Real-time alert correlation with type graphs

The premise of automated alert correlation is to accept that false alerts from a low level intrusion detection system are inevitable and use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified in to two broad categories namely scenario-graph approaches, which create an attack model starting from a vulnerability assessment and type-graph approaches which rely on an abstract model of the relations between attack types. Some research in to improving the efficiency of type-graph correlation has been carried out but this research has ignored the hypothesizing of missing alerts. Our work is to present a novel type-graph algorithm which unifies correlation and hypothesizing in to a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to other techniques

A graph oriented approach for network forensic analysis

Network forensic analysis is a process that analyzes intrusion evidence captured from networked environment to identify suspicious entities and stepwise actions in an attack scenario. Unfortunately, the overwhelming amount and low quality of output from security sensors make it difficult for analysts to obtain a succinct high-level view of complex multi-stage intrusions. This dissertation presents a novel graph based network forensic analysis system. The evidence graph model provides an intuitive representation of collected evidence as well as the foundation for forensic analysis. Based on the evidence graph, we develop a set of analysis components in a hierarchical reasoning framework. Local reasoning utilizes fuzzy inference to infer the functional states of an host level entity from its local observations. Global reasoning performs graph structure analysis to identify the set of highly correlated hosts that belong to the coordinated attack scenario. In global reasoning, we apply spectral clustering and Pagerank methods for generic and targeted investigation respectively. An interactive hypothesis testing procedure is developed to identify hidden attackers from non-explicit-malicious evidence. Finally, we introduce the notion of target-oriented effective event sequence (TOEES) to semantically reconstruct stealthy attack scenarios with less dependency on ad-hoc expert knowledge. Well established computation methods used in our approach provide the scalability needed to perform post-incident analysis in large networks. We evaluate the techniques with a number of intrusion detection datasets and the experiment results show that our approach is effective in identifying complex multi-stage attacks

Alert Correlation through a Multi Components Architecture

Alert correlation is a process that analyzes the raw alerts produced by one or more intrusion detection systems, reduces nonrelevant ones, groups together alerts based on similarity and causality relationships between them and finally makes aconcise and meaningful view of occurring or attempted intrusions. Unfortunately, most correlation approaches use just a few components that aim only specific correlation issues and so cause reduction in correlation rate. This paper uses a general correlation model that has already been presented in [9] and is consisted of a comprehensive set of components. Then some changes are applied in the component that is related to multi-step attack scenario to detect them better and so to improve semantic level of alerts. The results of experiments with DARPA 2000 data set obviously show the effectiveness of the proposed approach.DOI:http://dx.doi.org/10.11591/ijece.v3i4.277

Sophisticated denial-of-service attack detections through integrated architectural, OS, and appplication level events monitoring

As the first step to defend against DoS attacks, Network-based Intrusion Detection System is well explored and widely used in both commercial tools and research works. Such IDS framework is built upon features extracted from the network traffic, which are application-level features, and is effective in detecting flooding-based DoS attacks. However, in a sophisticated DoS attack, where an attacker manages to bypass the network-based monitors and launch a DoS attack locally, sniffer-based methods have difficulty in differentiating attacks with normal behaviors, since the malicious connection itself behaves in the same manner of normal connections. In this work, we study a Host-based IDS framework which integrates features from architectural and operating system (OS) levels to improve performance of sophisticated DoS intrusion detection. Network traffic collected from a campus network, and real-world exploits are used to provide a realistic evaluation

Intrusion detection system alert correlation with operating system level logs

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2009Includes bibliographical references (leaves: 63-66)Text in English; Abstract: Turkish and Englishvii, 67 leavesInternet is a global public network. More and more people are getting connected to the Internet every day to take advantage of the Internetwork connectivity. It also brings in a lot of risk on the Internet because there are both harmless and harmful users on the Internet. While an organization makes its information system available to harmless Internet users, at the same time the information is available to the malicious users as well. Most organizations deploy firewalls to protect their private network from the public network. But, no network can be hundred percent secured. This is because; the connectivity requires some kind of access to be granted on the internal systems to Internet users. The firewall provides security by allowing only specific services through it. The firewall implements defined rules to each packet reaching to its network interface. The IDS complements the firewall security by detected if someone tries to break in through the firewall or manages to break in the firewall security and tried to have access on any system in the trusted site and alerted the system administrator in case there is a breach in security. However, at present, IDSs suffer from several limitations. To address these limitations and learn network security threats, it is necessary to perform alert correlation. Alert correlation focuses on discovering various relationships between individual alerts. Intrusion alert correlation techniques correlate alerts into meaningful groups or attack scenarios for ease to understand by human analysts. In order to be sure about the alert correlation working properly, this thesis proposed to use attack scenarios by correlating alerts on the basis of prerequisites and consequences of intrusions. The architecture of the experimental environment based on the prerequisites and consequences of different types of attacks, the proposed approach correlates alerts by matching the consequence of some previous alerts and the prerequisite of some later ones with OS-level logs. As a result, the accuracy of the proposed method and its advantage demonstrated to focus on building IDS alert correlation with OS-level logs in information security systems