Alert correlation

With the increasingly widespread deployment of security mechanisms, such as firewalls, intrusion detection systems (IDSs), antivirus software and authentication services, the problem of alert analysis has become very important. The large amount of alerts can overwhelm security administrators and prevent them from adequately understanding and analyzing the security state of the network, and initiating appropriate response in a timely fashion. Recently, several approaches for alert correlation and attack scenario analysis have been proposed. However, these approaches all have limited capabilities in detecting new attack scenarios. In this paper, we study the problem of security alert correlation with an emphasis on attack scenario analysis. In our framework, we use clustering techniques to process low-level alert data into high-level aggregated alerts, and conduct causal analysis based on statistical tests to discover new relationships among attacks. Our statistical causality approach complements other approaches that use hard-coded prior knowledge for pattern matching. We perform a series of experiments to validate our method using DARPA’s Grand Challenge Problem (GCP) datasets and the DEF CON 9 datasets. The results show that our approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated.

ABSTRACT Digital control systems are essential to the safe and efficient operation of a variety of industrial processes in sectors such as electric power, oil and gas, water treatment, and manufacturing. Modern control systems are increasingly connected to other control systems as well as to corporate systems. They are also increasingly adopting networking technology and system and application software from conventional enterprise systems. These trends can make control systems vulnerable to cyber attack, which in the case of control systems may impact physical processes causing environmental harm or injury. We present some results of the DATES (Detection and Analysis of Threats to the Energy Sector) project, wherein we adapted and developed several intrusion detection technologies for control systems. The suite of detection technologies was integrated and connected to a commercial security event correlation framework from ArcSight. We demonstrated the efficacy of our detection and correlation solution on two coupled testbed environments. We particularly focused on detection, correlation, and visualization of a network traversal attack, where an attacker penetrates successive network layers to compromise critical assets that directly control the underlying process. Such an attack is of particular concern in the layered architectures typical of control system implementations.

ABSTRACT Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be ...

Summary With the growing deployment of networks and the Internet, the importance of network security has increased. Recently, however, systems that detect intrusions, which are important in security countermeasures, have been unable to provide proper analysis or an effective defense mechanism. Instead, they have overwhelmed human operators with a large volume of intrusion detection alerts. In this paper, we present an alert correlation technique based on causal relationships between alerts. The goal of the proposed technique is not only to group alerts together, but also to represent the correlated alerts in a way that they reflect the corresponding attack scenarios.

Managing and analyzing a huge number of low-level alerts is very difficult and exhausting for network administrators. Alert correlation methods have been proposed to decrease the number of alerts and make them more intelligible. Proposed methods for alert correlation are different in terms of their performance, accuracy and adaptivity. We present a new hybrid model not only to correlate alerts

The number of crime committed based on the malware intrusion is never ending as the number of malware variants is growing tremendously and the usage of internet is expanding globally. Malicious codes easily obtained and use as one of weapon to gain their objective illegally. Hence, in this research, diverse logs from different OSI layer are explored to identify the traces left on the attacker and victim logs in order to establish worm trace pattern to defending against the attack and help revealing true attacker or victim. For the purpose of this paper, it focused on malware intrusion and traditional worm namely sasser worm variants. The concept of trace pattern is created by fusing the attacker's and victim's perspective. Therefore, the objective of this paper is to propose a general worm trace pattern for attacker's, victim's and multi-step (attacker/victim)'s by combining both perspectives. These three proposed worm trace patterns can be extended into research areas in alert correlation and computer forensic investigation.

By virtue of these different ap-proaches, each correlator is capable of reasoning about a distinct portion of the overall attack space. Notionally, correlators can cover, possibly overlapping, portions of an attack space. Collectively they can provide useful infor-mation over a broader array ...

The number of malware variants is growing tremendously and the study of malware attacks on the Internet is still a demanding research domain. In this research, various logs from different OSI layer are explore to identify the traces leave on the attacker and victim logs, and the attack worm trace pattern are establish in order to reveal true attacker or victim. For the purpose of this paper, it will only concentrate on cybercrime that caused by malware network intrusion and used the traditional worm namely blaster worm variants. This research creates the concept of trace pattern by fusing the attackers and victims perspective. Therefore, the objective of this paper is to propose on attackers, victims and multistep, attacker or victim, trace patterns by combining both perspectives. These three proposed worm trace patterns can be extended into research areas in alert correlation and computer forensic investigation.

The traditional worms such as Blaster, Code Red, Slammer and Sasser, are still infecting vulnerable machines on the internet. They will remain as significant threats due to their fast spreading nature on the internet. Various traditional worms attack pattern has been analyzed from various logs at different OSI layers such as victim logs, attacker logs and IDS alert log. These worms attack pattern can be abstracted to form worms' attack model which describes the process of worms' infection. For the purpose of this paper, only Blaster variants were used during the experiment. This paper proposes a multi-step worm attack model which can be extended into research areas in alert correlation and computer forensic investigation.

We present in this paper a decentralized architecture to correlate alerts between cooperative nodes in a secure multicast infrastructure. The purpose of this architecture is to detect and prevent the use of network resources to perform coordinated attacks against third party networks. By means of a cooperative scheme based on message passing, the different nodes of this system will collaborate to detect its participation on a coordinated attack and will react to avoid it. An overview of the implementation of this architecture for GNU/Linux systems will demonstrate the practicability of the system.

In this paper we analyze the use of different types of statistical tests for the correlation of anomaly detection alerts. We show that the Granger Causality Test, one of the few proposals that can be extended to the anomaly detection domain, strongly depends on good choices of a parameter which proves to be both sensitive and difficult to estimate. We

Abstract: Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence,
is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such
analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts
included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation
algorithms which attempt to minimize the impact of this attack.

Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability . We use capability to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator....

Juan Manuel Madrid, Luis Eduardo Múnera, Carlos Andrey Montoya, Juan David Osorio, Luis Ernesto Cárdenas ICT Department Universidad Icesi Cali, Colombia ... Rodrigo Bedoya Cristian Latorre Sistemas TGR, SA Cali, Colombia ... Abstract—Security consoles are among the ...

One of the most important challenges facing the intrusion detection systems (IDSs) is the huge number of generated alerts. A system administrator will be overwhelmed by these alerts in such a way that she/he cannot manage and use the alerts. The best-known solution is to correlate low-level alerts into a higher level attack and then produce a high-level alert for them. In this paper a new automated alert correlation approach is presented. It employs Fuzzy Logic and Artificial Immune System (AIS) to discover and learn the degree of correlation between two alerts and uses this knowledge to extract the attack scenarios. The proposed system doesn't need vast domain knowledge or rule definition efforts. To correlate each new alert with previous alerts, the system first tries to find the correlation probability based on its fuzzy rules. Then, if there is no matching rule with the required matching threshold, it uses the AIRS algorithm. The system is evaluated using DARPA 2000 dataset ...

To defend against multi-step intrusions in high-speed networks, efficient algorithms are needed to correlate isolated alerts into attack scenarios. Existing correlation methods usually employ an in-memory index for fast searches among received alerts. With finite memory, the index can only be built on a limited number of alerts inside a sliding window. Knowing this fact, an attacker can prevent two attack steps from both falling into the sliding window by either passively delaying the second step or actively injecting bogus alerts ...

Protecting and assuring confidential information on the internet is a crucial need. Many organizations have installed multiple security sensors for complete monitoring and detection (for example the deployment of network-based Intrusion Detection Systems (NIDSs) in a distributed network). In effect, an enormous number of alerts are generated in a different kind of formats. This overburden the Security Analyst (SA) to conduct manual alert correlation (AC) since it would be tedious, labour intensive and worst, error prone. One of the important tasks in the AC is recognizing the causes of the alerts. Therefore, in this paper we propose a new AC approach that based on classification method in order to recognize the causes of known and new incoming alerts. The classification is designed using hybridization of statistical Improved Unit Range (IUR) to scale the alerts, Principal Component Analysis (PCA) to reduce the dimensionality of raw alerts, and Levenberg-Marquardt (LM) Backpropagatio...

Worm detection systems have traditionally used global strategies and focused on scan rates. The noise associated with this approach requires statistical techniques and large data sets (e.g., 220 monitored machines) to yield timely alerts and avoid false positives. Worm detection techniques for smaller local networks have not been fully explored. We consider how local networks can provide early detection and compliment global monitoring strategies. We describe HoneyStat, which uses modified honeypots to generate a highly accurate alert stream with low false positive rates. Unlike traditional highly-interactive honeypots, HoneyStat nodes are script-driven, automated, and cover a large IP space. The HoneyStat nodes generate three classes of alerts: memory alerts (based on buffer overflow detection and process management), disk write alerts (such as writes to registry keys and critical files) and network alerts. Data collection is automated, and once an alert is issued, a time segment of previous traffic to the node is analyzed. A logit analysis determines what previous network activity explains the current honeypot alert. The result can indicate whether an automated or worm attack is present. We demonstrate HoneyStat’s improvements over previous worm detection techniques. First, using trace files from worm attacks on small networks, we demonstrate how it detects zero day worms. Second, we show how it detects multi vector worms that use combinations of ports to attack. Third, the alerts from HoneyStat provide more information than traditional IDS alerts, such as binary signatures, attack vectors, and attack rates. We also use extensive (year long) trace files to show how the logit analysis produces very low false positive rates.

Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. Several complementary alert correlation methods have been proposed to address this problem. As one of these methods, we have developed a framework to correlate intrusion alerts using prerequisites of intrusions. In this paper, we continue this work to study the feasibility of this method in analyzing real-world, intensive intrusions. In particular, we develop three utilities (called adjustable graph reduction, focused analysis, and graph decomposition) to facilitate the analysis of large sets of correlated alerts. We study the effectiveness of the alert correlation method and these utilities through a case study with the network traffic captured at the DEF CON 8 Capture the Flag (CTF) event. Our results show that these utilities can simplify the analysis of large amounts of alerts, and also reveals several attack strategies that were repeatedly used in the DEF CON 8 CTF event.