
IDS alerts correlation using grammar-based approach

  • Original Paper
  • Journal in Computer Virology

Abstract

An Intrusion Detection System (IDS) is a security technology that attempts to identify intrusions. Defending against multi-step intrusions, in which each step prepares the ground for the next, is a challenging task. In this paper we propose a novel approach to alert post-processing and correlation, the Alerts Parser. Unlike most other alert correlation methods, our approach treats alerts as tokens and uses a modified version of the LR parser to generate parse trees that represent the attack scenarios present in the alert stream. An Attribute Context-Free Grammar (ACF-grammar) is used to represent multi-step attacks; attack scenario information and prerequisite/consequence knowledge are included together in the ACF-grammar, which improves the correlation results. The modified LR parser relies on these ACF-grammars to generate the parse trees. The experiments were performed on two different sets of network traffic traces, using different open-source and commercial IDS sensors. The discovered scenarios are represented by Correlation Graphs (CGs). The experimental results show that the Alerts Parser can work in parallel, effectively correlates related alerts with a low false correlation rate, uncovers the attack strategies, and generates concise CGs.
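The following Python sketch is an added worked example of the mechanism the abstract describes; it is not code from the paper and does not reproduce the authors' Alerts Parser or their ACF-grammars. It treats each IDS alert as a token, writes a four-step attack (reconnaissance, exploit, tool install, DDoS launch) as productions of a small attribute grammar, attaches prerequisite/consequence knowledge to those productions as attribute checks, and runs a shift-reduce parser per scenario so that interleaved attacks and unrelated alerts are separated. The signature-to-token map, the grammar, the host addresses and the alert stream are all constructed assumptions.

```python
# Added illustration (not the paper's Alerts Parser): IDS alerts are tokens, a multi-step attack is
# a production of an attribute grammar, and a shift-reduce parser builds a parse tree per scenario.
from dataclasses import dataclass, field

TOKEN_OF = {"ICMP PING": "SCAN", "PORTSCAN": "SCAN", "RPC sadmind overflow": "EXPLOIT",
            "RSH tool upload": "INSTALL", "DDoS flood": "DDOS"}   # constructed signature -> token

@dataclass
class Node:                       # a token (terminal) or a reduced nonterminal
    sym: str
    src: str                      # synthesized attributes: attacker and victim address
    dst: str
    alerts: list = field(default_factory=list)     # alert ids under this node, in order
    children: list = field(default_factory=list)

# Reduce-time checks carry the prerequisite/consequence knowledge of each production.
def same_pair(ch):                # every child has the same attacker and the same victim
    return all((c.src, c.dst) == (ch[0].src, ch[0].dst) for c in ch)
def attack_ok(ch):                # the probed host is the one broken into, and it sends the DDoS
    recon, breakin, launch = ch
    return same_pair([recon, breakin]) and launch.src == breakin.dst

GRAMMAR = {                       # nonterminal -> [(right-hand side, check)]
    "ATTACK":  [(("RECON", "BREAKIN", "LAUNCH"), attack_ok)],
    "RECON":   [(("RECON", "SCAN"), same_pair), (("SCAN",), same_pair)],
    "BREAKIN": [(("EXPLOIT", "INSTALL"), same_pair)],
    "LAUNCH":  [(("DDOS",), same_pair)]}
START = ("ATTACK",)
def pivot(tok):                   # inherited attribute, checked at shift time: the scenario's
    return tok.src if tok.sym == "DDOS" else tok.dst   # victim, which becomes the DDoS source

def viable(syms, rhs, seen=frozenset()):
    """True if `syms` is a proper prefix of some expansion of `rhs` (more input must follow)."""
    if not syms or not rhs:
        return not syms and bool(rhs)
    head, rest = rhs[0], rhs[1:]
    if syms[0] == head:
        return viable(syms[1:], rest)
    if head in seen:                            # stops the left recursion RECON -> RECON SCAN
        return False
    return any(viable(syms, alt + rest, seen | {head}) for alt, _ in GRAMMAR.get(head, []))

class ScenarioParser:
    """Shift-reduce parser for one scenario.  The grammar has no shift/reduce conflicts,
    so greedy longest-match reduction stands in for generated LR action tables."""
    def __init__(self):
        self.stack, self.victim = [], None

    def _reduce_once(self):
        for lhs, alts in GRAMMAR.items():
            for rhs, check in sorted(alts, key=lambda a: -len(a[0])):
                top = self.stack[-len(rhs):]
                if len(top) == len(rhs) and tuple(t.sym for t in top) == rhs and check(top):
                    self.stack[-len(rhs):] = [Node(lhs, top[0].src, top[0].dst,
                                                   [a for t in top for a in t.alerts], top)]
                    return True
        return False

    def feed(self, tok):          # shift if the scenario can still complete, else reject
        if self.victim not in (None, pivot(tok)):
            return False
        saved = list(self.stack)
        self.stack.append(tok)
        while self._reduce_once(): pass
        syms = tuple(t.sym for t in self.stack)
        if syms == START or viable(syms, START):
            self.victim = pivot(tok)
            return True
        self.stack = saved                          # roll back: the alert belongs elsewhere
        return False
    def tree(self):               # the finished parse tree, or None while incomplete
        return self.stack[0] if len(self.stack) == 1 and self.stack[0].sym == START[0] else None

def correlate(alerts):
    """Offer each alert, in time order, to the open parsers, starting a new parser when none
    accepts it.  Returns (complete parse trees, alert ids of partial scenarios, noise ids)."""
    parsers, noise = [], []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        tok = Node(TOKEN_OF.get(a["sig"], "UNKNOWN"), a["src"], a["dst"], [a["id"]])
        new = ScenarioParser()
        if not any(p.feed(tok) for p in parsers + [new]):
            noise.append(a["id"])               # no grammar step can use this alert here
        elif new.stack:
            parsers.append(new)
    complete = [p.tree() for p in parsers if p.tree()]
    partial = [[i for n in p.stack for i in n.alerts] for p in parsers if not p.tree()]
    return complete, partial, noise

def correlation_graph(tree):      # CG edges: each alert points to the next step of its scenario
    return list(zip(tree.alerts, tree.alerts[1:]))

# Constructed alert stream: two interleaved attackers plus one unrelated alert (id 5).
ALERTS = [dict(zip(("id", "ts", "sig", "src", "dst"), r)) for r in [
    (1, 100, "ICMP PING", "10.0.0.5", "172.16.1.10"),
    (2, 101, "PORTSCAN", "10.0.0.5", "172.16.1.10"),
    (3, 102, "ICMP PING", "10.0.0.9", "172.16.1.20"),
    (4, 103, "RPC sadmind overflow", "10.0.0.5", "172.16.1.10"),
    (5, 104, "WEB-MISC robots.txt", "10.0.0.7", "172.16.1.30"),
    (6, 105, "RSH tool upload", "10.0.0.5", "172.16.1.10"),
    (7, 106, "RPC sadmind overflow", "10.0.0.9", "172.16.1.20"),
    (8, 107, "DDoS flood", "172.16.1.10", "192.0.2.1")]]
```

Calling `correlate(ALERTS)` yields one complete scenario (alerts 1, 2, 4, 6, 8, with the CG edges 1→2→4→6→8), one partial scenario still waiting for its next step (alerts 3 and 7), and alert 5 as uncorrelated noise. Two design points matter for the false-correlation rate: the inherited attribute (`pivot`) rejects an alert at shift time when it concerns another victim, and the synthesized checks (`same_pair`, `attack_ok`) reject a reduction when the attacker or the compromised host does not line up, so a DDoS from a host that was never broken into is never attached. Because each parser is deterministic with a single stack, an alert absorbed by the wrong scenario cannot be reassigned later; a production implementation would need either generated LR tables with error recovery or parallel parse stacks to cover such ambiguities.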



Corresponding author

Correspondence to Safaa O. Al-Mamory.

Cite this article

Al-Mamory, S.O., Zhang, H. IDS alerts correlation using grammar-based approach. J Comput Virol 5, 271–282 (2009). https://doi.org/10.1007/s11416-008-0103-3
