objective of this study is to analyse the current alert correlation techniques and identify the significant criteria in each technique that can improve the Intrusion Detection System (IDS) problem suc...
M4D4: a Logical Framework to Support Alert Correlation in Intrusion Detection
Managing and supervising security in large networks has become a challenging task, as new threats and flaws are being discovered on a daily basis. This requires an in depth and up-to-date knowledge of the context in which security-related events occur. Several tools have been proposed to support security operators in this task, each of which focuses on some specific aspects of the monitoring. M...
Building Attack Scenarios through Integration of Complementary Alert Correlation Method
Several alert correlation methods were proposed in the past several years to construct high-level attack scenarios from low-level intrusion alerts reported by intrusion detection systems (IDSs). These correlation methods have different strengths and limitations; none of them clearly dominate the others. However, all of these methods depend heavily on the underlying IDSs, and perform poorly when...