Intrusion alert prioritisation and attack detection using post-correlation analysis

Shittu, Riyanat; Healing, Alex; Ghanea-Hercock, Robert; Bloomfield, Robin; Rajarajan, Muttukrishnan

doi:10.1016/j.cose.2014.12.003

Cited by 51 publications

(23 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Clustering algorithms had been used in past to detect cyber attacks such as intrusion detection (Shittu, Healing, Ghanea-Hercock, Bloomfield, andRajarajan 2015, Casas, Mazel, andOwezarski 2012), anomaly detection (Akoglu, Tong, and Koutra 2015), and many more. The main idea behind the intrusion detection using a clustering algorithm is based on the main idea of clustering the attack nodes in the graph together.…”

Section: Community Discovering and Clustering Algorithmsmentioning

confidence: 99%

“…The main idea behind the intrusion detection using a clustering algorithm is based on the main idea of clustering the attack nodes in the graph together. Event correlation proposed by Shittu et al (Shittu, Healing, Ghanea-Hercock, Bloomfield, and Rajarajan 2015) use the post-correlation methods to cluster the correlated attacks together. Akoglu et al (Akoglu, Tong, and Koutra 2015) have summarized various applications of clustering approach to detect anomaly detection when the attacker is tampering sensitive data.…”

Section: Community Discovering and Clustering Algorithmsmentioning

confidence: 99%

See 1 more Smart Citation

Multimodal Graph Analysis of Cyber Attacks

Ghose

Lazos

Rozenblit

et al. 2019

2019 Spring Simulation Conference (SpringSim)

View full text Add to dashboard Cite

The limited information on the cyberattacks available in the unclassified regime, hardens standardizing the analysis. We address the problem of modeling and analyzing cyberattacks using a multimodal graph approach. We formulate the stages, actors, and outcomes of cyberattacks as a multimodal graph. Multimodal graph nodes include cyberattack victims, adversaries, autonomous systems, and the observed cyber events. In multimodal graphs, single-modality graphs are interconnected according to their interaction. We apply community and centrality analysis on the graph to obtain in-depth insights into the attack. In community analysis, we cluster those nodes that exhibit "strong" intermodal ties. We further use centrality to rank the nodes according to their importance. Classifying nodes according to centrality provides the progression of the attack from the attacker to the targeted nodes. We apply our methods to two popular case studies, namely GhostNet and Putter Panda and demonstrate a clear distinction in the attack stages.

show abstract

Section: Community Discovering and Clustering Algorithmsmentioning

confidence: 99%

Section: Community Discovering and Clustering Algorithmsmentioning

confidence: 99%

Multimodal Graph Analysis of Cyber Attacks

Ghose

Lazos

Rozenblit

et al. 2019

2019 Spring Simulation Conference (SpringSim)

View full text Add to dashboard Cite

show abstract

“…Shittu et.al. [19] propsed A comperhensive System for Analysing Intrusion Alerts (ACSAnIA). it contains seven components which are: (1) Offline Correlation (2) Online Correlation (3)Meta alert Comparison (4) Meta–alert Prioritisation (5)Meta–alert Clustering (6) Attack Pattern Discovery and (7) Reporting System.…”

Section: Related Workmentioning

confidence: 99%

Feature Selection Using Information Gain for Improved Structural-Based Alert Correlation

et al. 2016

View full text Add to dashboard Cite

Grouping and clustering alerts for intrusion detection based on the similarity of features is referred to as structurally base alert correlation and can discover a list of attack steps. Previous researchers selected different features and data sources manually based on their knowledge and experience, which lead to the less accurate identification of attack steps and inconsistent performance of clustering accuracy. Furthermore, the existing alert correlation systems deal with a huge amount of data that contains null values, incomplete information, and irrelevant features causing the analysis of the alerts to be tedious, time-consuming and error-prone. Therefore, this paper focuses on selecting accurate and significant features of alerts that are appropriate to represent the attack steps, thus, enhancing the structural-based alert correlation model. A two-tier feature selection method is proposed to obtain the significant features. The first tier aims at ranking the subset of features based on high information gain entropy in decreasing order. The‏ second tier extends additional features with a better discriminative ability than the initially ranked features. Performance analysis results show the significance of the selected features in terms of the clustering accuracy using 2000 DARPA intrusion detection scenario-specific dataset.

show abstract

“…Intrusion detection system has been studied by means of machine learning, and the detection rate has got improvements [12][13][14][15][16][17][18][19]. In addition, intrusion detection has been performed by using feature association technique, and the data set has been used for analysis [20][21][22][23][24][25].…”

Section: Anomaly Detectionmentioning

confidence: 99%

A Universal High-Performance Correlation Analysis Detection Model and Algorithm for Network Intrusion Detection System

Zhu

Liu

Sun

et al. 2017

Mathematical Problems in Engineering

View full text Add to dashboard Cite

In big data era, the single detection techniques have already not met the demand of complex network attacks and advanced persistent threats, but there is no uniform standard to make different correlation analysis detection be performed efficiently and accurately. In this paper, we put forward a universal correlation analysis detection model and algorithm by introducing state transition diagram. Based on analyzing and comparing the current correlation detection modes, we formalize the correlation patterns and propose a framework according to data packet timing and behavior qualities and then design a new universal algorithm to implement the method. Finally, experiment, which sets up a lightweight intrusion detection system using KDD1999 dataset, shows that the correlation detection model and algorithm can improve the performance and guarantee high detection rates.

show abstract

Intrusion alert prioritisation and attack detection using post-correlation analysis

Cited by 51 publications

References 29 publications

Multimodal Graph Analysis of Cyber Attacks

Multimodal Graph Analysis of Cyber Attacks

Feature Selection Using Information Gain for Improved Structural-Based Alert Correlation

A Universal High-Performance Correlation Analysis Detection Model and Algorithm for Network Intrusion Detection System

Contact Info

Product

Resources

About