Intrusion alert prioritisation and attack detection using post-correlation analysis

Article English OPEN
Shittu, R. ; Healing, A. ; Ghanea-Hercock, R. ; Bloomfield, R. E. ; Rajarajan, M. (2015)

Event Correlation used to be a widely used technique for interpreting alert logs and discovering network attacks. However, due to the scale and complexity of today's networks and attacks, alert logs produced by these modern networks are much larger in volume and difficult to analyse. In this research we show that adding post-correlation methods can be used alongside correlation to significantly improve the analysis of alert logs.\ud \ud We proposed a new framework titled A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). The post-correlation methods include a new prioritisation metric based on anomaly detection and a novel approach to clustering events using correlation knowledge. One of the key benefits of the framework is that it significantly reduces false-positive alerts and it adds contextual information to true-positive alerts.\ud \ud We evaluated the post-correlation methods of ACSAnIA using data from a 2012 cyber range experiment carried out by industrial partners of the British Telecom Security Practice Team. In one scenario, our results show that false-positives were successfully reduced by 97% and in another scenario, 16%. It also showed that clustering correlated alerts aided in attack detection.\ud \ud The proposed framework is also being developed and integrated into a pre-existing Visual Analytic tool developed by the British Telecom SATURN Research Team for the analysis of cyber security data.
  • References (39)
    39 references, page 1 of 4

    Aggarwal, C. C., Zhao, Y., Yu, P. S., 2010. On Clustering Graph Streams. Proceedings of the 2010 SIAM International Conference on Data Mining, 478{489.

    Ahmadinejad, S. H., Jalili, S., 2009. Alert Correlation Using Correlation Probability Estimation and Time Windows. 2009 International Conference on Computer Technology and Development (1), 170{175.

    Alienvault, 2013. AlienVault Uni ed Security Management. URL

    Alireza Sadighian, J. M. F., 2013. ONTIDS: A highly exible context-aware and ontology-based alert correlation framework.

    Alsubhi, K., Aib, I., Boutaba, R., 2012. FuzMet : a fuzzy-logic based alert prioritization engine for intrusion detection systems. International Journal of Network Management 22 (4), 263{284.

    Alsubhi, K., Al-Shaer, E., Boutaba, R., 2008. Alert prioritization in Intrusion Detection Systems. NOMS 2008 - 2008 IEEE Network Operations and Management Symposium, 33{40.

    Benferhat, S., Boudjelida, A., Tabia, K., Drias, H., 2013. An intrusion detection and alert correlation approach based on revising probabilistic classi ers using expert knowledge. Applied intelligence 38 (4), 520{540.

    Breunig, M. M., Kriegel, H.-p., Ng, R. T., Sander, J., 2000. LOF : Identifying Density-Based Local Outliers. Proceedings Of The 2000 Acm Sigmod International Conference On Management Of Data, 1{12.

    Cedric Michel, L. M., 2001. Adele: An Attack Description Language For Knowledge-Based Intrusion Detection. Trusted Information, 353{368.

    Chen, S., Leung, H., Dondo, M., May 2014. Characterization of computer network events through simultaneous feature selection and clustering of intrusion alerts. In: Braun, J. J. (Ed.), SPIE Sensing Technology + Applications. International Society for Optics and Photonics, p. 912107.

  • Related Research Results (1)
  • Similar Research Results (1)
  • Metrics
    views in OpenAIRE
    views in local repository
    downloads in local repository

    The information is available from the following content providers:

    From Number Of Views Number Of Downloads
    City Research Online - IRUS-UK 0 212
Share - Bookmark