Algebra for Capability Based Attack Correlation

Most of the existing intrusion detection systems (IDS) often generate large numbers of alerts which contain numerous false positives and non relevant positives. Alert correlation techniques aim to aggregate and combine the outputs of single/multiple IDS to provide a concise and broad view of the security state of network. Capability based alert correlator uses notion of capability to correlate IDS alerts where capability is the abstract view of attack extracted from IDS alerts/alert. To make correlation process semantically correct and systematic, there is a strong need to identify the algebraic and set properties of capability. In this work, we identify the potential algebraic properties of capability in terms of operations, relations and inferences. These properties give better insight to understand the logical association between capabilities which will be helpful in making the system modular. This paper also presents variant of correlation algorithm by using these algebraic properties. To make these operations more realistic, existing capability model has been empowered by adding time-based notion which helps to avoid temporal ambiguity between capability instances. The comparison between basic model and proposed model is exhibited by demonstrating cases in which false positives have been removed that occurred due to temporal ambiguity.