Abstract
Separating genuine attacks from false alarms in a large intrusion detection infrastructure is extremely difficult. The number of alarms received in such environments can easily reach millions per day, and the noise they create can cause genuine attacks to go unnoticed. As a means of highlighting these attacks, we introduce a host ranking technique based on Alarm Graphs. Rather than enumerating all potential attack paths, as Attack Graphs do, we build and analyze graphs from the alarms generated by the intrusion detection sensors installed on a network. Since the alarms are predominantly false positives, the challenge is to identify and separate the true attacks, and ideally to predict future ones. In this paper we propose a novel approach to this problem based on the PageRank algorithm. By elevating the rank of known attackers and victims, we can observe the effect these hosts have on the other nodes in the Alarm Graph. Using this information we can discover previously overlooked attacks and defend against future intrusions.
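The following is an added example, not code from the paper or its authors, of the idea the abstract describes: hosts become graph nodes, each alarm adds a directed edge from its source host to its destination host, and known attackers or victims are "elevated" by concentrating the PageRank teleport (personalization) vector on them. The edge direction, the alarm-count weighting, the use of a personalization vector as the elevation mechanism, the sample alerts and the host addresses are all assumptions made for this illustration; the paper's own graph construction and ranking details may differ.

```python
"""Host ranking over an Alarm Graph with personalized PageRank.

Added illustration, not the paper's implementation. Assumed model:
  * node  = host address
  * edge  = src -> dst for every alarm, weighted by alarm count
  * known attackers/victims get all of the teleport probability,
    so rank flows from them along alarm edges to related hosts.
"""
from collections import defaultdict

# Constructed sample alerts (src, dst, signature); not real IDS data.
SAMPLE_ALERTS = [
    ("10.0.0.5", "10.0.1.20", "SCAN nmap"),
    ("10.0.0.5", "10.0.1.21", "SCAN nmap"),
    ("10.0.1.20", "10.0.2.7", "ET TROJAN callback"),
    ("10.0.2.7", "10.0.2.9", "ET POLICY suspicious transfer"),
    ("192.168.3.3", "192.168.3.4", "ICMP ping"),   # noisy, unrelated pair
    ("192.168.3.4", "192.168.3.3", "ICMP ping"),
    ("10.0.9.9", "10.0.1.21", "WEB-MISC probe"),
]

# Hypothetical host confirmed as an attacker by a prior investigation.
KNOWN_BAD = {"10.0.0.5"}


def build_alarm_graph(alerts):
    """Return (nodes, out) with out[src][dst] = number of alarms src -> dst."""
    out = defaultdict(lambda: defaultdict(int))
    nodes = set()
    for src, dst, _sig in alerts:
        nodes.add(src)
        nodes.add(dst)
        out[src][dst] += 1
    return sorted(nodes), out


def personalized_pagerank(nodes, out, seeds=None, damping=0.85,
                          max_iter=500, tol=1e-12):
    """Weighted PageRank by power iteration.

    With seeds, the teleport vector is uniform over the seed hosts only;
    without seeds it is uniform over all hosts (ordinary PageRank).
    Dangling hosts (no outgoing alarms) hand their mass back to the
    teleport vector, so the scores always sum to 1.
    """
    seeds = set(seeds or ()) & set(nodes)
    if seeds:
        p = {v: (1.0 / len(seeds) if v in seeds else 0.0) for v in nodes}
    else:
        p = {v: 1.0 / len(nodes) for v in nodes}
    out_weight = {v: sum(out[v].values()) for v in nodes}
    rank = dict(p)
    for _ in range(max_iter):
        new = {v: 0.0 for v in nodes}
        dangling = 0.0
        for u in nodes:
            if out_weight[u] == 0:
                dangling += rank[u]
                continue
            share = damping * rank[u] / out_weight[u]
            for v, w in out[u].items():
                new[v] += share * w
        for v in nodes:
            new[v] += (1.0 - damping) * p[v] + damping * dangling * p[v]
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def rank_hosts(alerts, seeds=None):
    """Return [(host, score), ...] sorted from highest to lowest rank."""
    nodes, out = build_alarm_graph(alerts)
    scores = personalized_pagerank(nodes, out, seeds)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("ordinary PageRank (no known hosts):")
    for host, score in rank_hosts(SAMPLE_ALERTS):
        print(f"  {host:14s} {score:.4f}")
    print("elevating known attacker", sorted(KNOWN_BAD), ":")
    for host, score in rank_hosts(SAMPLE_ALERTS, KNOWN_BAD):
        print(f"  {host:14s} {score:.4f}")
```

With the teleport vector pinned to the known attacker, the unrelated ICMP pair and the isolated web probe decay to zero, while the hosts downstream of the attacker's scan targets (here 10.0.2.7 and 10.0.2.9, which never appear in an alarm involving the attacker directly) receive rank through the chain of alarms; that is the kind of previously overlooked host the ranking is meant to surface. In practice the seed set should come from confirmed incidents, and the resulting ordering is a triage aid, not proof of compromise.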
© 2007 Springer-Verlag Berlin Heidelberg
Treinen, J.J., Thurimella, R. (2007). Application of the PageRank Algorithm to Alarm Graphs. In: Qing, S., Imai, H., Wang, G. (eds) Information and Communications Security. ICICS 2007. Lecture Notes in Computer Science, vol 4861. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77048-0_37
DOI: https://doi.org/10.1007/978-3-540-77048-0_37
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77047-3
Online ISBN: 978-3-540-77048-0