Abstract- Malicious attacks by intruders and hackers exploit flaws and weaknesses in deployed systems through several sophisticated techniques. Consequently, automated detection and timely response systems such as Network Intrusion Detection Systems (NIDS) are urgently needed to detect abnormal activities by monitoring network traffic and system events. Current NIDS implementations generate huge volumes of alerts that overwhelm the security analyst and make event observation tedious. Hence, an alert correlation and aggregation technique is proposed to provide a complementary analysis that links elementary alerts and provides a more global view of an intrusion. We have proposed a framework for alert correlation that discovers the logical relationships between atomic alerts potentially belonging to multi-stage attacks and removes data redundancy. The correlation process is modularized based on an extension of the properties and characteristics of the requires/provides model. The aggregation of alerts is based on graph reduction techniques that remove duplicates from the vertex set and migrate the connecting edges to a nominated node. The resulting attack graph consists of nodes representing aggregated alerts and edges representing the causal relationships. The experimental results show an efficient capability to detect attack scenarios and to reduce the number of generated security alerts.
Keywords-Intrusion detection systems; Alert correlation; Alert aggregation; Multi-stage attack
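The abstract describes two steps: correlation, which links an alert A to a later alert B when a consequence that A provides matches a prerequisite that B requires, and aggregation, which collapses duplicate vertices into one nominated node and migrates their edges to it. The following is an added example, not the paper's own code, showing both steps end to end on a small set of constructed alerts; the alert type names, the requires/provides knowledge base, the duplicate window and the sample addresses are all assumptions made for illustration.

```python
"""Added example (not the paper's code): a minimal requires/provides alert
correlator followed by duplicate-vertex aggregation.

The knowledge base, alert types, predicate names and sample alerts are
constructed for illustration only and are not taken from any real NIDS."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    aid: int      # alert id as emitted by the sensor
    atype: str    # signature / alert type
    src: str      # source host
    dst: str      # destination host
    ts: int       # timestamp in seconds


# Constructed requires/provides knowledge base: type -> (requires, provides).
# Predicates are templates over the alert's own src/dst; instantiating them
# binds the concrete hosts so that matching happens per host, not per type.
KB = {
    "port_scan":      ([],                          ["knows_services({dst})"]),
    "remote_exploit": (["knows_services({dst})"],   ["compromised({dst})"]),
    "reverse_shell":  (["compromised({src})"],      ["control_channel({src})"]),
    "outbound_scan":  (["compromised({src})"],      ["knows_services({dst})"]),
}


def instantiate(templates, a):
    """Bind predicate templates to the hosts of alert `a`."""
    return {t.format(src=a.src, dst=a.dst) for t in templates}


def correlate(alerts):
    """Raw correlation: edge A -> B when A precedes B and some predicate that
    A provides is one that B requires."""
    edges = set()
    by_time = sorted(alerts, key=lambda x: x.ts)
    for i, a in enumerate(by_time):
        prov = instantiate(KB.get(a.atype, ([], []))[1], a)
        for b in by_time[i + 1:]:
            req = instantiate(KB.get(b.atype, ([], []))[0], b)
            if prov & req:
                edges.add((a.aid, b.aid))
    return edges


def aggregate(alerts, window=60):
    """Collapse alerts with the same (type, src, dst) seen within `window`
    seconds of the nominated (earliest) representative into one vertex."""
    reps = []      # list of [representative Alert, duplicate count]
    mapping = {}   # original aid -> nominated aid
    for a in sorted(alerts, key=lambda x: x.ts):
        for entry in reps:
            r = entry[0]
            if (r.atype, r.src, r.dst) == (a.atype, a.src, a.dst) and a.ts - r.ts <= window:
                entry[1] += 1
                mapping[a.aid] = r.aid
                break
        else:
            reps.append([a, 1])
            mapping[a.aid] = a.aid
    return reps, mapping


def build_attack_graph(alerts, window=60):
    """Correlate, then migrate every edge onto the nominated vertices,
    dropping self-loops and duplicate edges that the merge creates."""
    reps, mapping = aggregate(alerts, window)
    raw_edges = correlate(alerts)
    edges = {(mapping[u], mapping[v]) for u, v in raw_edges if mapping[u] != mapping[v]}
    nodes = {r.aid: (r.atype, r.src, r.dst, n) for r, n in reps}
    return nodes, edges


def attack_scenarios(nodes, edges):
    """Enumerate root-to-leaf paths of the reduced graph; each path is one
    candidate multi-stage scenario, an isolated node is a single-step alert."""
    succ = {}
    for u, v in edges:
        succ.setdefault(u, []).append(v)
    has_pred = {v for _, v in edges}
    paths = []

    def walk(n, path):
        nxt = sorted(succ.get(n, []))
        if not nxt:
            paths.append(path)
        for m in nxt:
            walk(m, path + [m])

    for root in sorted(n for n in nodes if n not in has_pred):
        walk(root, [root])
    return paths


# Constructed sample alerts: a scan repeated three times, an exploit of the
# scanned host, a reverse shell and an internal scan from it, plus one
# unrelated scan elsewhere.
SAMPLE = [
    Alert(1, "port_scan",      "10.0.0.5",     "192.168.1.10", 0),
    Alert(2, "port_scan",      "10.0.0.5",     "192.168.1.10", 5),
    Alert(3, "port_scan",      "10.0.0.5",     "192.168.1.10", 9),
    Alert(4, "remote_exploit", "10.0.0.5",     "192.168.1.10", 30),
    Alert(5, "reverse_shell",  "192.168.1.10", "10.0.0.5",     45),
    Alert(6, "outbound_scan",  "192.168.1.10", "192.168.1.20", 60),
    Alert(7, "port_scan",      "172.16.0.9",   "192.168.1.30", 40),
]

if __name__ == "__main__":
    nodes, edges = build_attack_graph(SAMPLE)
    print(len(SAMPLE), "alerts ->", len(nodes), "nodes,", len(edges), "edges")
    for path in attack_scenarios(nodes, edges):
        print(" -> ".join(f"{nodes[n][0]}(x{nodes[n][3]})" for n in path))
```

On the sample input the seven alerts reduce to five vertices and the five raw correlation edges (three of them from the duplicate scans) to three, yielding two scenarios through the compromised host plus the isolated unrelated scan. Matching on instantiated predicates rather than on alert types is what keeps the unrelated scan from being linked to the exploit.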
I. INTRODUCTION
Malicious attacks by intruders and hackers exploit flaws and weaknesses in deployed systems. This is done through several sophisticated techniques that cannot be prevented by traditional measures. Hackers are shifting their focus from seeking fame with widely advertised attacks to profit-oriented activities. The current trends in cyber attacks are hidden, slow-and-low, and coordinated. NIDS are considered important security tools for defending against such threats. The effectiveness of any NIDS depends on its ability to recognize different variations of cyber attacks. Current implementations of intrusion detection systems (commercial and open-source) employ signature-based detection in addition to a few simple statistical analysis techniques. The main task of signature-based systems is to inspect the network traffic and perform pattern matching to detect attacks and generate alerts. A huge number of alerts are generated every day, stressing the administrator, and an actual threat may be overlooked as a result. The quality of these alerts is debatable, particularly if the majority are false positives. For this reason, high-level and real-time analysis techniques are needed. This...