Security Alert Correlation Using Growing Neural Gas

  • Francisco José Mora-Gimeno
  • Francisco Maciá-Pérez
  • Iren Lorenzo-Fonseca
  • Juan Antonio Gil-Martínez-Abarca
  • Diego Marcos-Jorquera
  • Virgilio Gilart-Iglesias
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6694)


The use of alert correlation methods in Distributed Intrusion Detection Systems (DIDS) has become an important process to address some of the current problems in this area. However, the efficiency obtained is far from optimal results. This paper presents a novel approach based on the integration of multiple correlation methods by using the neural network Growing Neural Gas (GNG). Moreover, since correlation systems have different detection capabilities, we have modified the learning algorithm to positively weight the best performing systems. The results show the validity of the proposal, both the multiple integration approach using GNG neural network and the weighting based on efficiency.


Alert correlation Neural networks Intrusion detection Growing neural gas 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ren, H., Stakhanova, N., Ghorbani, A.: An Online Adaptive Approach to Alert Correlation. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 153–172. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Qin, X., Lee, W.: Statistical Causality Analysis of INFOSEC Alert Data. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 73–93. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Qin, X., Lee, W.: Discovering Novel Attack Strategies from INFOSEC Alerts. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 439–456. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    Ning, P., Cui, Y., Reeves, D.S.: Constructing Attacks Scenarios Through Correlation of Intrusion Alerts. In: Proceedings of the 9th ACM Conference on Computer and Communications Security. ACM Press, New York (2002)Google Scholar
  5. 5.
    Fritzke, B.: A growing neural gas network learns topologies. In: Advances in Neural Information Processing Systems, vol. 7. MIT Press, Cambridge (1995)Google Scholar
  6. 6.
    Abdel-Azim, M., Abdel-Fatah, A., Awad, M.: Performance Analys of Artificial Neural Network Intrusion Detection Systems. In: Proceedings of International Conference on Electrical and Electronics Engineering, Bursa, Turkey, pp. 385–389 (2009)Google Scholar
  7. 7.
    Lorenzo-Fonseca, I., Maciá-Pérez, F., Mora-Gimeno, F.J., Lau-Fernández, R., Gil-Martínez-Abarca, J.A., Marcos-Jorquera, D.: Intrusion Detection Method Using Neural Networks Based on the Reduction of Characteristics. In: Cabestany, J., Sandoval, F., Prieto, A., Corchado, J.M. (eds.) IWANN 2009. LNCS, vol. 5517, pp. 1296–1303. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Shun, J., Malki, H.A.: Network Intrusion Detection System Using Neural Networks. In: Proceedings of International Conference on Natural Computation, Jinan, China, pp. 242–249 (2008)Google Scholar
  9. 9.
    Liu, G., Wang, X.: An Integrated Intrusion Detection System by Using Multiple Neural Networks. In: Proceedings of IEEE Conference on Cybernetics and Intelligent Systems, Chengdu, China, pp. 22–27 (2008)Google Scholar
  10. 10.
    Tenfl, P., Payer, U., Fellner, R.: Event Correlation on the Basis of Activation Patterns. In: Proceedings of International Conference on Parallel, Distributed, and Network-Based Processing, Pisa, Italy, pp. 631–640 (2010)Google Scholar
  11. 11.
    Morin, B., Me, L., Debar, H., Ducasse, M.: A Logic-Based Model to Support Alert Correlation in Intrusion Detection. Information Fusion 10(4), 285–299 (2009)CrossRefGoogle Scholar
  12. 12.
    Zhou, J., Hechman, M., Reynolds, B., Carlson, A., Bishop, M.: Modeling Network Intrusion Detection Alerts for Correlation. ACM Transactions on Information and System Security 10(1), 1–31 (2007)CrossRefGoogle Scholar
  13. 13.
    Gu, T., Xiao, D., Liu, X., Xia, X.: Multilevel Event Correlation Based on Collaboration and Temporal Causal Correlation. In: Proceedings of International Conference on Wireless Communications, Networking and Mobile Computint, Beijing, China, pp. 1–4 (2009)Google Scholar
  14. 14.
    Ning, P., Xu, D., Healey, C.G., Amant, R.: Building Attacks Scenarios Through Integration of Complementary Alert Correlation Method. In: Proceedings of Network and Distributed System Security Symposium, San Diego, USA, pp. 69–84 (2004)Google Scholar
  15. 15.
    Gu, G., Fogla, P., Dagon, D., Lee, W., Skoric, B.: Measuring Intrusion Detection Capability: An Information_Theoretic Approack. In: Proceedings of ACM Symposium on Information, Computer and Communications Security. ACM Press, New York (2006)Google Scholar
  16. 16.
    Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format (IDMEF). RFC 4765. IETF Trust (2007)Google Scholar
  17. 17.
    Valdes, A., Skinner, K.: Probabilistic Alert Correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  18. 18.
    MIT Lincoln Laboratory: DARPA Intrusion Detection Evaluation,

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Francisco José Mora-Gimeno
    • 1
  • Francisco Maciá-Pérez
    • 1
  • Iren Lorenzo-Fonseca
    • 1
  • Juan Antonio Gil-Martínez-Abarca
    • 1
  • Diego Marcos-Jorquera
    • 1
  • Virgilio Gilart-Iglesias
    • 1
  1. 1.Department of Computer TechnologyUniversity of AlicanteAlicanteSpain

Personalised recommendations