Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach

Authors

Abstract:

Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in practice. To provide a picture of the current intrusive activity on the network, we need a real-time alert correlation. Most causal methods can be deployed offline but not in real-time due to time and memory limitations. In the proposed method, the knowledge base of the attack patterns is represented in a graph model called the Causal Relations Graph. In the offline mode, we construct Queue trees related to alerts' probable correlations. In the real-time mode, for each received alert, we can find its correlations with previously received alerts by performing a search only in the corresponding tree. Therefore, the processing time of each alert decreases significantly. In addition, the proposed method is immune to deliberately slowed attacks. To verify the proposed method, it was implemented and tested using DARPA2000 dataset. Experimental results show the correctness of the proposed alert correlation and its efficiency with respect to the running time.

Upgrade to premium to download articles

Sign up to access the full text

Already have an account?login

similar resources

Real-Time Intrusion Detection Alert Correlation

Real-Time Intrusion Detection Alert Correlation

full text

Multistep Attack Detection and Alert Correlation in Intrusion Detection Systems

A growing trend in the cybersecurity landscape is represented by multistep attacks that involve multiple correlated intrusion activities to reach the intended target. The duty of correlating security alerts and reconstructing complete attack scenarios is left to system administrators because current Network Intrusion Detection Systems (NIDS) are still oriented to generate alerts related to sing...

full text

Intrusion alert prioritisation and attack detection using post-correlation analysis

Event Correlation used to be a widely used technique for interpreting alert logs and discovering network attacks. However, due to the scale and complexity of today’s networks and attacks, alert logs produced by these modern networks are much larger in volume and difficult to analyse. In this research we show that adding post-correlation methods can be used alongside correlation to significantly...

full text

A Comprehensive Approach to Intrusion Detection Alert Correlation

Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. Unfortunately, most approaches...

full text

Extending Intrusion Detection with Alert Correlation and Intrusion Tolerance

Intrusion detection is an important security tool. It has the possibility to provide valuable information about the current status of security. However, as enterprises deploy multiple intrusion detection sensors at key points in their networks, the issue of correlating messages from these sensors becomes increasingly important. A correlation capability reduces alert volume, and potentially impr...

full text

My Resources

Save resource for easier access later

Save to my library Already added to my library

{@ msg_add @}


Journal title

volume 4  issue 2

pages  125- 136

publication date 2012-07-01

By following a journal you will be notified via email when a new issue of this journal is published.

Hosted on Doprax cloud platform doprax.com

copyright © 2015-2023