Real-time attack scenario detection via intrusion detection alert correlation

Real-time attack scenario detection via intrusion detection alert correlation

Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. The main purpose of this paper is to propose a new IDS alert correlation method to detect attack scenarios in rea...

Full description

Saved in:
Bibliographic Details
Published in:2012 9th International ISC Conference on Information Security and Cryptology pp. 95 - 102
Main Authors: Zali, Z., Hashemi, M. R., Saidi, H.
Format: Conference Proceeding
Language:English
Published: IEEE 01-09-2012
Subjects:
Alert
Alert Correlation
Algorithm design and analysis
Attack
Attack Scenario
Correlation
Graph
Intrusion
Intrusion Detection System
IP networks
Knowledge based systems
Memory management
Real-time systems
Security
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. The main purpose of this paper is to propose a new IDS alert correlation method to detect attack scenarios in real-time. The proposed method is based on causal approach due to the strength of causal methods in practice. Most of causal methods can be deployed offline but not in real-time due to time and memory limitations. In the proposed method the knowledge base of attack patterns is represented in a graph model called Causal Relations Graph. In offline, we construct some trees related to alerts probable correlations. In real-time for each received alert, we can find its correlations with previously received alerts by performing a search only in the corresponding tree. Thus processing time of each alert decreases significantly. In addition, the proposed method is immune to the deliberately slowed attacks. To verify the proposed method, it was implemented in C++ and we used DARPA2000 dataset to test it. Experimental results show the correctness of the proposed alert correlation and its efficiency with respect to the run time.
ISBN:9781467323871
146732387X
DOI:10.1109/ISCISC.2012.6408197