Analyzing Intensive Intrusion Alerts via Correlation

  • Peng Ning
  • Yun Cui
  • Douglas S. Reeves
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2516)


Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. Several complementary alert correlation methods have been proposed to address this problem. As one of these methods, we have developed a framework to correlate intrusion alerts using prerequisites of intrusions. In this paper, we continue this work to study the feasibility of this method in analyzing real-world, intensive intrusions. In particular, we develop three utilities (called adjustable graph reduction, focused analysis, and graph decomposition) to facilitate the analysis of large sets of correlated alerts. We study the effectiveness of the alert correlation method and these utilities through a case study with the network traffic captured at the DEF CON 8 Capture the Flag (CTF) event. Our results show that these utilities can simplify the analysis of large amounts of alerts, and also reveals several attack strategies that were repeatedly used in the DEF CON 8 CTF event.


Intrusion Detection Alert Correlation Attack Scenario Analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Javits, H., Valdes, A.: The NIDES statistical component: Description and justification. Technical report, SRI International, Computer Science Laboratory (1993)Google Scholar
  2. 2.
    Vigna, G., Kemmerer, R.A.: NetSTAT: A network-based intrusion detection system. Journal of Computer Security 7 (1999) 37–71Google Scholar
  3. 3.
    Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001). (2001) 54–68Google Scholar
  4. 4.
    Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Recent Advances in Intrusion Detection. LNCS 2212 (2001) 85–103CrossRefGoogle Scholar
  5. 5.
    Dain, O., Cunningham, R.: Fusing a heterogeneous alert stream into scenarios. In: Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications. (2001) 1–13Google Scholar
  6. 6.
    Ning, P., Reeves, D.S., Cui, Y.: Correlating alerts using prerequisites of intrusions. Technical Report TR-2001-13, North Carolina State University, Department of Computer Science (2001)Google Scholar
  7. 7.
    Ning, P., Cui, Y.: An intrusion alert correlator based on prerequisites of intrusions. Technical Report TR-2002-01, North Carolina State University, Department of Computer Science (2002)Google Scholar
  8. 8.
    MIT Lincoln Lab: 2000 DARPA intrusion detection scenario specific datasets. (2000)
  9. 9.
    Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A data mining analysis of RTID alarms. Computer Networks 34 (2000) 571–577CrossRefGoogle Scholar
  10. 10.
    DEFCON: Def con capture the flag (CTF) contest. (2000) Archive accessible at
  11. 11.
    Bace, R.: Intrusion Detection. Macmillan Technology Publishing (2000)Google Scholar
  12. 12.
    Staniford, S., Hoagland, J., McAlerney, J.: Practical automated detection of stealthy portscans. To appear in Journal of Computer Security (2002)Google Scholar
  13. 13.
    Templeton, S., Levit, K.: A requires/provides model for computer attacks. In: Proceedings of New Security Paradigms Workshop, ACM Press (2000) 31–38Google Scholar
  14. 14.
    Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy. (2002)Google Scholar
  15. 15.
    Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.: GrIDS-a graph based intrusion detection system for large networks. In: Proceedings of the 19th National Information Systems Security Conference. Volume 1.(1996) 361–370Google Scholar
  16. 16.
    Ilgun, K., Kemmerer, R.A., Porras, P.A.: State transition analysis: A rule-based intrusion detection approach. IEEE Transaction on Software Engineering 21 (1995) 181–199CrossRefGoogle Scholar
  17. 17.
    Cuppens, F., Ortalo, R.: Lambda: A language to model a database for detection of attacks. In: Proc. of Recent Advances in Intrusion Detection (RAID 2000). (2000) 197–216Google Scholar
  18. 18.
    Lin, J., Wang, X.S., Jajodia, S.: Abstraction-based misuse detection: High-level specifications and adaptable strategies. In: Proceedings of the 1 1th Computer Security Foundations Workshop, Rockport, MA (1998) 190–201Google Scholar
  19. 19.
    Ning, P., Jajodia, S., Wang, X.S.: Abstraction-based intrusion detection in distributed environments. ACM Transactions on Information and System Security 4 (2001) 407–452CrossRefGoogle Scholar
  20. 20.
    Gruschke, B.: Integrated event management: Event correlation using dependency graphs. In: Proceedings of the 9th IFIP/IEEE International Workshop on Distributed Systems: Operations & Management. (1998)Google Scholar
  21. 21.
    Ricciulli, L., Shacham, N.: Modeling correlated alarms in network management systems. In: In Western Simulation Multiconference. (1997)Google Scholar
  22. 22.
    Gardner, R., Harle, D.: Pattern discovery and specification translation for alarm correlation. In: Proceedings of Network Operations and Management Symposium (NOMS’98). (1998) 713–722Google Scholar
  23. 23.
    ISS, Inc.: RealSecure intrusion detection system. (
  24. 24.
    AT & T Research Labs: Graphviz-open source graph layout and drawing software. (

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Peng Ning
    • 1
  • Yun Cui
    • 1
  • Douglas S. Reeves
    • 1
  1. 1.Department of Computer ScienceNorth Carolina State UniversityRaleigh

Personalised recommendations