
Journal of Information Science and Engineering, Vol. 28 No. 2, pp. 243-262 (March 2012)

An Intrinsic Graphical Signature Based on Alert Correlation Analysis for Intrusion Detection*

HSING-KUO PAO1, CHING-HAO MAO2, HAHN-MING LEE1,3, CHI-DONG CHEN1 AND CHRISTOS FALOUTSOS4
1Department of Computer Science and Information Engineering
National Taiwan University of Science and Technology
Taipei, 106 Taiwan
2Institute for Information Industry
Taipei, 106 Taiwan
3Institute of Information Science
Academia Sinica
Taipei, 115 Taiwan
4Department of Computer Science
Carnegie Mellon University
Pittsburgh, 15232 U.S.A.

We propose a graphical signature for intrusion detection given alert sequences. By correlating alerts by their temporal proximity, we build a probabilistic graph-based model that describes a group of alerts forming either an attack or normal behavior. Using these models, we design a pairwise measure based on manifold learning that quantifies the dissimilarity between different groups of alerts: a large dissimilarity implies that the two groups exhibit different behaviors. Such a measure can therefore be combined with standard classification methods for intrusion detection. The proposed method makes the following contributions: (a) it automatically identifies groups of alerts that occur frequently; (b) it summarizes them into a suspicious sequence of activity, represented as graph structures; (c) it suggests a novel graph-based dissimilarity measure. We evaluate our framework mainly on Acer 2007, a private dataset gathered from a well-known Security Operation Center in Taiwan. The performance on this real data suggests that the proposed method achieves high attack coverage and tolerates variations of an attack. Because the method needs no private information as input, it is easy to plug into an existing system such as an intrusion detector. Moreover, the graph structures and the manifold-learning representation naturally yield visualizations suitable for further analysis by domain experts.
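The pipeline sketched in the abstract, as an added illustration that is not the paper's code: alerts are grouped by temporal proximity, each group is summarized as a first-order Markov transition graph over alert types, and groups are compared pairwise. The alert stream, the session gap of 60 seconds and the alert type names are constructed for the example; the paper's manifold-learning (Isomap-based) dissimilarity is replaced here by a plain L1 distance between transition matrices, which is enough to show that two variants of the same scan/brute-force/login sequence land closer to each other than either does to unrelated traffic.

```python
"""Added example, not code from the paper. Sessionize alerts by temporal
proximity, build a Markov transition graph per session, and compare sessions.
The dissimilarity below is a plain L1 distance between transition matrices,
standing in for the paper's manifold-learning measure."""

from collections import defaultdict
from itertools import combinations

# Constructed sample alerts: (timestamp in seconds, alert type). Not real SOC data.
# Sessions 1 and 2 are two variants of the same scan -> brute-force -> login
# pattern; session 3 is unrelated web traffic.
ALERTS = [
    (0, "SCAN"), (5, "SCAN"), (12, "BRUTE"), (20, "BRUTE"), (25, "LOGIN"),
    (1000, "SCAN"), (1004, "SCAN"), (1009, "BRUTE"), (1018, "LOGIN"),
    (5000, "HTTP"), (5003, "HTTP"), (5010, "HTTP"),
]


def sessionize(alerts, gap):
    """Group alerts by temporal proximity: a new session starts whenever the
    time since the previous alert exceeds `gap` seconds (assumed threshold)."""
    sessions = []
    current = []
    last_t = None
    for t, alert in sorted(alerts):
        if last_t is not None and t - last_t > gap:
            sessions.append(current)
            current = []
        current.append(alert)
        last_t = t
    if current:
        sessions.append(current)
    return sessions


def transition_graph(session):
    """First-order Markov chain over alert types: P(next=b | current=a),
    estimated by counting consecutive alert pairs within one session.
    Returned as {a: {b: probability}} (edges of the correlation graph)."""
    counts = defaultdict(lambda: defaultdict(int))
    for a, b in zip(session, session[1:]):
        counts[a][b] += 1
    graph = {}
    for a, successors in counts.items():
        total = sum(successors.values())
        graph[a] = {b: c / total for b, c in successors.items()}
    return graph


def dissimilarity(g1, g2):
    """L1 distance between two transition matrices over the union of their
    states; 0 means identical transition structure. This is a simple stand-in
    for the paper's manifold-learning dissimilarity, not the paper's measure."""
    states = set(g1) | set(g2)
    for g in (g1, g2):
        for successors in g.values():
            states |= set(successors)
    d = 0.0
    for a in states:
        for b in states:
            d += abs(g1.get(a, {}).get(b, 0.0) - g2.get(a, {}).get(b, 0.0))
    return d


def pairwise_dissimilarities(sessions):
    """Dissimilarity for every pair of sessions, keyed by (i, j) with i < j.
    A classifier or a visual embedding can be built on top of this matrix."""
    graphs = [transition_graph(s) for s in sessions]
    return {(i, j): dissimilarity(graphs[i], graphs[j])
            for i, j in combinations(range(len(graphs)), 2)}


if __name__ == "__main__":
    sessions = sessionize(ALERTS, gap=60)
    for i, s in enumerate(sessions):
        print(i, s, transition_graph(s))
    for pair, d in sorted(pairwise_dissimilarities(sessions).items()):
        print(pair, round(d, 3))
```

With the constructed input the two scan/brute-force/login sessions differ only in the `BRUTE` row (one repeats `BRUTE` before `LOGIN`, the other does not), giving a distance of 1.0 between them, while each is at distance 3.0 from the `HTTP` session; the attack variant is therefore still recognized as the same behavior, which is the tolerance to attack variations the abstract refers to.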

Keywords: intrusion detection, alert correlation, correlation graph, attack graph, dissimilarity measure, Markov chain, data driven, Isomap, manifold learning

Full text: 201203_02.pdf

Received July 16, 2010; revised December 1, 2010; accepted February 23, 2011.
Communicated by Tyng-Luh Liu.
* This work was supported in part by the Taiwan Information Security Center (TWISC), National Science Council, Taiwan under Grants No. NSC 99-2219-E-011-004, NSC-99-2218-E-011-018 and NSC 99-2221-E-011-075-MY3.