
Network threat detection based on correlation analysis of multi-platform multi-source alert data

Multimedia Tools and Applications

Abstract

Security administrators find it difficult to detect attacks when faced with large volumes of multi-platform, multi-source alert data. Most attack events, however, are not isolated: an attack unfolds over a number of steps, and alert correlation can reveal it. In this paper we propose PMASP (Purpose-oriented Maximum Attack Sequence Patterns), an algorithm for threat detection based on alert correlation. First, we format the alarm records into a common representation and reduce redundant alarms. Then, using an attack classification, we generate initial attack sequences by clustering. Next, PMASP mines the set of frequent sequence patterns. Finally, we use XML to express the mined patterns as detection rules; these rules represent attack patterns that are useful to security administrators. We simulate several attacks and detect them with the rules. The detection rate shows that the rules are reasonable and effective.
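As an added worked example (not code from the paper, whose PMASP algorithm is not reproduced here), the following Python sketch runs the abstract's five steps over a constructed set of alerts from two hypothetical sensors: normalise the records onto one schema, drop redundant alarms, cluster by source/destination into attack sequences, mine frequent sequence patterns and keep only the maximal ones, serialise a pattern as an XML rule, and detect that rule against the alert stream. The attack-class taxonomy, the per-sensor field names, the de-duplication window and idle gap, and the alert data are all assumptions; the miner is a brute-force subsequence count with a maximality filter standing in for PMASP.

```python
# Added illustration of the abstract's pipeline: format -> de-duplicate ->
# cluster into attack sequences -> mine maximal frequent sequential patterns
# -> XML rule -> detect. The miner is a brute-force subsequence count, NOT the
# paper's PMASP; classes, field names, thresholds and data are all assumptions.
from collections import defaultdict
from itertools import combinations
import xml.etree.ElementTree as ET

# Assumed attack classification (signature -> class).
ATTACK_CLASS = {"portscan": "Recon", "ssh-bruteforce": "Access",
                "sudo-abuse": "Escalation", "large-outbound": "Exfiltration"}
# Assumed per-sensor field names; this stands in for the formatting step.
FIELD_MAP = {"nids": {"ts": "ts", "src": "src", "dst": "dst", "sig": "sig"},
             "hids": {"ts": "time", "src": "source", "dst": "target", "sig": "name"}}

# Constructed sample alerts from two hypothetical sensors (not real data).
RAW_ALERTS = [
    {"sensor": "nids", "ts": 100, "src": "10.0.0.5", "dst": "10.0.0.9", "sig": "portscan"},
    {"sensor": "nids", "ts": 105, "src": "10.0.0.5", "dst": "10.0.0.9", "sig": "portscan"},
    {"sensor": "nids", "ts": 200, "src": "10.0.0.5", "dst": "10.0.0.9", "sig": "ssh-bruteforce"},
    {"sensor": "hids", "time": 300, "source": "10.0.0.5", "target": "10.0.0.9", "name": "sudo-abuse"},
    {"sensor": "hids", "time": 400, "source": "10.0.0.5", "target": "10.0.0.9", "name": "large-outbound"},
    {"sensor": "nids", "ts": 150, "src": "10.0.0.7", "dst": "10.0.0.9", "sig": "portscan"},
    {"sensor": "nids", "ts": 250, "src": "10.0.0.7", "dst": "10.0.0.9", "sig": "ssh-bruteforce"},
    {"sensor": "hids", "time": 350, "source": "10.0.0.7", "target": "10.0.0.9", "name": "sudo-abuse"},
    {"sensor": "hids", "time": 450, "source": "10.0.0.7", "target": "10.0.0.9", "name": "large-outbound"},
    {"sensor": "nids", "ts": 500, "src": "10.0.0.8", "dst": "10.0.0.9", "sig": "portscan"},
    {"sensor": "nids", "ts": 2000, "src": "10.0.0.7", "dst": "10.0.0.12", "sig": "portscan"},
    {"sensor": "nids", "ts": 2100, "src": "10.0.0.7", "dst": "10.0.0.12", "sig": "ssh-bruteforce"},
]

def normalise(raw):
    """Map every sensor's record onto one schema and classify the signature."""
    out = []
    for a in raw:
        m = FIELD_MAP[a["sensor"]]
        out.append({"ts": a[m["ts"]], "src": a[m["src"]], "dst": a[m["dst"]],
                    "cls": ATTACK_CLASS.get(a[m["sig"]], "Unknown")})
    return sorted(out, key=lambda x: x["ts"])

def dedupe(alerts, window=30):
    """Drop an alert if the same (src, dst, class) was kept within `window` seconds."""
    last, kept = {}, []
    for a in alerts:
        k = (a["src"], a["dst"], a["cls"])
        if k in last and a["ts"] - last[k] <= window:
            continue
        last[k] = a["ts"]
        kept.append(a)
    return kept

def build_sequences(alerts, gap=600):
    """Cluster alerts by (src, dst) into ordered class sequences, split on idle gaps."""
    by_pair = defaultdict(list)
    for a in alerts:
        by_pair[(a["src"], a["dst"])].append(a)
    seqs = []
    for pair, items in by_pair.items():
        cur = [items[0]["cls"]]
        for prev, a in zip(items, items[1:]):
            if a["ts"] - prev["ts"] > gap:
                seqs.append((pair, tuple(cur)))
                cur = []
            cur.append(a["cls"])
        seqs.append((pair, tuple(cur)))
    return seqs

def is_subseq(pattern, seq):
    """True if `pattern` occurs in `seq` in order (gaps allowed)."""
    it = iter(seq)
    return all(x in it for x in pattern)

def mine_maximal_patterns(seqs, min_sup=2, min_len=2):
    """Count each distinct subsequence once per sequence, keep the frequent ones,
    then drop any pattern contained in a longer frequent pattern (maximality)."""
    support = defaultdict(int)
    for s in seqs:
        cands = {tuple(s[i] for i in idx) for n in range(min_len, len(s) + 1)
                 for idx in combinations(range(len(s)), n)}
        for c in cands:
            support[c] += 1
    frequent = [p for p, c in support.items() if c >= min_sup]
    maximal = [p for p in frequent
               if not any(len(q) > len(p) and is_subseq(p, q) for q in frequent)]
    return sorted(maximal, key=lambda p: (-len(p), p))

def pattern_to_rule(pattern, rule_id):
    """Serialise a mined pattern as an ordered-step XML rule."""
    rule = ET.Element("rule", id=rule_id)
    for i, cls in enumerate(pattern, 1):
        ET.SubElement(rule, "step", order=str(i), attack=cls)
    return ET.tostring(rule, encoding="unicode")

def rule_steps(rule_xml):
    """Parse an XML rule back into its ordered tuple of attack classes."""
    root = ET.fromstring(rule_xml)
    return tuple(e.get("attack") for e in sorted(root, key=lambda e: int(e.get("order"))))

def detect(rule_xml, raw):
    """Return the (src, dst) pairs whose alert sequence contains the rule's steps in order."""
    steps = rule_steps(rule_xml)
    return [pair for pair, s in build_sequences(dedupe(normalise(raw))) if is_subseq(steps, s)]
```

On the constructed data, two source hosts run the full Recon, Access, Escalation, Exfiltration chain against 10.0.0.9 and a third pair shows only Recon, Access; with a support threshold of 2 the shorter chain is frequent but not maximal, so only the four-step pattern becomes a rule, and `detect` flags exactly the two full-chain pairs. The maximality filter is what keeps the rule set from filling up with every prefix and sub-chain of a longer attack.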




Acknowledgements

This study was partly supported by the following funds: National Natural Science Foundation of China under grant numbers 61472113 and 61304188, and Zhejiang Provincial Natural Science Foundation of China under grant numbers LZ13F020004 and LR14F020003.


Corresponding author

Correspondence to Jing Ou.


About this article


Cite this article

Lu, X., Han, J., Ren, Q. et al. Network threat detection based on correlation analysis of multi-platform multi-source alert data. Multimed Tools Appl 79, 33349–33363 (2020). https://doi.org/10.1007/s11042-018-6689-7
