HSING-KUO PAO1, CHING-HAO MAO2, HAHN-MING LEE1,3, CHI-DONG CHEN1 AND CHRISTOS FALOUTSOS4
1Department of Computer Science and Information Engineering
National Taiwan University of Science and Technology
Taipei, 106 Taiwan
2Institute for Information Industry
Taipei, 106 Taiwan
3Institute of Information Science
Academia Sinica
Taipei, 115 Taiwan
4Department of Computer Science
Carnegie Mellon University
Pittsburgh, 15232 U.S.A.
We propose a graphical signature for intrusion detection given alert sequences. By
correlating alerts by their temporal proximity, we build a probabilistic graph-based
model that describes a group of alerts forming an attack or normal behavior. Using these
models, we design a pairwise measure based on manifold learning to quantify the dissimilarity
between different groups of alerts: a large dissimilarity implies different behaviors
in the two groups of alerts. Such a measure can therefore be combined with
regular classification methods for intrusion detection. The proposed method makes the
following contributions: (a) it automatically identifies groups of alerts that occur frequently;
(b) it summarizes them into a suspicious sequence of activity, representing them with
graph structures; (c) it suggests a novel graph-based dissimilarity measure. We evaluate
our framework mainly on Acer 2007, a private dataset gathered from a well-known Security
Operation Center in Taiwan. The performance on the real data suggests that the proposed
method achieves high detection performance in attack coverage and tolerates
attack variations. Because the method needs no private information as input, it is easy to
plug into an existing system such as an intrusion detector. Moreover, the graphical structures
and the representation from manifold learning naturally provide a visualization
suitable for further analysis by domain experts.
Received July 16, 2010; revised December 1, 2010; accepted February 23, 2011.
Communicated by Tyng-Luh Liu.
* This work was supported in part by the Taiwan Information Security Center (TWISC), National Science
Council, Taiwan under Grants No. NSC 99-2219-E-011-004, NSC-99-2218-E-011-018 and NSC 99-2221-E-011-075-MY3.
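As an added illustration (not the authors' code and not the paper's exact model), the following Python groups a constructed alert stream by temporal proximity, builds a transition-probability graph over alert signatures for each stream, and compares two such graphs. The 30-second grouping window is an assumed parameter, and the averaged total-variation distance is a simple stand-in for the paper's manifold-learning dissimilarity.

```python
from collections import defaultdict, Counter

# Constructed sample streams of (timestamp_seconds, alert_signature); not real SOC data.
ALERTS_A = [(0, "scan"), (5, "scan"), (9, "bruteforce"), (12, "login_ok"),
            (200, "scan"), (204, "bruteforce"), (207, "login_ok")]
ALERTS_B = [(0, "scan"), (3, "scan"), (7, "scan"), (300, "scan"), (302, "scan")]

def group_by_proximity(alerts, window=30):
    """Split a time-ordered alert stream into groups: a new group starts
    whenever the gap to the previous alert exceeds `window` seconds (assumed)."""
    groups, current, last_t = [], [], None
    for t, sig in sorted(alerts):
        if last_t is not None and t - last_t > window:
            groups.append(current)
            current = []
        current.append(sig)
        last_t = t
    if current:
        groups.append(current)
    return groups

def transition_graph(groups):
    """Probabilistic graph: nodes are alert signatures, edge weights are
    P(next | current) estimated from consecutive alerts inside each group."""
    counts = defaultdict(Counter)
    for g in groups:
        for a, b in zip(g, g[1:]):
            counts[a][b] += 1
    graph = {}
    for a, nxt in counts.items():
        total = sum(nxt.values())
        graph[a] = {b: c / total for b, c in nxt.items()}
    return graph

def graph_dissimilarity(g1, g2):
    """Stand-in for the paper's measure: average total-variation distance between
    the outgoing-probability distributions of each node (missing node = no edges)."""
    nodes = set(g1) | set(g2)
    total = 0.0
    for n in nodes:
        d1, d2 = g1.get(n, {}), g2.get(n, {})
        keys = set(d1) | set(d2)
        total += 0.5 * sum(abs(d1.get(k, 0.0) - d2.get(k, 0.0)) for k in keys)
    return total / len(nodes) if nodes else 0.0

def compare_streams(alerts_x, alerts_y, window=30):
    """Full pipeline: proximity grouping -> graph model -> pairwise dissimilarity."""
    gx = transition_graph(group_by_proximity(alerts_x, window))
    gy = transition_graph(group_by_proximity(alerts_y, window))
    return graph_dissimilarity(gx, gy)
```

A small dissimilarity (zero when a stream is compared with itself) indicates the same behavior pattern, while the scan-only stream B scores clearly apart from the scan/bruteforce/login chain in A.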