Real-time analysis of intrusion detection alerts via correlation

Lee, Soojin; Chung, Byungchun; Kim, Heeyoul; Lee, Yunho; Park, Chan-Il; Yoon, Hyunsoo

doi:10.1016/j.cose.2005.09.004

Cited by 31 publications

(16 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most of the existing approaches in alert correlation can be categorized as similarity‐based, scenario‐based, precondition/postcondition–based, or statistical causality analysis approaches. In similarity‐based methods , the correlation probability between alerts is estimated on the basis of the similarity of their attributes. Methods in this category can be classified into two subgroups: knowledge‐based methods that require some expert knowledge in the form of alert type similarity to find correlated alerts and inference‐based methods that specify the causally related alerts by using statistical or machine‐learning techniques.…”

Section: Related Workmentioning

confidence: 99%

A Bayesian network‐based approach for learning attack strategies from intrusion alerts

Kavousi

Akbari

2013

Security Comm Networks

View full text Add to dashboard Cite

A tremendous number of low-level alerts reported by information security systems clearly reflect the need for an advanced alert correlation system to reduce alert redundancy, correlate security alerts, detect attack strategies, and take appropriate actions against upcoming attacks. Up to now, a variety of alert correlation methods have been suggested. However, most of them rely on a priori and hard-coded domain expert knowledge that leads to their difficult implementation and limited capabilities of detecting new attack strategies. To overcome the drawbacks of these approaches, the recent trend of research in alert correlation has gone towards extracting attack strategies through automatic analysis of intrusion alerts. In line with the recent researches, in this paper, we present new algorithms to automatically mine attack behavior patterns from historical alerts as accurately and efficiently as possible. Our system is composed of two main components. The first offline component automatically generates correlation rules by analyzing the previously observed alerts using a Bayesian causality analysis mechanism. Then, in the online alert correlation component, alerts are correlated using a hierarchical scheme and based on the extracted rules. Our experimental results clearly show efficiency of the proposed method in learning new attack strategies.

show abstract

Section: Related Workmentioning

confidence: 99%

A Bayesian network‐based approach for learning attack strategies from intrusion alerts

Kavousi

Akbari

2013

Security Comm Networks

View full text Add to dashboard Cite

show abstract

“…Correspondingly, they can be used to correlate previously unseen attacks. Meanwhile, correlation techniques, which identify similarities between events largely use clustering techniques to group them based on their features [23]. A general drawback of these approaches is that empirically acquired domain knowledge is required to configure the clustering mechanisms, although some exceptions exist [24].…”

Section: Resilience Strategy Deploymentmentioning

confidence: 99%

Management patterns: SDN-enabled network resilience management

Smith

Schaeffer-Filho

Hutchison

et al. 2014

2014 IEEE Network Operations and Management Symposium (NOMS)

View full text Add to dashboard Cite

Software-defined networking provides abstractions and a flexible architecture for the easy configuration of network devices, based on the decoupling of the data and control planes. This separation has the potential to considerably simplify the implementation of resilience functionality (e.g., traffic classification, anomaly detection, traffic shaping) in future networks. Although software-defined networking in general, and OpenFlow as its primary realisation, provide such abstractions, support is still needed for orchestrating a collection of OpenFlow-enabled services that must cooperate to implement network-wide resilience. In this paper, we describe a resilience management framework that can be readily applied to this problem. An important part of the framework are policy-controlled management patterns that describe how to orchestrate individual resilience services, implemented as OpenFlow applications.

show abstract

“…The key part of this algorithm is the compute of alarms correlation degree. Currently, related algorithm are being widely studied [11,12,13], and it is not the important point of this paper, so we just choose the real time method of literature [14].…”

Section: Reappearance Of Intrusion Scenariomentioning

confidence: 99%

A Data-Fusion-Based Method for Intrusion Detection System in Networks

Zhao¹,

Jiang²,

Jiao³

2009

IJIEEB

View full text Add to dashboard Cite

Hackers' attacks are more and more intelligent, which makes it hard for single intrusion detection methods to attain favorable detection result. Therefore, many researches have carried out how to combine multiple security measures to provide the network system more effective protection. However, so far none of those methods can achieve the requirement of the practical application. A new computer information security protection system based on data fusion theory is proposed in this paper. Multiple detection measures are "fused" in this system, so that it has lower false negatives rate and false positive rate as well as better scalabilities and robust.

show abstract

Real-time analysis of intrusion detection alerts via correlation

Cited by 31 publications

References 10 publications

A Bayesian network‐based approach for learning attack strategies from intrusion alerts

A Bayesian network‐based approach for learning attack strategies from intrusion alerts

Management patterns: SDN-enabled network resilience management

A Data-Fusion-Based Method for Intrusion Detection System in Networks

Contact Info

Product

Resources

About