Correlating Alerts into Compressed Graphs Using an Attribute-Based Method and Time Windows

  • Conference paper
Security Technology (SecTech 2009)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 58))

Abstract

Intrusion Detection Systems usually report a huge number of alerts every day. Since the abstraction level of these alerts is very low, analyzing them and discovering the attack strategies behind them is difficult or even impossible. Alert correlation methods have been developed to decrease the number of alerts and to provide a high-level abstraction of them. In this paper, we propose a method to estimate correlation probabilities between alerts. The concept of time windows is applied in a special way to decrease the complexity and to increase the accuracy as well. In addition, we suggest a compression method that further reduces the number of comparisons needed for correlating alerts and makes the output of the method more intelligible. Our experiments reveal that, while the proposed correlation method performs accurately, its complexity drops noticeably compared to previous methods.

This project has been supported in part by the Iran Telecommunication Research Center (ITRC) under grant no. T/500/20120.

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ahmadinejad, S.H., Jalili, S. (2009). Correlating Alerts into Compressed Graphs Using an Attribute-Based Method and Time Windows. In: Ślęzak, D., Kim, Th., Fang, WC., Arnett, K.P. (eds) Security Technology. SecTech 2009. Communications in Computer and Information Science, vol 58. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10847-1_3

  • DOI: https://doi.org/10.1007/978-3-642-10847-1_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-10846-4

  • Online ISBN: 978-3-642-10847-1
