C4.5: programs for machine learning
C4.5: programs for machine learning
A requires/provides model for computer attacks
Proceedings of the 2000 workshop on New security paradigms
Discovery of Frequent Episodes in Event Sequences
Data Mining and Knowledge Discovery
STATL: an attack language for state-based intrusion detection
Journal of Computer Security
LAMBDA: A Language to Model a Database for Detection of Attacks
RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
Aggregation and Correlation of Intrusion-Detection Alerts
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Learning attack strategies from intrusion alerts
Proceedings of the 10th ACM conference on Computer and communications security
Clustering intrusion detection alarms to support root cause analysis
ACM Transactions on Information and System Security (TISSEC)
Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs
Journal of Network and Systems Management
Processing intrusion detection alert aggregates with time series modeling
Information Fusion
Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts
Computer Communications
Using unsupervised learning for network alert correlation
Canadian AI'08 Proceedings of the Canadian Society for computational studies of intelligence, 21st conference on Advances in artificial intelligence
An alert data mining framework for network-based intrusion detection system
WISA'05 Proceedings of the 6th international conference on Information Security Applications
Hi-index | 0.24 |
The discovery of sophisticated attack sequences demands the development of significantly better alert correlation algorithms. Most of the proposed approaches in the area of multi-step attack detection have limited capabilities because they rely on various forms of predefined knowledge of attacks or attack transition patterns using attack modeling language or pre-and post-conditions of individual attacks. Therefore, those approaches cannot recognize a correlation when an attack is new or the relationship between attacks is new. In this research, we take a different view and consider alert correlation as the problem of inferring an intruder's actions as alert patterns that are constructed progressively. The work is based on a multi-layer episode mining and filtering algorithm. A decision-tree-based method is used for learning specifications of each attack pattern and detecting them in alert streams. We also used a Correlation Weight Matrix (CWM) for encoding correlation strength between attack types in the attack scenarios. One of the distinguishing features of our proposed technique is detecting novel multi-step attack scenarios, using a rule prediction method. The results have shown that our approach can effectively discover known and unknown attack strategies with high accuracy. We achieved more than 90% reduction in the number of discovered patterns while more than 95% of final patterns were actual patterns. Furthermore, our rule prediction capability showed a precise forecasting ability in guessing future alerts.