An Alert Correlation Method Based on Multi-factors

doi:10.3969/j.issn.1006-2475.2019.06.005

Abstract

Abstract: Intrusion detection system has been widely used as an important tool to protect network security, and they usually generate a large number of alerts with high redundancy and high false positive rate. Alert correlation analysis reveals the multi-step attack scenarios contained in it through the comprehensive analysis and processing of the underlying alarms. Many existing alert correlation methods rebuild attack scenarios by mining frequent patterns in historical alerts. Multi-step attack chains obtained by these methods are susceptible to redundant alerts and false positives, and can’t reflect the real multi-step attacks in some cases. Therefore, this paper proposes an alert correlation method based on multiple factors which reduces the impact of redundant alerts by aggregating the raw alerts to obtain hyper alerts, constructs hyper alerts into hyper-alert time relation graph and uses the multi-factor correlation evaluation function between hyper alerts to find multi-step attack scenarios from the time relation graph. The experimental results show that the proposed method can overcome the negative effects caused by redundant alerts and false positives and effectively mine multi-step attack scenarios.

Key words: alert correlation, multi-step attack sequence, hyper alert, relevance evaluation

CLC Number:

TP393.08

WU Dong1,2, GUO Chun1,2, SHEN Guo-wei1,2. An Alert Correlation Method Based on Multi-factors[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2019.06.005.

References

［1］国家互联网应急中心. 2017年中国互联网网络安全报告［EB/OL］. ［2019-03-25］. http://www.cert.org.cn/publish/main/upload/File/2017annual(1).pdf.
［2］郭春. 基于数据挖掘的网络入侵检测关键技术研究［D］. 北京:北京邮电大学, 2014.
［3］ MIANI R S, ZARPELO B B, SOBESTO B, et al. A practical experience on evaluating intrusion prevention system event data as indicators of security issues［C］// 2015 IEEE 34th Symposium on Reliable Distributed Systems. 2016:296-305.
［4］ SALAH S, MACI-FERNNDEZ G, DAZ-VERDEJO J E. A model-based survey of alert correlation techniques［J］. Computer Networks, 2013,57(5):1289-1317.
［5］ CHEUNG S, LINDQVIST U, FONG M W. Modeling multistep cyber attacks for scenario recognition［C］// DARPA Information Survivability Conference & Exposition. 2003:284-292.
［6］ ECKMANN S T, VIGNA G, KEMMERER R A. STATL: An Attack Language for State-based Intrusion Detection［M］. IOS Press, 2012.
［7］旷庆圆,武斌,伍淳华. 基于攻击意图的安全事件关联算法［C］// 第十九届全国青年通信学术年会论文集. 2014:241-246.〖HJ1.08mm〗
［8］李之棠,王莉,李东. 一种新的在线攻击意图识别方法研究［J］. 小型微型计算机系统, 2008,29(7):1347-1352.
［9］田志宏,张永铮,张伟哲,等. 基于模式挖掘和聚类分析的自适应告警关联［J］. 计算机研究与发展, 2009,46(8):1304-1315.
［10］BAMASAK O O, BAHARETH F A . Constructing attack scenario using sequential pattern mining with correlated candidate sequences［J］. International Journal of ACM Jordan, 2013,2(3):102-108.
［11］王泽芳,袁平,黄晓芳. 一种新的多步攻击场景构建技术研究［J］. 西南科技大学学报， 2016,31(1):55-60.
［12］VALDES A, SKINNER K. Probabilistic alert correlation［C］// International Workshop on Recent Advances in Intrusion Detection. 2001:54-68.
［13］DAIN O, CUNNINGHAM R K. Fusing a heterogeneous alert stream into scenarios［C］// Proceedings of 2001 ACM Workshop on Data Mining for Security Applications. 2001:103-122.
［14］HOFMANN A, SICK B. Online intrusion alert aggregation with generative data stream modeling［J］. International Journal of Electronics & Computer Science Engineering, 2012,1(4):282-294.
［15］CHEN S, LEUNG H, DONDO M. Characterization of computer network events through simultaneous feature selection and clustering of intrusion alerts［C］// Proceedings of the SPIE on Multisensor, Multisource Intormation Fusion: Architectures, Algorithms, and Applications. 2014.
［16］NING P, CUI Y, REEVES D S, et al. Techniques and tools for analyzing intrusion alerts［J］. ACM Transactions on Information & System Security, 2004,7(2):274-318.
［17］王硕,汤光明,王建华,等. 基于因果知识网络的攻击场景构建方法［J］. 计算机研究与发展, 2018,55(12):2620-2636.
［18］黄静耘. 基于大数据分析的网络攻击场景重建系统［D］. 天津:天津理工大学, 2017.
［19］樊迪,刘静,庄俊玺,等. 基于因果知识发现的攻击场景重构研究［J］. 网络与信息安全学报, 2017,3(4):58-68.
［20］RAMAKI A A, KHOSRAVI-FARMAD M, BAFGHI A G. Real time alert correlation and prediction using Bayesian networks［C］// Proceedings of 2015 12th International Iranian Society of Cryptology Conference on Information Security & Cryptology. 2016:98-103.
［21］SHITTU R, HEALING A, GHANEA-HERCOCK R, et al. Intrusion alert prioritisation and attack detection using post-correlation analysis［J］. Computers & Security, 2015,50(C):1-15.
［22］穆成坡,黄厚宽,田盛丰. 入侵检测系统报警信息聚合与关联技术研究综述［J］. 计算机研究与发展, 2006(1):1-8.
［23］AHMED T, SIRAJ M M, ZAINAL A, et al. A taxonomy on intrusion alert aggregation techniques［C］// International Symposium on Biometrics & Security Technologies. 2015.
［24］MIT Lincoln Laboratory. 2000 DARPA Intrusion Detection Scenario Specific Dataset［EB/OL］. ［2019-03-25］. https://www.ll.mit.edu/r-d/datasets/2000-darpa-intrusion-detection-scenario-specific-datasets.

[1]	XIAO Hang, LI Peng, MA Hui-ping, ZHU Feng, . RFID System Security Analysis Model Based on Stochastic Petri Net [J]. Computer and Modernization, 2023, 0(09): 105-114.
[2]	DAI Rui-feng. Model Construction of College Network Security System Based on SSL Virtual Technology [J]. Computer and Modernization, 2020, 0(08): 122-126.
[3]	ZHANG Yu1,2, GUO Chun1,2, SHEN Guo-wei1,2, PING Yuan3. An IDS Alerts Preprocessing Method Based on Information Entropy [J]. Computer and Modernization, 2020, 0(05): 111-.
[4]	JIANG Wan-ming1,2, GUO Chun1,2, JIANG Chao-hui1,2. A Low-rate DDoS Attack Detection Method Based on BiLSTM [J]. Computer and Modernization, 2020, 0(05): 120-.
[5]	CAO Yong-ming. A Fuzzy Keyword Search Encryption Scheme Without Secure Channel [J]. Computer and Modernization, 2020, 0(04): 42-.
[6]	WANG Yao, LI Wei, WU Ke-he, CUI Wen-chao. Application of Fusion Model of GBDT and LR in Encrypted Traffic Identification [J]. Computer and Modernization, 2020, 0(03): 93-.
[7]	QIN Lu-lu, ZHOU Li-jing, WANG Min. A Conditional Proxy Re-encryption Supporting Multi-keyword Search [J]. Computer and Modernization, 2020, 0(01): 100-.
[8]	ZHOU Li-jing, WANG Min, QIN Lu-lu . CP-ABE Scheme with Attribute Revocation Under Environment of Multi-attribute Authority [J]. Computer and Modernization, 2019, 0(11): 60-.
[9]	SONG Zi-hua1,2, GUO Chun1,2, JIANG Chao-hui1,2. A Fast Trojan Detection Method Based on Network Traffic Analysis [J]. Computer and Modernization, 2019, 0(06): 9-.
[10]	ZENG Qi, HAN Xiao, CAO Yong-ming. Integrated Public Key Encryption and Public Key Encryption with Keyword Search [J]. Computer and Modernization, 2019, 0(04): 103-.
[11]	MI Qian-kun1, WU Bin2, DU Ning1,QIN Xi1. Information System Security Risk Assessment Based on Incomplete Information Game Model [J]. Computer and Modernization, 2019, 0(04): 118-.
[12]	LIAN Geng-xiong . Trusted Mobile Application Market Based on Blockchain [J]. Computer and Modernization, 2019, 0(03): 58-.
[13]	SUN Yuan, LIAO Xiao-ping. Abnormal Data Detection Method Based on Intelligent Bat Algorithm [J]. Computer and Modernization, 2019, 0(03): 62-.
[14]	HAN Xiao, ZENG Qi, CAO Yong-ming . An Efficient Proxy Re-encryption Scheme with Keyword Search [J]. Computer and Modernization, 2019, 0(03): 117-.
[15]	WANG Tong, AI Zhong-liang, ZHANG Xian-guo. Knowledge Graph Construction of Threat Intelligence Based on Deep Learning [J]. Computer and Modernization, 2018, 0(12): 21-.