Aggregation and Correlation of Intrusion-Detection Alerts

Debar, Hervé; Wespi, Andreas

doi:10.1007/3-540-45474-8_6

Cited by 451 publications

(242 citation statements)

References 1 publication

Supporting

Mentioning

233

Contrasting

Unclassified

Order By: Relevance

“…Formalization of security alerts allowed a whole new field of research to emerge, the security alert correlation [9]. The task of alert correlation is to put together corresponding alerts, find relations between alerts, and reconstruct the progress of an attack, but also to recognize the focus of an attacker and analyze the impact of potential security incidents.…”

Section: Related Workmentioning

confidence: 99%

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Husák

Kašpar

2018

2018 14th International Wireless Communications &Amp; Mobile Computing Conference (IWCMC)

View full text Add to dashboard Cite

Abstract-In this paper, we present an empirical evaluation of an approach to predict attacker's activities based on information exchange and data mining. We gathered the cyber security alerts shared within the SABU platform, in which around 220,000 alerts from heterogeneous geographically distributed sensors (intrusion detection systems and honeypots) are shared every day. Subsequently, we used the methods of sequential rule mining to identify common attack patterns and to derive rules for predicting attacks. As we illustrate in this paper, a collaborative environment allows attack prediction in multiple dimensions. First, we can predict what will the attacker do next and when. Second, we can predict where will the attack hit, e.g., when an attacker is targeting several networks at once. In a weeklong experiment, we processed in total over 1 million alerts, from which we mined predictive rules every day. Our findings show that most of the rules display stable values of support and confidence and, thus, can be used to predict cyber attacks in consecutive days after mining without a need to actualize the rules every day.

show abstract

Section: Related Workmentioning

confidence: 99%

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Husák

Kašpar

2018

2018 14th International Wireless Communications &Amp; Mobile Computing Conference (IWCMC)

View full text Add to dashboard Cite

show abstract

“…Most of the previous works [2], [3], [5], [6], [7] of alert clustering for finding structural correlation required strong dependencies on SE in developing and/or maintaining their correlation system. They either need pre-defined rules or human expert knowledge to manage and analyze the intrusion alerts.…”

Section: Related Workmentioning

confidence: 99%

“…Worse, those alerts are in low quality because they mixed with false positives, and repeated warnings for the same attack, or alert notifications from erroneous activity [2]. Therefore, manually analyze those alerts are tedious, time-consuming and error-prone [3].…”

Section: Introductionmentioning

confidence: 99%

A Hybrid Intelligent Approach for Automated Alert Clustering and Filtering in Intrusion Alert Analysis

Siraj¹,

Maarof²,

Hashim³

2009

IJCTE

View full text Add to dashboard Cite

“…In order to use IDS alerts as evidence, many have proposed aggregating redundant alerts and correlating them to determine multi-step, multi-stage attacks (Dain and Cunningham, 2001;Debar and Wespi, 2001;Wang and Thomas, 2008). While such aggregation can help in reconstructing a multi-stage, multi-step attack scenario, to the best of our knowledge, none of this work has been integrated with legal acceptability standards of evidence.…”

Section: Introductionmentioning

confidence: 99%

Relating Admissibility Standards for Digital Evidence to Attack Scenario Reconstruction

Liu¹,

Singhal²,

Wijesekera³

2014

JDFSL

View full text Add to dashboard Cite

Attackers tend to use complex techniques such as combining multi-step, multi-stage attack with anti-forensic tools to make it difficult to find incriminating evidence and reconstruct attack scenarios that can stand up to the expected level of evidence admissibility in a court of law. As a solution, we propose to integrate the legal aspects of evidence correlation into a Prolog based reasoner to address the admissibility requirements by creating most probable attack scenarios that satisfy admissibility standards for substantiating evidence. Using a prototype implementation, we show how evidence extracted by using forensic tools can be integrated with legal reasoning to reconstruct network attack scenarios. Our experiment shows this implemented reasoner can provide pre-estimate of admissibility on a digital crime towards an attacked network.

show abstract

Aggregation and Correlation of Intrusion-Detection Alerts

Cited by 451 publications

References 1 publication

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

A Hybrid Intelligent Approach for Automated Alert Clustering and Filtering in Intrusion Alert Analysis

Relating Admissibility Standards for Digital Evidence to Attack Scenario Reconstruction

Contact Info

Product

Resources

About