A New Alert Correlation Algorithm Based on Attack Graph
Intrusion Detection Systems (IDS) are widely deployed in computer networks. As attacks become more sophisticated and the number of sensors and network nodes grows, false positives and alert analysis become harder to manage. Alert correlation was proposed to analyze alerts and reduce false positives. Knowledge about the target system or environment is usually necessary for effective alert correlation. To represent this environment information, the existing vulnerabilities and the potential exploits they enable, an Attack Graph (AG) is used; generating an AG for a network organizes its vulnerabilities in a coherent way. In this paper, we design a correlation algorithm based on AGs that is capable of detecting multiple attack scenarios for forensic analysis. It can be parameterized to trade off robustness against accuracy. A formal model of the algorithm is presented, and an implementation is tested to analyze the effect of the different parameters on a real set of alerts from a local network.
Keywords: Correlation, Attack Graph, IDS
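The abstract describes correlating IDS alerts by placing each alert on an attack-graph node and linking alerts along graph paths, with parameters that trade robustness against accuracy. The Python block below is an added illustration of that general idea and is not the paper's algorithm or its formal model: the attack graph, the signature-to-node mapping and the alert stream are all constructed for the example, and the `max_hops` parameter (how many attack-graph steps may be missing between two correlated alerts) is an assumed stand-in for the tunable parameters the abstract mentions but does not name.

```python
from collections import deque

# Constructed toy attack graph: exploit node -> exploit nodes whose
# preconditions it satisfies. Assumed for this example, not from the paper.
ATTACK_GRAPH = {
    "scan_web": ["exploit_web"],
    "scan_ftp": ["exploit_ftp"],
    "exploit_web": ["priv_esc"],
    "exploit_ftp": ["priv_esc"],
    "priv_esc": ["exfil"],
    "exfil": [],
}

# Assumed mapping from IDS signature name to attack-graph node. Signatures
# with no node (e.g. a bare ICMP ping) cannot be placed in any scenario and
# are reported separately as candidates for false positives.
SIGNATURE_TO_NODE = {
    "PORTSCAN_HTTP": "scan_web",
    "PORTSCAN_FTP": "scan_ftp",
    "WEB_SHELL_UPLOAD": "exploit_web",
    "FTP_OVERFLOW": "exploit_ftp",
    "LOCAL_PRIVESC": "priv_esc",
    "LARGE_OUTBOUND_TRANSFER": "exfil",
}

# Constructed alert stream: (time, signature, src_host, dst_host). Note that
# the FTP exploit and the privilege escalation on 10.0.1.20 never raised an
# alert, so the final exfiltration has a gap in its attack chain.
ALERTS = [
    (1, "PORTSCAN_HTTP", "10.0.0.5", "10.0.1.10"),
    (2, "ICMP_PING", "10.0.0.7", "10.0.1.10"),
    (3, "WEB_SHELL_UPLOAD", "10.0.0.5", "10.0.1.10"),
    (4, "PORTSCAN_FTP", "10.0.0.9", "10.0.1.20"),
    (5, "LOCAL_PRIVESC", "10.0.1.10", "10.0.1.10"),
    (6, "LARGE_OUTBOUND_TRANSFER", "10.0.1.20", "203.0.113.7"),
]


def hops_between(graph, src, dst, limit):
    """Shortest number of attack-graph edges from src to dst (BFS), or None
    if dst is not reachable within `limit` hops. src == dst gives 0."""
    if src == dst:
        return 0
    seen = {src}
    queue = deque([(src, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= limit:
            continue
        for nxt in graph.get(node, []):
            if nxt == dst:
                return depth + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None


def correlate(alerts, graph, sig_map, max_hops):
    """Group alerts into attack scenarios along attack-graph paths.

    An alert joins the scenario whose last node reaches the alert's node in
    the fewest hops (at most max_hops) and that already involves one of the
    alert's hosts; otherwise it starts a new scenario. Returns
    (scenarios, unmatched), each scenario being a dict with 'nodes',
    'hosts' and 'alerts'."""
    scenarios = []
    unmatched = []
    for alert in sorted(alerts, key=lambda a: a[0]):
        _, signature, src, dst = alert
        node = sig_map.get(signature)
        if node is None:
            unmatched.append(alert)
            continue
        best, best_hops = None, None
        for sc in scenarios:
            hops = hops_between(graph, sc["nodes"][-1], node, max_hops)
            if hops is None:
                continue
            # Environment knowledge: the alert must touch a host already in
            # the scenario, so a reachable node on an unrelated host is not
            # merged in just because the graph allows the step.
            if src not in sc["hosts"] and dst not in sc["hosts"]:
                continue
            if best_hops is None or hops < best_hops:
                best, best_hops = sc, hops
        if best is None:
            scenarios.append({"nodes": [node], "hosts": {src, dst},
                              "alerts": [alert]})
        else:
            best["nodes"].append(node)
            best["hosts"].update((src, dst))
            best["alerts"].append(alert)
    return scenarios, unmatched


if __name__ == "__main__":
    for max_hops in (1, 3):
        scenarios, unmatched = correlate(ALERTS, ATTACK_GRAPH,
                                         SIGNATURE_TO_NODE, max_hops)
        print(f"max_hops={max_hops}")
        for sc in scenarios:
            print("  scenario:", " -> ".join(sc["nodes"]))
        print("  unmatched:", [a[1] for a in unmatched])
```

With `max_hops=1` the exfiltration alert forms a scenario of its own, because the FTP exploit and the privilege escalation on 10.0.1.20 produced no alerts and the chain from the FTP scan has a two-step gap; with `max_hops=3` it is attached to the FTP scan scenario. This is the robustness/accuracy trade-off in miniature: a larger value tolerates missed alerts (and sensor blind spots) but correlates on weaker evidence, and the host check is what stops the exfiltration from being attached to the web-server scenario even though `priv_esc -> exfil` is a single graph edge.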