Real-Time Alert Correlation with Type Graphs
The premise of automated alert correlation is to accept that false alerts from a low-level intrusion detection system are inevitable, and to use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified into two broad categories: scenario-graph approaches, which create an attack model starting from a vulnerability assessment, and type-graph approaches, which rely on an abstract model of the relations between attack types. Some research into improving the efficiency of type-graph correlation has been carried out, but this research has ignored the hypothesizing of missing alerts. Our work presents a novel type-graph algorithm which unifies correlation and hypothesizing into a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to those of other techniques.
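The following is an added illustration of the idea described above, not code from the paper or from the ATG correlator: a small type-graph correlator in which a missing prerequisite alert is hypothesized and inserted through the same code path as a real alert, so correlation and hypothesizing happen in one operation. The attack types, the requires relation, the time window and the alert stream are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed type graph (hypothetical attack types, not the paper's model):
# TYPE_GRAPH[t] lists the alert types an alert of type t requires to have
# occurred earlier against the same src/dst pair.
TYPE_GRAPH = {"scan": [], "exploit": ["scan"], "shell": ["exploit"], "exfil": ["shell"]}

@dataclass
class Alert:
    ts: int          # epoch seconds
    atype: str       # a key of TYPE_GRAPH
    src: str
    dst: str
    hypothesized: bool = False  # True when inserted to fill a gap the IDS did not report

def correlate(alerts, type_graph=TYPE_GRAPH, window=600):
    """One pass in arrival order; returns (nodes, edges) where edges are
    (prerequisite_index, alert_index) pairs into nodes."""
    nodes, edges = [], []
    latest = {}  # (src, dst, atype) -> index of the most recent such alert

    def add(alert):
        idx = len(nodes)
        nodes.append(alert)
        latest[(alert.src, alert.dst, alert.atype)] = idx
        for req in type_graph[alert.atype]:
            pred = latest.get((alert.src, alert.dst, req))
            if pred is None or alert.ts - nodes[pred].ts > window:
                # Prerequisite missing or stale: hypothesize it. It goes through add()
                # too, so its own prerequisites are correlated or hypothesized in turn.
                pred = add(Alert(alert.ts, req, alert.src, alert.dst, hypothesized=True))
            edges.append((pred, idx))
        return idx

    for a in sorted(alerts, key=lambda x: x.ts):
        add(a)
    return nodes, edges

def summarize(nodes, edges):
    # Counts of real alerts, hypothesized alerts and correlation edges.
    hyp = sum(1 for n in nodes if n.hypothesized)
    return len(nodes) - hyp, hyp, len(edges)

# Constructed sample stream: the "shell" step was never reported; the last scan is unrelated.
SAMPLE = [
    Alert(1000, "scan", "10.0.0.5", "10.0.0.9"),
    Alert(1100, "exploit", "10.0.0.5", "10.0.0.9"),
    Alert(1300, "exfil", "10.0.0.5", "10.0.0.9"),
    Alert(1400, "scan", "10.0.0.7", "10.0.0.9"),
]
```

Running `correlate(SAMPLE)` yields four real alerts, one hypothesized "shell" alert bridging exploit and exfil, and three edges; shrinking the window makes more prerequisites stale and so increases the number of hypothesized nodes, which is the usual trade-off between tolerance of sensor gaps and output size.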