Multilevel event correlation based on collaboration and temporal causal correlation

Authors:
Ting Gu;Debao Xiao;Xuejiao Liu;Xue Xia
Affiliations:
Institute of Computer Network and Communication, Dept. Computer Science, Huazhong Normal University, Wuhan, P.R.China;Institute of Computer Network and Communication, Dept. Computer Science, Huazhong Normal University, Wuhan, P.R.China;Institute of Computer Network and Communication, Dept. Computer Science, Huazhong Normal University, Wuhan, P.R.China;Institute of Computer Network and Communication, Dept. Computer Science, Huazhong Normal University, Wuhan, P.R.China
Venue:
WiCOM'09 Proceedings of the 5th International Conference on Wireless communications, networking and mobile computing
Year:
2009

Citing 9
Cited 1

Constructing attack scenarios through correlation of intrusion alerts

Proceedings of the 9th ACM conference on Computer and communications security
STATL: an attack language for state-based intrusion detection

Journal of Computer Security
Aggregation and Correlation of Intrusion-Detection Alerts

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Alert Correlation in a Cooperative Intrusion Detection Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Clustering intrusion detection alarms to support root cause analysis

ACM Transactions on Information and System Security (TISSEC)
Techniques and tools for analyzing intrusion alerts

ACM Transactions on Information and System Security (TISSEC)
A Comprehensive Approach to Intrusion Detection Alert Correlation

IEEE Transactions on Dependable and Secure Computing
Alert Verification Based on Attack Classification in Collaborative Intrusion Detection

SNPD '07 Proceedings of the Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing - Volume 02
TRINETR: An architecture for collaborative intrusion detection and knowledge-based alert evaluation

Advanced Engineering Informatics

Security alert correlation using growing neural gas

CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Intrusion detection System (IDS) always focus on low-level attacks and raise attacks independently, though there may be logical connections between them. Meanwhile, the number of alerts becomes unmanageable including actual alerts mixed with false alerts. Therefore, improved techniques are needed. The general idea in this paper is to introduce collaboration achieved by taking advantage of various kinds of contextual information and thus enable IDS to correctly identify successful attacks while simultaneously reducing the number of false positives. In this paper, a multilevel event correlation structure is proposed by firstly assigning each alert a value of confidence using contextual information and then correlates the preprocessed alerts based on improved temporal causal correlation combining with confidence value. At the end, a scenario graph and a high-level alert with final confidence are presented, which indicates the reliability of attacks launched through specific path. Through the experimental results with DARPA Data sets 2000 from Lincoln laboratory, it demonstrates the potential of the proposed techniques.