Case-Oriented Alert Correlation
نویسنده
چکیده
Correlating alerts is of importance for identifying complex attacks and discarding false alerts. Most popular alert correlation approaches employ some well-defined knowledge to uncover the connections among alerts. However, acquiring, representing and justifying such knowledge has turned out to be a nontrivial task. In this paper, we propose a novel method to work around these difficulties by using case-based reasoning (CBR). In our application, a case, constructed from training data, serves as an example of correlated alerts. It consists of a pattern of alerts caused by an attack and the identity of the attack. The runtime alert stream is then compared with each case, to see if any subset of the runtime alerts are similar to the pattern in the case. The process is reduced to a matching problem. Two kinds of matching methods were explored. The latter is much more efficient than the former. Our experiments with the DARPA Grand Challenge Problem attack simulator have shown that both produce almost the same results and that case-oriented alert correlation is effective in detecting intrusions. Key-Words: Alert Correlation, Case-Based Reasoning, Data Mining, Intrusion Detection
منابع مشابه
Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach
Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in ...
متن کاملApplication of Case-Based Reasoning to Multi-Sensor Network Intrusion Detection
An intrusion detection system (IDS) is generally limited by having a single detection model and a single information source for detecting attacks. Multi-sensor (or meta) intrusion detection addresses this problem by combining results of multiple IDSs and providing global decisions. Nearly all current meta-IDSs are either statistics-based or logical rule-based and typically require substantial h...
متن کاملUsing a Deep Understanding of Network Activities for Security Event Management
With the growing deployment of host-based and network-based intrusion detection systems in increasingly large and complex communication networks, managing low-level alerts from these systems becomes critically important. Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or intrusion prevention systems (IPSs) are collected throughout a monitored network such that...
متن کاملAn Alert Correlation Analysis Oriented Incremental Mining Algorithm of Closed Sequential Patterns with Gap Constraints
Large-scale network attacks will bring great damage to the network. Although the existing detection systems are able to detect a large number of known attacks, when facing large-scale network attacks, log data generated by these systems usually increases rapidly, which forms vast amount of alert information in a short period of time. This paper researches on picking up alert information efficie...
متن کاملAlert correlation and prediction using data mining and HMM
Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they seem to be promising technologies, they pose some serious drawbacks: When utilized in large and high traffic networks, IDSs generate high volumes of low-level alerts which are hardly manageable. Accordingly, there emerged a recent track of security research, focused on alert correlation, which ext...
متن کامل