Alert correlation analysis based on attack path graph

Zhang, Daojuan; Qian, Kexiang; Zhang, Peng; Shu, Mei; Wu, Hongbin

doi:10.1109/ei2.2017.8245631

Cited by 3 publications

(3 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In recent years, network security event aggregation and correlation analysis that are based on the research on the correlation algorithm have gradually become hot spots in the field of network security, and some meaningful results have been produced. Researchers have done a lot of work on the correlation of events and have proposed methods, such as alert correlation based on a sequence [ 15 , 16 , 17 ], alert correlation based on known scenarios [ 18 ], and alert correlation based on attribute similarity [ 19 , 20 ].…”

Section: Literature Reviewmentioning

confidence: 99%

“…The framework changes a series of alerts into a set of alerts and then serializes them in the form of super alerts in the prediction of the next attack. In [ 18 ], early warnings are correlated based on a knowledge base and the related likelihood. An attack path construction algorithm is proposed for obtaining the attack path of the specified target IP, and an alert correlation graph is constructed to correlate the alerts to a specific range and then merge them based on the alert type.…”

Section: Literature Reviewmentioning

confidence: 99%

See 1 more Smart Citation

An Efficient Alert Aggregation Method Based on Conditional Rough Entropy and Knowledge Granularity

Sun

Chen

2020

Entropy

View full text Add to dashboard Cite

With the emergence of network security issues, various security devices that generate a large number of logs and alerts are widely used. This paper proposes an alert aggregation scheme that is based on conditional rough entropy and knowledge granularity to solve the problem of repetitive and redundant alert information in network security devices. Firstly, we use conditional rough entropy and knowledge granularity to determine the attribute weights. This method can determine the different important attributes and their weights for different types of attacks. We can calculate the similarity value of two alerts by weighting based on the results of attribute weighting. Subsequently, the sliding time window method is used to aggregate the alerts whose similarity value is larger than a threshold, which is set to reduce the redundant alerts. Finally, the proposed scheme is applied to the CIC-IDS 2018 dataset and the DARPA 98 dataset. The experimental results show that this method can effectively reduce the redundant alerts and improve the efficiency of data processing, thus providing accurate and concise data for the next stage of alert fusion and analysis.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Section: Literature Reviewmentioning

confidence: 99%

An Efficient Alert Aggregation Method Based on Conditional Rough Entropy and Knowledge Granularity

Sun

Chen

2020

Entropy

View full text Add to dashboard Cite

show abstract

“…In terms of attack scenario restoration, Peng et al [22] proposed an alert correlation method based on the causality of attacks. Zhang et al [23] proposed a real-time alert correlation analysis method based on an attack plan graph, which improved the attack scenario.…”

Section: Related Workmentioning

confidence: 99%

Attack Analysis Framework for Cyber-Attack and Defense Test Platform

Jiang

Jia

et al. 2020

Electronics

View full text Add to dashboard Cite

In 2012, Google first proposed the knowledge graph and applied it in the field of intelligent searching. Subsequently, knowledge graphs have been used for in-depth association analysis in different fields. In recent years, composite attacks have been discovered through association analysis in the field of cyber security. This paper proposes an attack analysis framework for cyber-attack and defense test platforms, which stores prior knowledge in a cyber security knowledge graph and attack rule base as data that can be understood by a computer, sets the time interval of analysis on the Spark framework, and then mines attack chains from massive data with spatiotemporal constraints, so as to achieve the balance between automated analysis and real-time accurate performance. The experimental results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and the precision of the detection results from security equipment. With the rational expectation about more exposure of attacks and faster upgrade of security equipment, it is necessary and meaningful to constantly improve the cyber security knowledge graph in the attack analysis framework.

show abstract

Multilevel Intrusion Alert Post-processing for the Elimination of False Positives

Riyad¹

2021

IJRASET

View full text Add to dashboard Cite

Intrusion detection systems are the last line of defence in the network security domain. Improving the performance of intrusion detection systems always increase false positives. This is a serious problem in the field of intrusion detection. In order to overcome this issue to a great extend, we propose a multi level post processing of intrusion alerts eliminating false positives produced by various intrusion detection systems in the network. For this purpose, the alerts are normalized first. Then, a preliminary alert filtration phase prioritize the alerts and removes irrelevant alerts. The higher priority alerts are then aggregated to fewer numbers of hyper alerts. In the final phase, alert correlation is done and alert correlation graph is constructed for finding the causal relationship among the alerts which further eliminates false positives. Experiments were conducted on LLDOS 1.0 dataset for verifying the approach and measuring the accuracy. Keywords: Intrusion detection system, alert prioritization, alert aggregation, alert correlation, LLDOS 1.0 dataset, alert correlation graph.

show abstract

Alert correlation analysis based on attack path graph

Cited by 3 publications

References 24 publications

An Efficient Alert Aggregation Method Based on Conditional Rough Entropy and Knowledge Granularity

An Efficient Alert Aggregation Method Based on Conditional Rough Entropy and Knowledge Granularity

Attack Analysis Framework for Cyber-Attack and Defense Test Platform

Multilevel Intrusion Alert Post-processing for the Elimination of False Positives

Contact Info

Product

Resources

About