A New Alert Correlation Algorithm Based on Attack Graph

  • Sebastian Roschke
  • Feng Cheng
  • Christoph Meinel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6694)


Intrusion Detection Systems (IDS) are widely deployed in computer networks. As modern attacks are getting more sophisticated and the number of sensors and network nodes grows, the problem of false positives and alert analysis becomes more difficult to solve. Alert correlation was proposed to analyze alerts and to decrease false positives. Knowledge about the target system or environment is usually necessary for efficient alert correlation. For representing the environment information as well as potential exploits, the existing vulnerabilities and their Attack Graph (AG) is used. It is useful for networks to generate an AG and to organize certain vulnerabilities in a reasonable way. In this paper, we design a correlation algorithm based on AGs that is capable of detecting multiple attack scenarios for forensic analysis. It can be parameterized to adjust the robustness and accuracy. A formal model of the algorithm is presented and an implementation is tested to analyze the different parameters on a real set of alerts from a local network.


Correlation Attack Graph IDS 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Northcutt, S., Novak, J.: Network Intrusion Detection: An Analyst’s Handbook. New Riders Publishing, Thousand Oaks (2002)Google Scholar
  2. 2.
    Kruegel, C., Valuer, F., Vigna, G.: Intrusion Detection and Correlation: Challenges and Solutions. AIS, vol. 14. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  3. 3.
    Ou, X., Govindavajhala, S., Appel, A.: MulVAL: A Logic-based Network Security Analyzer. In: Proceedings of 14th USENIX Security Symposium, p. 8. USENIX Association, Baltimore (2005)Google Scholar
  4. 4.
    Noel, S., Jajodia, S.: Managing attack graph complexity through visual hierarchical aggregation. In: Proceedings of Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC 2004), pp. 109–118. ACM, Washington DC (2004)CrossRefGoogle Scholar
  5. 5.
    Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlation, hypothesizing, and predicting intrusion alerts. Journal of Computer Communications 29(15), 2917–2933 (2006)CrossRefGoogle Scholar
  6. 6.
    Roschke, S., Cheng, F., Meinel, C.: A Flexible and Efficient Alert Correlation Platform for Distributed IDS. In: Proceedings of the 4th International Conference on Network and System Security (NSS 2010), pp. 24–31. IEEE Press, Melbourne (2010)CrossRefGoogle Scholar
  7. 7.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated Generation and Analysis of Attack Graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy (S&P 2002), pp. 273–284. IEEE Press, Washington, DC (2002)CrossRefGoogle Scholar
  8. 8.
    Sadoddin, R., Ghorbani, A.: Alert Correlation Survey: Framework and Techniques. In: Proceedings of the International Conference on Privacy, Security and Trust (PST 2006), pp. 1–10. ACM Press, Markham (2006)Google Scholar
  9. 9.
    Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format, Internet Draft. Technical Report, IETF Intrusion Detection Exchange Format Working Group (July 2004)Google Scholar
  10. 10.
    Mitre Corporation: Common vulnerabilities and exposures CVE Website, (accessed March 2009)
  11. 11.
    Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Transactions on Information and System Security 6(4), 443–471 (2003)CrossRefGoogle Scholar
  13. 13.
    Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Al-Mamory, S.O., Zhang, H.: IDS alerts correlation using grammar-based approach. Journal of Computer Virology 5(4), 271–282 (2009)CrossRefGoogle Scholar
  15. 15.
    Ning, P., Cui, Y., Reeves, D.: Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002), pp. 245–254. ACM Press, Washington, DC (2002)CrossRefGoogle Scholar
  16. 16.
    Qin, X.: A Probabilistic-Based Framework for INFOSEC Alert Correlation, PhD thesis, Georgia Institute of Technology (2005)Google Scholar
  17. 17.
    Qin, X.: Statistical causality analysis of INFOSEC alert data. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 73–93. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  18. 18.
    Oliner, A.J., Kulkarni, A.V., Aiken, A.: Community epidemic detection using time-correlated anomalies. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 360–381. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  19. 19.
    Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A data mining analysis of rtid alarms. Computer Networks 34(4), 571–577 (2000)CrossRefGoogle Scholar
  20. 20.
    Siraj, A., Vaughn, R.B.: A cognitive model for alert correlation in a distributed environment. In: Kantor, P., Muresan, G., Roberts, F., Zeng, D.D., Wang, F.-Y., Chen, H., Merkle, R.C. (eds.) ISI 2005. LNCS, vol. 3495, pp. 218–230. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  21. 21.
    Ning, P., Xu, D., Healey, C.G., Amant, R.S.: Building attack scenarios through integration of complementary alert correlation method. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2004). The Internet Society, San Diego (2004)Google Scholar
  22. 22.
    Porras, P.A., Fong, M.W., Valdes, A.: A mission-impact-based approach to INFOSEC alarm correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 95–114. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  23. 23.
    Snort IDS: WEBSITE, (accessed November 2009)
  24. 24.
    Floyd, R.: Algorithm 97 (SHORTEST PATH). Communications of the ACM 5(6), 345 (1962)CrossRefGoogle Scholar
  25. 25.
    Warshall, S.: A Theorem on Boolean Matrices. Journal of the ACM 9(1), 11–12 (1962)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Sebastian Roschke
    • 1
  • Feng Cheng
    • 1
  • Christoph Meinel
    • 1
  1. 1.Hasso Plattner Institute (HPI)University of PotsdamPotsdamGermany

Personalised recommendations