
Reducing Intrusion Alert Trees to Aid Visualization

  • Conference paper
  • Network and System Security (NSS 2022)

Abstract

Cyber defense tools, such as intrusion detection systems, often produce huge amounts of alerts which must be parsed for defensive purposes, particularly cyber triage. In this paper, we utilize the notion of alert trees to represent the collection of routes that may have been used by a cyber attacker to compromise a set of computers. Although alert trees can be visualized to aid analysis, their usefulness in practice is often discounted by the fact that they can become unmanageable in size. This makes it difficult for cyber defenders to identify patterns or pinpoint network hotspots in order to prioritize defensive maneuvers, raising the need to reduce strain on defenders by minimizing the presence of non-critical information. To address this problem, we propose several methods, as well as a novel data structure, for modifying alert trees in order to reduce visual strain on defenders. We evaluate our methods using a real-world dataset, which demonstrates that our methods are effective at reducing redundancy while limiting collateral information loss.
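The abstract describes alert trees as the set of routes an attacker may have taken, and reduction as removing redundancy from such a tree while limiting collateral information loss. The following is an added illustration of that idea, not the paper's method, data structure or dataset: it unfolds constructed IDS alerts into a tree rooted at one host, then applies two generic reductions (merging duplicate siblings, then merging siblings whose subtrees have the same shape) and checks how many (host, signature) pairs the reduced tree still exposes. The alert values, the signature names and the retention metric are all assumptions made for the example.

```python
"""Added example: build an alert tree from IDS alerts, shrink it by merging
redundant subtrees, and measure what was lost. Illustrative only; this is not
the paper's method, data structure or dataset."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample alerts: (source host, destination host, IDS signature).
# Invented for this example; not drawn from the paper's real-world dataset.
ALERTS: List[Tuple[str, str, str]] = [
    ("10.0.0.5", "10.0.1.10", "ET SCAN Nmap"),
    ("10.0.0.5", "10.0.1.10", "ET SCAN Nmap"),  # exact duplicate of the line above
    ("10.0.0.5", "10.0.1.11", "ET SCAN Nmap"),
    ("10.0.1.10", "10.0.2.20", "ET EXPLOIT SMB"),
    ("10.0.1.10", "10.0.2.21", "ET EXPLOIT SMB"),
    ("10.0.1.11", "10.0.2.20", "ET EXPLOIT SMB"),
    ("10.0.1.11", "10.0.2.21", "ET EXPLOIT SMB"),
]


@dataclass
class Node:
    host: str                 # one host, or a comma-joined group of hosts after reduction
    signature: str            # signature of the alert that reached this host ("" at the root)
    count: int = 1            # raw alerts folded into this node
    children: List["Node"] = field(default_factory=list)

    def size(self) -> int:
        """Nodes in the subtree: the visual load a defender has to read."""
        return 1 + sum(child.size() for child in self.children)


def build_tree(root: str, alerts, max_depth: int = 4) -> Node:
    """Unfold every alert route starting at `root` into a tree.

    Each alert is an edge; hosts already on the current path are skipped so
    cycles in the alert graph do not unfold forever."""
    out_edges: Dict[str, List[Tuple[str, str]]] = {}
    for src, dst, sig in alerts:
        out_edges.setdefault(src, []).append((dst, sig))

    def expand(host: str, sig: str, on_path: FrozenSet[str], depth: int) -> Node:
        node = Node(host, sig)
        if depth < max_depth:
            for dst, edge_sig in out_edges.get(host, []):
                if dst not in on_path:
                    node.children.append(expand(dst, edge_sig, on_path | {dst}, depth + 1))
        return node

    return expand(root, "", frozenset({root}), 0)


def merge_duplicates(node: Node) -> Node:
    """Reduction 1: siblings with the same (host, signature) become one node.

    Counts are summed and children pooled, so only repetition is removed."""
    merged: Dict[Tuple[str, str], Node] = {}
    for child in node.children:
        key = (child.host, child.signature)
        if key in merged:
            merged[key].count += child.count
            merged[key].children.extend(child.children)
        else:
            merged[key] = Node(child.host, child.signature, child.count, list(child.children))
    return Node(node.host, node.signature, node.count,
                [merge_duplicates(c) for c in merged.values()])


def shape(node: Node) -> Tuple:
    """Host-agnostic description of a subtree: its signature plus its children's shapes."""
    return (node.signature, tuple(sorted(shape(c) for c in node.children)))


def merge_similar(node: Node) -> Node:
    """Reduction 2: siblings whose subtrees have the same shape are drawn once.

    The hosts stay on the merged node as a group, so the defender still sees which
    machines were involved; what is lost is which exact host reached which."""
    groups: Dict[Tuple, List[Node]] = {}
    for child in node.children:
        groups.setdefault(shape(child), []).append(child)
    new_children = []
    for members in groups.values():
        pooled = Node(",".join(sorted({m.host for m in members})),
                      members[0].signature,
                      sum(m.count for m in members),
                      [c for m in members for c in m.children])
        new_children.append(merge_similar(pooled))
    return Node(node.host, node.signature, node.count, new_children)


def host_signature_pairs(node: Node) -> FrozenSet[Tuple[str, str]]:
    """Retention metric (an assumption of this example): (host, signature) pairs still readable."""
    pairs = {(h, node.signature) for h in node.host.split(",")}
    for child in node.children:
        pairs |= host_signature_pairs(child)
    return frozenset(pairs)


def reduce_tree(root: Node) -> Node:
    """Apply both reductions in order."""
    return merge_similar(merge_duplicates(root))


if __name__ == "__main__":
    raw = build_tree("10.0.0.5", ALERTS)
    small = reduce_tree(raw)
    print("nodes before/after:", raw.size(), small.size())
    print("all host/signature pairs retained:",
          host_signature_pairs(small) == host_signature_pairs(raw))
```

On the constructed alerts the raw tree has 10 nodes, merging duplicates brings it to 7, and merging same-shaped siblings brings it to 3, with every (host, signature) pair still visible. The collateral loss is per-edge attribution inside a grouped node: after the second reduction the tree no longer says which of the two scanned hosts reached which of the two exploited hosts, which is exactly the kind of trade-off the abstract's "limiting collateral information loss" refers to.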



Acknowledgments

This work was supported in part by NSF Grants #1736209, #2122631 and #2115134, and by Colorado State Bill 18-086.

Author information

Correspondence to Eric Ficke.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Ficke, E., Bateman, R.M., Xu, S. (2022). Reducing Intrusion Alert Trees to Aid Visualization. In: Yuan, X., Bai, G., Alcaraz, C., Majumdar, S. (eds) Network and System Security. NSS 2022. Lecture Notes in Computer Science, vol 13787. Springer, Cham. https://doi.org/10.1007/978-3-031-23020-2_8


  • DOI: https://doi.org/10.1007/978-3-031-23020-2_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-23019-6

  • Online ISBN: 978-3-031-23020-2
