Abstract
It is difficult for security administrators to detect attacks well when they are faced with large amounts of multi-platform, multi-source alert data. However, most attack events are not isolated and consist of a certain number of steps. With the help of alert correlation, such attacks can be revealed well. In our paper, we propose a PMASP (Purpose-oriented Maximum Attack Sequence Patterns) algorithm for threat detection based on alert correlation. Firstly, we format alarm records and reduce redundant alarms. Then, with the help of attack classification, we generate initial attack sequences through clustering. Later, PMASP is employed to mine the frequent sequence set. Finally, we use XML to construct rules for detection. These rules represent attack patterns that are helpful for security administrators. We simulate several attacks and detect them with the generated rules. The detection rate shows that the rules are reasonable and effective.
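As an added illustration (not the paper's PMASP implementation, whose details are not on this page), the following Python walks the pipeline the abstract describes over constructed alert records: redundancy reduction, per-(source, destination) sequence construction, mining of maximal frequent sequence patterns by brute-force subsequence enumeration, XML rule generation, and detection. The attack class names, the time window and the rule schema are assumptions.

```python
from collections import defaultdict
from itertools import combinations
import xml.etree.ElementTree as ET

# Constructed sample alerts (not real data): (timestamp, src, dst, attack class).
ALERTS = [
    (1, "10.0.0.5", "10.0.0.9", "scan"), (2, "10.0.0.5", "10.0.0.9", "scan"),  # duplicate
    (10, "10.0.0.5", "10.0.0.9", "exploit"), (20, "10.0.0.5", "10.0.0.9", "privesc"),
    (1, "10.0.0.7", "10.0.0.9", "scan"), (11, "10.0.0.7", "10.0.0.9", "exploit"),
    (21, "10.0.0.7", "10.0.0.9", "privesc"),
    (5, "10.0.0.8", "10.0.0.3", "scan"), (6, "10.0.0.8", "10.0.0.3", "dos"),
]

def reduce_redundant(alerts, window=5):
    # Step 1: drop repeats of the same (src, dst, class) within `window` seconds.
    last, kept = {}, []
    for ts, src, dst, cls in sorted(alerts):
        key = (src, dst, cls)
        if key in last and ts - last[key] <= window:
            continue
        last[key] = ts
        kept.append((ts, src, dst, cls))
    return kept

def build_sequences(alerts):
    # Step 2: one time-ordered sequence of attack classes per (src, dst) pair.
    seqs = defaultdict(list)
    for _, src, dst, cls in sorted(alerts):
        seqs[(src, dst)].append(cls)
    return list(seqs.values())

def is_subsequence(pattern, seq):
    it = iter(seq)  # order-preserving containment test (gaps allowed)
    return all(step in it for step in pattern)

def maximal_frequent_patterns(seqs, min_support=2):
    # Step 3: count each ordered subsequence once per sequence, keep the frequent
    # ones, then drop any pattern contained in a longer frequent pattern.
    support = defaultdict(int)
    for seq in seqs:
        for sub in {s for n in range(2, len(seq) + 1) for s in combinations(seq, n)}:
            support[sub] += 1
    frequent = [p for p, c in support.items() if c >= min_support]
    return sorted(p for p in frequent
                  if not any(len(q) > len(p) and is_subsequence(p, q) for q in frequent))

def pattern_to_xml(pattern):
    # Step 4: serialise a mined pattern as a simple XML detection rule (assumed schema).
    rule = ET.Element("rule", name="-".join(pattern))
    for i, cls in enumerate(pattern):
        ET.SubElement(rule, "step", order=str(i + 1), attack=cls)
    return ET.tostring(rule, encoding="unicode")

def detect(seq, patterns):
    # Step 5: the mined patterns that a new alert-class sequence matches.
    return [p for p in patterns if is_subsequence(p, seq)]
```

Brute-force enumeration is exponential in sequence length and is only meant to make the maximal-pattern idea concrete; a real miner prunes the search space.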
Acknowledgements
This study was partly supported by the following funds: National Natural Science Foundation of China under grant numbers 61472113 and 61304188, and Zhejiang Provincial Natural Science Foundation of China under grant numbers LZ13F020004 and LR14F020003.
Cite this article
Lu, X., Han, J., Ren, Q. et al. Network threat detection based on correlation analysis of multi-platform multi-source alert data. Multimed Tools Appl 79, 33349–33363 (2020). https://doi.org/10.1007/s11042-018-6689-7