Alert Correlation Algorithms: A Survey and Taxonomy

  • Seyed Ali Mirheidari
  • Sajjad Arshad
  • Rasool Jalili
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8300)

Abstract

Alert correlation is a system that receives alerts from heterogeneous Intrusion Detection Systems and reduces false alerts, detects high-level patterns of attacks, increases the meaning of the incidents that have occurred, predicts the future states of attacks, and detects the root cause of attacks. To reach these goals, many algorithms have been proposed, each with its own advantages and disadvantages. In this paper, we present a comprehensive survey of the alert correlation algorithms proposed so far. The survey focuses mainly on algorithms for correlation engines that can work in enterprise and practical networks. With this aim in mind, we introduce a number of features related to accuracy, functionality, and computational power, and assess every category of algorithms against these features. The result of this survey shows that each category of algorithms has its own strengths, and an ideal correlation framework should carry the strongest feature of each category.
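As an added illustration that is not part of the paper, the block below sketches the similarity-based category named in the keywords: alerts from two constructed IDS sensors are merged into meta-alerts by weighted attribute similarity, which both collapses the cross-sensor duplicate and links the two steps of one attacker's activity. The weights, time window and threshold are assumed values, not ones the survey gives.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    sensor: str  # IDS that raised the alert
    sig: str     # signature / attack class
    src: str
    dst: str
    ts: float    # seconds

# Constructed sample stream from two heterogeneous sensors (not real data).
ALERTS = [
    Alert("snort", "portscan", "10.0.0.5", "10.0.0.20", 100.0),
    Alert("suricata", "portscan", "10.0.0.5", "10.0.0.20", 101.5),      # same event, second sensor
    Alert("snort", "exploit-attempt", "10.0.0.5", "10.0.0.20", 140.0),  # next step, same attacker
    Alert("snort", "portscan", "192.168.1.9", "10.0.0.30", 900.0),      # unrelated source
]
# Assumed attribute weights, time window and threshold; a real engine tunes these.
WEIGHTS = {"sig": 0.3, "src": 0.3, "dst": 0.3, "ts": 0.1}
WINDOW = 120.0

def similarity(a: Alert, b: Alert) -> float:
    """Weighted similarity in [0, 1]: exact match on fields, linear decay on time."""
    score = WEIGHTS["sig"] * float(a.sig == b.sig)
    score += WEIGHTS["src"] * float(a.src == b.src)
    score += WEIGHTS["dst"] * float(a.dst == b.dst)
    return score + WEIGHTS["ts"] * max(0.0, 1.0 - abs(a.ts - b.ts) / WINDOW)

def correlate(alerts, threshold: float = 0.6):
    """Single pass in time order: join the most similar existing cluster if its
    score reaches the threshold, otherwise open a new cluster."""
    clusters = []
    for alert in sorted(alerts, key=lambda x: x.ts):
        best, best_score = None, 0.0
        for cluster in clusters:
            score = max(similarity(alert, m) for m in cluster)
            if score > best_score:
                best, best_score = cluster, score
        if best is not None and best_score >= threshold:
            best.append(alert)
        else:
            clusters.append([alert])
    return clusters

def summarize(cluster):
    """One meta-alert per cluster: cross-sensor duplicates merge and distinct
    signatures are kept in time order, exposing the multi-step pattern."""
    sigs = list(dict.fromkeys(m.sig for m in cluster))
    return {"src": cluster[0].src, "dst": cluster[0].dst, "signatures": sigs,
            "sensors": {m.sensor for m in cluster}, "count": len(cluster)}
```

Here four raw alerts become two meta-alerts; the first carries both sensors and the portscan-then-exploit sequence, which is the kind of higher-level pattern the abstract describes.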

Keywords

Network Security, Intrusion Detection System, Alert, Alert Correlation, Attack Scenario, Similarity-based, Knowledge-based, Statistical-based

Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Seyed Ali Mirheidari (1, 2)
  • Sajjad Arshad (2)
  • Rasool Jalili (2, 3)
  1. Computer Engineering Department, Sharif University of Technology, International Campus, Iran
  2. Data and Network Security Laboratory (DNSL), Sharif University of Technology, Iran
  3. Computer Engineering Department, Sharif University of Technology, Iran