An Efficient Alert Aggregation Method Based on Conditional Rough Entropy and Knowledge Granularity

Sun, Jiaxuan; Gu, Lize; Chen, Kaiyuan

doi:10.3390/e22030324

Cited by 14 publications

(9 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A threshold can be set as a fixed value of the correlation coefficient, or calculated from the average value of the feature correlation (Hostiadi et al, 2019). The security event similarity approach can also take into account event attribute weights assigned depending on the attack class (Sun et al, 2020). In addition, similarity can be defined both between event attributes of the same type, and between attributes of different types (Kotenko et al, 2018a(Kotenko et al, , 2020.…”

Section: Rule-based Modelsmentioning

confidence: 99%

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Gaifulina

Kotenko

2023

Artif Intell Rev

View full text Add to dashboard Cite

Information systems need to process a large amount of event monitoring data. The process of finding the relationships between events is called correlation, which creates a context between independent events and previously collected information in real time and normalizes it for subsequent processing. In cybersecurity, events can determine the steps of attackers and can be analyzed as part of a specific attack strategy. In this survey, we present the systematization of security event correlation models in terms of their representation in AI-based monitoring systems as: rule-based, semantic, graphical and machine learning based-models. We define the main directions of current research in the field of AI-based security event correlation and the methods used for the correlation of both single events and their sequences in attack scenarios. We also describe the prospects for the development of hybrid correlation models. In conclusion, we identify the existing problems in the field and possible ways to overcome them.

show abstract

Section: Rule-based Modelsmentioning

confidence: 99%

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Gaifulina

Kotenko

2023

Artif Intell Rev

View full text Add to dashboard Cite

show abstract

“…In this method, an efficient alarm clustering method based on the time distance between alarms is proposed, which is helpful to preserve adjacent alarms in a cluster. To solve the problem of a large number of redundant alarms generated by IDS, Sun and Chen [1] proposed an alarm aggregation scheme based on the combination of conditional rough entropy and knowledge granularity. Based on this scheme, the weights of different attributes in the alarms were obtained, and the similarity values of the alarms were calculated within the sliding time window to aggregate the similar alarms to reduce redundant alarms.…”

Section: Literature Reviewmentioning

confidence: 99%

“…With the continuous development of computer network technology, people are more and more dependent on the convenience brought by the internet, but at the same time, the characteristics of the network, such as openness and complexity, also lead to the complexity and diversity of network security threats. In order to avoid the damage caused by network threats, many network security technologies are widely used, such as firewall, intrusion detection system (IDS), vulnerability scanning program and so on [1]. This study mainly focuses on the IDS, especially on how to improve the efficiency and performance of the IDS when dealing with network security events.…”

Section: Introductionmentioning

confidence: 99%

“…In the past studies, many scholars have used different technologies to deal with the problem of redundant alarms generated by the IDS [16]. These methods can be generally divided into clustering-based methods [17][18][19], attribute-similarity-based methods [1,20], expertsystem-based methods [21,22], genetic-algorithm-based methods [23,24], data-miningbased methods [25,26], etc.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Research on Alarm Reduction of Intrusion Detection System Based on Clustering and Whale Optimization Algorithm

Wang¹,

Gu²,

Tang³

2021

Applied Sciences

Self Cite

View full text Add to dashboard Cite

With the frequent occurrence of network security events, the intrusion detection system will generate alarm and log records when monitoring the network environment in which a large number of log and alarm records are redundant, which brings great burden to the server storage and security personnel. How to reduce the redundant alarm records in network intrusion detection has always been the focus of researchers. In this paper, we propose a method using the whale optimization algorithm to deal with massive redundant alarms. Based on the alarm hierarchical clustering, we integrate the whale optimization algorithm into the process of generating alarm hierarchical clustering and optimizing the cluster center and put forward two versions of local hierarchical clustering and global hierarchical clustering, respectively. To verify the feasibility of the algorithm, we conducted experiments on the UNSW-NB15 data set; compared with the previous alarm clustering algorithms, the alarm clustering algorithm based on the whale optimization algorithm can generate higher quality clustering in a shorter time. The results show that the proposed algorithm can effectively reduce redundant alarms and reduce the load of IDS and staff.

show abstract

“…It simply means that there is a series of relevant actions within a contiguous time proximity and worthy of being analyzed collectively. Many alert aggregation efforts exist and shed lights on various contextually meaningful attributes, e.g., [28]- [31]. Different from many existing works, finding A here is not meant to aggregate similar alerts into a meta-alert.…”

Section: Alert Streams and Aggregation Of Attack Actionsmentioning

confidence: 99%

Near Real-time Learning and Extraction of Attack Models from Intrusion Alerts

Yang,

Okutan,

Werner

et al. 2021

Preprint

View full text Add to dashboard Cite

Critical and sophisticated cyberattacks often take multitudes of reconnaissance, exploitations, and obfuscation techniques to penetrate through well protected enterprise networks. The discovery and detection of attacks, though needing continuous efforts, is no longer sufficient. Security Operation Center (SOC) analysts are overwhelmed by the significant volume of intrusion alerts without being able to extract actionable intelligence. Recognizing this challenge, this paper describes the advances and findings through deploying ASSERT to process intrusion alerts from OmniSOC in collaboration with the Center for Applied Cybersecurity Research (CACR) at Indiana University. ASSERT utilizes information theoretic unsupervised learning to extract and update 'attack models' in near real-time without expert knowledge. It consumes streaming intrusion alerts and generates a small number of statistical models for SOC analysts to comprehend ongoing and emerging attacks in a timely manner. This paper presents the architecture and key processes of ASSERT and discusses a few real-world attack models to highlight the use-cases that benefit SOC operations. The research team is developing a light-weight containerized ASSERT that will be shared through a public repository to help the community combat the overwhelming intrusion alerts.

show abstract

An Efficient Alert Aggregation Method Based on Conditional Rough Entropy and Knowledge Granularity

Cited by 14 publications

References 44 publications

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Research on Alarm Reduction of Intrusion Detection System Based on Clustering and Whale Optimization Algorithm

Near Real-time Learning and Extraction of Attack Models from Intrusion Alerts

Contact Info

Product

Resources

About