Real-time alert correlation using stream data mining techniques

Authors:
Reza Sadoddin;Ali A. Ghorbani
Affiliations:
Information Security Centre of Excellence, Faculty of Computer Science, University of New Brunswick, Fredericton, NB, Canada;Information Security Centre of Excellence, Faculty of Computer Science, University of New Brunswick, Fredericton, NB, Canada
Venue:
IAAI'08 Proceedings of the 20th national conference on Innovative applications of artificial intelligence - Volume 3
Year:
2008

Citing 8
Cited 1

Mining frequent patterns without candidate generation

SIGMOD '00 Proceedings of the 2000 ACM SIGMOD international conference on Management of data
A requires/provides model for computer attacks

Proceedings of the 2000 workshop on New security paradigms
STATL: an attack language for state-based intrusion detection

Journal of Computer Security
Frequent Subgraph Discovery

ICDM '01 Proceedings of the 2001 IEEE International Conference on Data Mining
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Alert Correlation in a Cooperative Intrusion Detection Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Clustering intrusion detection alarms to support root cause analysis

ACM Transactions on Information and System Security (TISSEC)
A probabilistic-based framework for infosec alert correlation

A probabilistic-based framework for infosec alert correlation

Survey A model-based survey of alert correlation techniques

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

With the large volume of alerts produced by low-level detectors, management of intrusion alerts is becoming more challenging. Alert Correlation addresses this issue by providing a condensed, yet more useful view of the network from the intrusion standpoint. In this paper, we propose a new framework for real-time alert correlation that incorporates novel techniques for aggregating alerts into structured patterns and incremental mining of frequent structured patterns. In the proposed framework, time-sensitive statistical relationships between alerts are maintained in an efficient data structure and are updated incrementally to reflect the latest trends of patterns. The results of experiments with synthetic and real-world datasets demonstrate the efficiency of the proposed techniques. Our Frequent Structure Mining algorithm scales linearly with the size of the dataset and the proposed framework can cope with the throughput of a large-scale network. The ability to answer time-sensitive queries about patterns is another advantage of this work compared to other methods.