Abstract
Intrusion Detection Systems usually report a huge number of alerts every day. Since the abstraction level of these alerts is very low, analyzing them and discovering the attack strategies behind them is not easy, or even possible. Alert correlation methods have been developed to decrease the number of alerts and provide a high-level abstraction of them. In this paper, we propose a method to estimate correlation probabilities between alerts. The concept of time windows is applied in a special way to decrease the complexity and increase the accuracy as well. In addition, we suggest a compression method that further reduces the number of comparisons needed for correlating alerts and makes the output of the method more intelligible. Our experiments reveal that while the proposed correlation method performs accurately, its complexity drops noticeably compared to previous methods.
This project has been supported in part by the Iran Telecommunication Research Center (ITRC) under grant no. T/500/20120.
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Ahmadinejad, S.H., Jalili, S. (2009). Correlating Alerts into Compressed Graphs Using an Attribute-Based Method and Time Windows. In: Ślęzak, D., Kim, Th., Fang, WC., Arnett, K.P. (eds) Security Technology. SecTech 2009. Communications in Computer and Information Science, vol 58. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10847-1_3
DOI: https://doi.org/10.1007/978-3-642-10847-1_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10846-4
Online ISBN: 978-3-642-10847-1
eBook Packages: Computer Science (R0)