Intrusion Alert Correlation to Support Security Management

Kawakani, Cláudio Toshio; Barbon, Sylvio; Miani, Rodrigo Sanches; Cukier, Michel; Zarpelão, Bruno Bogaz

doi:10.5753/sbsi.2016.5977

Cited by 7 publications

(9 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Instead of relying on simple analysis techniques such as with Prelude-Correlator more sophisticated approaches as proposed in [25] are aimed to be integrated in the near future. Multiple techniques applied alongside in a hybrid fashion could improve the incident analysis capabilities.…”

Section: Discussionmentioning

confidence: 99%

Incident Reaction Based on Intrusion Detections’ Alert Analysis

Heigl

Doerr

Almaini

et al. 2018

2018 International Conference on Applied Electronics (AE)

View full text Add to dashboard Cite

The protection of internetworked systems by cryptographic techniques have crystallized as a fundamental aspect in establishing secure systems. Complementary, detection mechanisms for instance based on Intrusion Detection Systems has established itself as a fundamental part in holistic security ecosystems in the previous years. However, the interpretation of and reaction on detected incidents is still a challenging task. In this paper an incident handling environment with relevant components and exemplary functionality is proposed that involves the processes from the detection of incidents over their analysis to the execution of appropriate reactions. An evaluation of a selection of implemented interacting components using technology such as OpenFlow or Snort generally proofs the concept.

show abstract

Section: Discussionmentioning

confidence: 99%

Incident Reaction Based on Intrusion Detections’ Alert Analysis

Heigl

Doerr

Almaini

et al. 2018

2018 International Conference on Applied Electronics (AE)

View full text Add to dashboard Cite

show abstract

“…For some IDS introduced problems, a few methods were proposed in our previous work [16,17], the redundant alerts, for example, can be reduced in the action extraction phase, and a few repeated action patterns can be removed in the session pruning phase by the pruning algorithm. In this paper, we mainly focus on the incomplete and disordered session (sequence) learning and attack pattern discovery in real-time.…”

Section: Methodsmentioning

confidence: 99%

Online Mining Intrusion Patterns from IDS Alerts

Zhang

Yang

et al. 2020

Applied Sciences

View full text Add to dashboard Cite

The intrusion detection system (IDS) which is used widely in enterprises, has produced a large number of logs named alerts, from which the intrusion patterns can be mined. These patterns can be used to construct the intrusion scenarios or discover the final objectives of the malicious actors, and even assist the forensic works of network crimes. In this paper, a novel algorithm for the intrusion pattern mining is proposed which aimsto solve the difficult problems of the intrusion action sequence such as the loss of important intrusion actions, the disorder of the action sequence and the random noise actions. These common problems often occur in the real production environment which cause serious performance decrease in the analyzing system. The proposed algorithm is based on the online analysis of the intrusion action sequences extracted from IDS alerts, through calculating the influences of a particular action on the subsequent actions, the real intrusion patterns are discovered. The experimental results show that the method is effective in discovering pattern from the complex intrusion action sequences.

show abstract

“…where CR represents the correlation ratio, NPA represents the number of alarms correctly participating in the association, and TNA represents the total number of alarms. This paper selects two different alarm correlation analysis methods proposed in literature [40] and literature [41] to compare with the method proposed in this paper. Among them, literature [40] and literature [41] use a single alarm correlation method.…”

Section: Correlation Efficiency Analysismentioning

confidence: 99%

“…This paper selects two different alarm correlation analysis methods proposed in literature [40] and literature [41] to compare with the method proposed in this paper. Among them, literature [40] and literature [41] use a single alarm correlation method. It can be seen from Table 3 that our multitype mixed alarm correlation method is the method with the best correlation effect, and the correlation ratio reaches 96.7%, which is higher than the single correlation method.…”

Section: Correlation Efficiency Analysismentioning

confidence: 99%

A Hybrid Alarm Association Method Based on AP Clustering and Causality

Tao

Shi

Zhao

et al. 2021

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

Internet of Things (IoT) brought great convenience to people’s daily lives. Meanwhile, the IoT devices are facing severe attacks from hackers and malicious attackers. Hackers and malicious attackers use various methods to invade the Internet of Things system, causing the Internet of Things to face a large number of targeted, concealed, and penetrating potential threats, which makes the privacy problem of the Internet of Things suffers serious challenges. But the existing methods and technologies cannot fully identify the attacker’s attack process and protect the privacy of the Internet of Things. Alarm correlation method can construct a complete attack scenario and identify the attacker’s intention by alarming the alarm data which provides an effective protection for user privacy. However, the existing alarm correlation methods still have the disadvantages of low correlation accuracy, poor correlation efficiency, and strong dependence on the knowledge base. To address these issues, we propose an alarm correlation method based on Affinity Propagation (AP) clustering algorithm and causal relationship. Our method considers that the alarm data triggered by the same attack process has high similarity characteristics, adopts the AP algorithm to improve the correlation efficiency, and at the same time constructs a complete attack process based on the causal correlation idea. The new alarm correlation method has a high correlation effect and builds a complete attack process to help managers identify attack intentions and prevent attacks.

show abstract

Intrusion Alert Correlation to Support Security Management

Cited by 7 publications

References 12 publications

Incident Reaction Based on Intrusion Detections’ Alert Analysis

Incident Reaction Based on Intrusion Detections’ Alert Analysis

Online Mining Intrusion Patterns from IDS Alerts

A Hybrid Alarm Association Method Based on AP Clustering and Causality

Contact Info

Product

Resources

About