Abstract
Deploying a large number of information security (INFOSEC) systems can provide in-depth protection for systems and networks. However, the sheer number of security alerts output by security sensors can overwhelm security analysts and keep them from performing effective analysis and initiating timely response. It is therefore important to develop an advanced alert correlation system that can reduce alarm redundancy, intelligently correlate security alerts and detect attack strategies; alert correlation is a core component of a security management system.
Correlating security alerts and discovering attack strategies are important and challenging tasks for security analysts. Several techniques have recently been proposed for analyzing attack scenarios from security alerts. However, most of these approaches depend on a priori, hard-coded domain knowledge, which limits their ability to detect new attack strategies. In addition, these approaches focus more on the aggregation and analysis of raw security alerts, and build only basic or low-level attack scenarios.
This paper focuses on discovering novel attack strategies via analysis of security alerts. Our integrated alert correlation system helps security administrators aggregate redundant alerts, filter out unrelated attacks, correlate security alerts and analyze attack scenarios.
Our integrated correlation system consists of three complementary correlation mechanisms based on two hypotheses about the relationship between attack steps. The first hypothesis is that some attack steps are directly related because an earlier attack enables or positively affects the later one. We have developed a probabilistic correlation engine that incorporates domain knowledge to correlate alerts with a direct causal relationship. The second hypothesis is that some related attack steps, even though they have no obvious, direct (or known) relationship in terms of security and performance measures, still exhibit statistical and temporal patterns. For this category of relationship, we have developed two correlation engines that discover attack transition patterns based on statistical analysis and temporal pattern analysis, respectively. Based on the results of these three correlation engines, we construct attack scenarios and conduct attack path analysis. The integrated correlation system presents security analysts with aggregated information on attack strategies.
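As an added illustration of the two hypotheses above (this is not the authors' system or code): a Python sketch in which a hypothetical rule table stands in for the domain knowledge of the direct-causal engine, recurring consecutive-alert transitions on constructed alerts stand in for the paper's statistical analysis, and both feed one scenario graph from which attack paths are read. The alert types, hosts and priors are all constructed for the example.

```python
from collections import Counter, defaultdict
# Constructed sample alerts (time, type, source host, target host), not from the paper; hosts
# 10.0.0.20 and 10.0.0.21 suffer the same intrusion, and the first scan is reported three times.
ALERTS = [
    (100, "port_scan", "10.0.0.5", "10.0.0.20"), (101, "port_scan", "10.0.0.5", "10.0.0.20"),
    (103, "port_scan", "10.0.0.5", "10.0.0.20"), (130, "exploit_attempt", "10.0.0.5", "10.0.0.20"),
    (160, "new_admin_account", "10.0.0.20", "10.0.0.20"), (200, "dns_volume_spike", "10.0.0.20", "10.0.0.53"),
    (230, "large_outbound_transfer", "10.0.0.20", "198.51.100.7"),
    (500, "exploit_attempt", "10.0.0.6", "10.0.0.21"), (530, "new_admin_account", "10.0.0.21", "10.0.0.21"),
    (560, "dns_volume_spike", "10.0.0.21", "10.0.0.53"), (590, "large_outbound_transfer", "10.0.0.21", "198.51.100.9"),
    (900, "port_scan", "10.0.0.9", "10.0.0.30"),  # unrelated scan that should stay uncorrelated
]
# Hypothetical domain-knowledge table for engine 1: earlier type -> {later type: prior that it enables it}.
ENABLES = {"port_scan": {"exploit_attempt": 0.7}, "exploit_attempt": {"new_admin_account": 0.8}}
def aggregate(alerts, window=10):
    # Merge repeats of one (type, src, dst) arriving within `window` into a single hyper-alert with a count.
    merged = []
    for t, kind, src, dst in sorted(alerts):
        if merged and merged[-1][1:4] == [kind, src, dst] and t - merged[-1][0] <= window:
            merged[-1][4] += 1
        else:
            merged.append([t, kind, src, dst, 1])
    return [tuple(m) for m in merged]

def causal_edges(hyper, window=120):
    # Engine 1: keep A->B only when domain knowledge says A enables B and B follows A on a shared host.
    edges = {}
    for a in hyper:
        for b in hyper:
            if 0 < b[0] - a[0] <= window and {a[2], a[3]} & {b[2], b[3]} and b[1] in ENABLES.get(a[1], {}):
                edges[(a[1], b[1])] = ENABLES[a[1]][b[1]]
    return edges

def statistical_edges(hyper, window=120, min_support=2):
    # Engine 2: transitions between consecutive alerts on a host that recur across hosts and have no known rule.
    seqs = defaultdict(list)  # time-ordered hyper-alert indices per host (listed under both src and dst)
    for i, h in enumerate(hyper):
        for host in {h[2], h[3]}:
            seqs[host].append(i)
    pairs = {(i, j) for seq in seqs.values() for i, j in zip(seq, seq[1:]) if hyper[j][0] - hyper[i][0] <= window}
    support = Counter((hyper[i][1], hyper[j][1]) for i, j in pairs)
    return {k: n for k, n in support.items() if n >= min_support and k[1] not in ENABLES.get(k[0], {})}
def attack_paths(edges):
    # Chain the correlated steps into maximal paths that begin at a step nothing else leads to.
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    def walk(node, path):
        return [path] if not succ[node] else [p for n in succ[node] for p in walk(n, path + [n])]
    return [p for s in sorted(succ) if s not in {b for _, b in edges} for p in walk(s, [s])]
```

Running the two engines on the constructed alerts links the rule-covered steps (scan to exploit to new account) with the statistically recurring ones (new account to DNS spike to outbound transfer) into a single five-step path, while the lone scan of 10.0.0.30 is left out.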
We evaluate our approaches using DARPA’s Grand Challenge Problem (GCP) data sets. Our evaluation shows that our approach can effectively discover novel attack strategies, provide a quantitative analysis of attack scenarios and identify attack plans.
The work was done when the author was at College of Computing at Georgia Institute of Technology.
Copyright information
© 2007 Springer Science+Business Media, LLC
Cite this chapter
Qin, X., Lee, W. (2007). Discovering Novel Attack Strategies from Infosec Alerts. In: Data Warehousing and Data Mining Techniques for Cyber Security. Advances in Information Security, vol 31. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-47653-7_7
DOI: https://doi.org/10.1007/978-0-387-47653-7_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-26409-7
Online ISBN: 978-0-387-47653-7