2 research outputs found

    Intrusion Alerts Analysis Using Attack Graphs and Clustering

    Network and information security is crucial for keeping large information infrastructures safe. Many researchers have worked on different issues to strengthen and measure the security of a network. An important problem is to model security so that analysis schemes can be applied efficiently to that model. An attack graph is a tool for modelling the security of a network that considers individual vulnerabilities in a global view in which individual hosts are interconnected. The analysis of intrusion alert information is very important for the security evaluation of a system. Because of the huge number of alerts raised by intrusion detection systems, it is difficult for security experts to analyse individual alerts. Researchers have addressed this problem by clustering individual alerts based on similarity in features such as source IP address, destination IP address, port numbers and others. In this paper, a different method for clustering intrusion alerts is proposed. Sequences of intrusion alerts are prepared by dividing all alerts according to a specified time interval. The alert sequences are treated as temporal attack graphs and are clustered using a graph clustering technique, which uses the similarity between sequences as the factor that determines their closeness. The suggested approach combines the concept of attack graphs with clustering of alert sequences using a graph clustering technique.
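The following is an added, illustrative example of the pipeline the abstract describes: window alerts by a fixed time interval, turn each window into a temporal attack graph, and cluster windows by graph similarity. It is not the paper's code; the abstract does not give the paper's graph encoding, similarity measure or clustering algorithm, so those are assumptions here: alerts are (timestamp, source, destination, signature) tuples, a window's graph is encoded as the set of directed labelled edges plus the ordered signature transitions within the window, similarity is Jaccard over those sets, and clustering is single-linkage with a fixed threshold. The sample alerts are constructed.

```python
"""Temporal attack-graph clustering of IDS alerts (illustrative, not the paper's code).

Assumptions (not stated in the abstract): an alert is (ts, src, dst, signature);
each time window becomes a graph with hosts as nodes and alerts as directed,
signature-labelled edges; the temporal order of a window is kept as the set of
consecutive signature transitions; window similarity is Jaccard over the union
of edges and transitions; clustering is single-linkage at a fixed threshold.
"""
from collections import defaultdict

# Constructed sample alerts: (epoch seconds, src_ip, dst_ip, signature).
SAMPLE_ALERTS = [
    # window 0: scan two hosts, then exploit one of them
    (0,   "10.0.0.5",  "10.0.0.20", "SCAN"),
    (10,  "10.0.0.5",  "10.0.0.21", "SCAN"),
    (30,  "10.0.0.5",  "10.0.0.20", "EXPLOIT"),
    # window 1: the same pattern repeated by the same attacker
    (65,  "10.0.0.5",  "10.0.0.20", "SCAN"),
    (70,  "10.0.0.5",  "10.0.0.21", "SCAN"),
    (95,  "10.0.0.5",  "10.0.0.20", "EXPLOIT"),
    # window 2: unrelated SSH brute force from another source
    (125, "192.0.2.9", "10.0.0.30", "SSH_BRUTE"),
    (150, "192.0.2.9", "10.0.0.30", "SSH_BRUTE"),
    # window 3: scanning that partially overlaps windows 0 and 1
    (185, "10.0.0.5",  "10.0.0.20", "SCAN"),
    (190, "10.0.0.5",  "10.0.0.22", "SCAN"),
]


def window_alerts(alerts, width):
    """Split alerts into sequences, one per `width`-second interval, in time order."""
    windows = defaultdict(list)
    for alert in alerts:
        windows[alert[0] // width].append(alert)
    return [sorted(windows[k]) for k in sorted(windows)]


def to_attack_graph(seq):
    """Encode one alert sequence as a temporal attack graph.

    Hosts are nodes; each alert is a directed edge labelled with its signature.
    The ordered signature transitions preserve the temporal structure.
    """
    edges = {("edge", src, dst, sig) for _, src, dst, sig in seq}
    sigs = [sig for _, _, _, sig in seq]
    transitions = {("next", a, b) for a, b in zip(sigs, sigs[1:])}
    return edges | transitions


def jaccard(a, b):
    """Similarity between two graphs encoded as sets (assumed measure)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_sequences(graphs, threshold):
    """Single-linkage clustering: windows with similarity >= threshold are joined."""
    parent = list(range(len(graphs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(graphs)):
        for j in range(i + 1, len(graphs)):
            if jaccard(graphs[i], graphs[j]) >= threshold:
                parent[find(i)] = find(j)

    clusters = defaultdict(list)
    for i in range(len(graphs)):
        clusters[find(i)].append(i)
    return sorted(clusters.values())


def cluster_alerts(alerts=SAMPLE_ALERTS, width=60, threshold=0.3):
    """Full pipeline: window -> temporal attack graph -> graph clustering."""
    sequences = window_alerts(alerts, width)
    graphs = [to_attack_graph(s) for s in sequences]
    return cluster_sequences(graphs, threshold)


if __name__ == "__main__":
    for cluster in cluster_alerts():
        print("cluster of windows:", cluster)
```

With the sample data, windows 0 and 1 are identical (similarity 1.0), window 3 shares one edge and one transition with them (similarity 1/3), and the brute-force window shares nothing. At a threshold of 0.3 the result is two clusters, {0, 1, 3} and {2}; raising the threshold to 0.5 separates window 3 into its own cluster, which is the knob an analyst would tune against the false-merge rate on real alert feeds.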

    Intelligent Clustering with PCA and Unsupervised Learning Algorithm in Intrusion Alert Correlation

    As security threats advance drastically, most organizations deploy multiple Network Intrusion Detection Systems (NIDSs) to optimize detection and to provide a comprehensive view of intrusion activities. However, NIDSs trigger a massive number of alerts even in a single day and overwhelm security experts. Thus, automated and intelligent clustering is important to reveal the structural correlation of alerts by grouping those with common attributes. We propose a new hybrid clustering model based on Improved Unit Range (IUR), Principal Component Analysis (PCA) and an unsupervised learning algorithm (Expectation Maximization) to aggregate similar alerts and reduce the number of alerts. We tested it against other unsupervised learning algorithms to validate the performance of the proposed model. Our empirical results on the DARPA 2000 dataset show that the proposed model gives better results in terms of clustering accuracy and processing time.