An Approach of Discovering Causal Knowledge for Alert Correlating Based on Data Mining

Feng, Xiang; Wang, Dongxia; Huang, Minhuan; Sun, Xiaodong

doi:10.1109/dasc.2014.19

Cited by 10 publications

(9 citation statements)

References 10 publications

(9 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The knowledge of logic relation, reasoning method, and probability calculation is included in the state transition of directed graph. Attack graph model [5,101,112,128,129], Bayesian model [11,62,114,132], Markov model [53,109,162], and so on all adopt this method. The solution method mainly includes two steps: reachability analysis and quantitative calculation analysis.…”

Section: Classification Of Solution Analysis Methodsmentioning

confidence: 99%

“…The definition of the model is generally combined with other disciplines, such as Petri network [96,[153][154][155], game theory [108,124,[159][160][161][162], and Bayesian network [114,132], and some articles also focus on the improvement of model description ability [125,126]; the solution algorithm depends on the definition of the model, and it is generally shown together with the solution result. There are lots of literature [109][110][111][112][113][114] trying to improve on this point, such as the reachable path analysis based on attack graph [101,128,129,143,177], defense strategy analysis [111,124,161], and survivability analysis [126].…”

Section: Status Of Domestic Researchmentioning

confidence: 99%

“…According to the statistics and analysis of the existing literature, the quantification of the 3 elements (attack severity, attack occurrence/ success probability, and attack income) has basically formed a certain standard [102,[122][123][124]. On the basis of index system and index quantification, risk assessment algorithm can be developed to get the perception or evaluation result [109,[115][116][117].…”

Section: Status Of Domestic Researchmentioning

confidence: 99%

“…The intention of applying the Markov model to the cybersecurity situational awareness is to predict the attack and defense evolution effectively when the initial conditions are met, but there will be a large number of camouflage attacks or covert attacks during the attack. Forcing the application with inefficiency will lead to the extreme result of statistics (overexaggerating the impact of a certain accident or neglecting the impact of a key step), so Markov is generally combined with other models [53,109,162]. To obtain causal knowledge through Markov's method, and to simplify the operation process by one-step transition probability matrix, the model can be performed efficiently under large-scale networks.…”

Section: Stochastic Modelmentioning

confidence: 99%

See 3 more Smart Citations

Analysis framework of network security situational awareness and comparison of implementation methods

Huang

Wang

et al. 2019

J Wireless Com Network

View full text Add to dashboard Cite

Information technology has penetrated into all aspects of politics, economy, and culture of the whole society. The information revolution has changed the way of communication all over the world, promoted the giant development of human society, and also drawn unprecedented attention to network security issues. Studies, focusing on network security, have experienced four main stages: idealized design for ensuring security, auxiliary examination and passive defense, active analysis and strategy formulation, and overall perception and trend prediction. Under the background of the new strategic command for the digital control that all countries are scrambled for, the discussion of network security situational awareness presents new characteristics both in the academic study and industrialization. In this regard, a thorough investigation has been made in the present paper into the literature of network security situational awareness. Firstly, the research status both at home and abroad is introduced, and then, the logical analysis framework is put forward concerning the network security situational awareness from the perspective of the data value chain. The whole process is composed of five successive stages: factor acquisition, model representation, measurement establishment, solution analysis, and situation prediction. Subsequently, the role of each stage and the mainstream methods are elaborated, and the application results on the experimental objects and the horizontal comparison between the methods are explained. In an attempt to provide a panoramic recognition of network security situational awareness, and auxiliary ideas for the industrialization of network security, this paper aims to provide some references for the scientific research and engineering personnel in this field.

show abstract

Section: Classification Of Solution Analysis Methodsmentioning

confidence: 99%

Section: Status Of Domestic Researchmentioning

confidence: 99%

Section: Status Of Domestic Researchmentioning

confidence: 99%

Section: Stochastic Modelmentioning

confidence: 99%

See 2 more Smart Citations

Analysis framework of network security situational awareness and comparison of implementation methods

Huang

Wang

et al. 2019

J Wireless Com Network

View full text Add to dashboard Cite

show abstract

“…Considering that one attacker performs multiple attack steps to reach its goal, Xuewei et al [16] propose an approach to automatically identify the multistage attacks in intrusion alerts. First, alerts are clustered by related IP addresses using the method of connected components.…”

Section: Related Workmentioning

confidence: 99%

Intrusion Alert Correlation to Support Security Management

Kawakani¹,

Barbon²,

Miani³

et al. 2016

Anais Do Simpósio Brasileiro De Sistemas De Informação (SBSI)

View full text Add to dashboard Cite

To support information security, organizations deploy Intrusion Detection Systems (IDS) that monitor information systems and networks, generating alerts for every suspicious behavior. However, the huge amount of alerts that an IDS triggers and their low-level representation make the alerts analysis a challenging task. In this paper, we propose a new approach based on hierarchical clustering that supports intrusion alert analysis in two main steps. First, it correlates historical alerts to identify the most typical strategies attackers have used. Then, it associates upcoming alerts in real time according to the strategies discovered in the first step. The experiments were performed using a real data set from the University of Maryland. The results show that the proposed approach can provide useful information for security administrators and may reduce the time between a security event and the response.

show abstract