Real-Time Alert Correlation with Type Graphs

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5352)


The premise of automated alert correlation is to accept that false alerts from a low level intrusion detection system are inevitable and use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified in to two broad categories namely scenario-graph approaches, which create an attack model starting from a vulnerability assessment and type-graph approaches which rely on an abstract model of the relations between attack types. Some research in to improving the efficiency of type-graph correlation has been carried out but this research has ignored the hypothesizing of missing alerts. Our work is to present a novel type-graph algorithm which unifies correlation and hypothesizing in to a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to other techniques.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bayer, R.: Symmetric Binary B-Tees: Data structure and maintenance algorithms. Acta Inf. 1, 290–306 (1972)CrossRefzbMATHGoogle Scholar
  2. 2.
    Xu, D., Ning, P.: Alert Correlation through Triggering Events and Common Resources. In: Proc. 20th Annual Computer Security Applications Conference (2004)Google Scholar
  3. 3.
    Tedesco, G.: ATG correlator source code and documentation (2008),
  4. 4.
    Tedesco, G., Twycross, J., Aickelin, U.: Integrating innate and adaptive immunity for intrusion detection. In: Proc. International Conference on Artificial Immune Systems (2006)Google Scholar
  5. 5.
    Swiler, L.P., Phillips, C., Ellis, D., Chakerian, S.: Computer Attack Graph Generation Tool. In: Proc. DARPA Information Survivability Conference & Exposition II (2000)Google Scholar
  6. 6.
    Wang, L., Liu, A., Jajodia, S.: An Efficient, Unified Approach to Correlating, Hypothesizing, and Predicting Intrusion Alerts. In: Proc. European Symposium on Computer Security (2005)Google Scholar
  7. 7.
    Ning, P., Xu, D.: Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation. Technical Report TR-2002-14 NCSU Dept. of Computer Science (2002)Google Scholar
  8. 8.
    Ning, P., Xu, D.: Hypothesizing and Reasoning about Attacks Missed by Intrusion Detection Systems. ACM Transactions on Information and System Security 7(4), 591–627 (2004)CrossRefGoogle Scholar
  9. 9.
    Ning, P., Cui, Y., Reeves, D.S.: Analyzing Intensive Intrusion Alerts Via Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Ning, P., Cui, Y., Reeves, D.S.: Constructing Attack Scenarios through Correlation of Intrusion Alerts. In: Proc. 9th ACM Conference on Computer & Communications Security, pp. 245–254 (2002)Google Scholar
  11. 11.
    Ning, P., Xu, D., Healy, C.G., Amant, R.S.: Building Attack Scenarios through Integration of Complementary Alert Correlation Methods. In: Proc. 11th Annual Network and Distributed System Security Symposium, pp. 97–111 (2004)Google Scholar
  12. 12.
    Deraison, R.: Nessus automated vulenrability scanner (2008),
  13. 13.
    Templeton, S.J., Levitt, K.: Requires/Provides Model for Computer Attacks. In: Proc. Workshop on New Security Paradigms (2000)Google Scholar
  14. 14.
    Noel, S., Jajodia, S., O’Berry, B.: Topological Analysis of Network Vulnerability. In: Managing Cyber Threats: Issues Approaches and Challenges (2005)Google Scholar
  15. 15.
    Zhai, Y., Ning, P., Iyer, P., Reeves, D.S.: Reasoning about Complementary Intrusion Evidence. In: Proc. 20th Annual Computer Security Applications Conference (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  1. 1.School of Computer ScienceUniversity of NottinghamNottinghamUnited Kingdom

Personalised recommendations