Real-Time Alert Correlation with Type Graphs

Authors:
Gianni Tedesco;Uwe Aickelin
Affiliations:
School of Computer Science, University of Nottingham, Nottingham, United Kingdom NG8 1BB;School of Computer Science, University of Nottingham, Nottingham, United Kingdom NG8 1BB
Venue:
ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
Year:
2008

Citing 8
Cited 2

A requires/provides model for computer attacks

Proceedings of the 2000 workshop on New security paradigms
Constructing attack scenarios through correlation of intrusion alerts

Proceedings of the 9th ACM conference on Computer and communications security
Reasoning About Complementary Intrusion Evidence

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Alert Correlation through Triggering Events and Common Resources

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Hypothesizing and reasoning about attacks missed by intrusion detection systems

ACM Transactions on Information and System Security (TISSEC)
Analyzing intensive intrusion alerts via correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Integrating innate and adaptive immunity for intrusion detection

ICARIS'06 Proceedings of the 5th international conference on Artificial Immune Systems
An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts

ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security

A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs

Computer Networks: The International Journal of Computer and Telecommunications Networking
An alert correlation platform for memory-supported techniques

Concurrency and Computation: Practice & Experience

Quantified Score

Hi-index	0.00

Visualization

Abstract

The premise of automated alert correlation is to accept that false alerts from a low level intrusion detection system are inevitable and use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified in to two broad categories namely scenario-graph approaches, which create an attack model starting from a vulnerability assessment and type-graph approaches which rely on an abstract model of the relations between attack types. Some research in to improving the efficiency of type-graph correlation has been carried out but this research has ignored the hypothesizing of missing alerts. Our work is to present a novel type-graph algorithm which unifies correlation and hypothesizing in to a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to other techniques.