Abstract

With the rapid development of the internet, network intrusion has become a focus of study for scholars and security enterprises. As an important device for detecting and analyzing malicious behaviors in networks, IDS (Intrusion Detection Systems) are widely deployed in enterprises and organizations and play a very important role in cyberspace security. The massive log data produced by IDS not only contains information about intrusion behaviors but also contains potential intrusion patterns. Through normalizing, correlating, and modeling the data, we can obtain the patterns of different intrusion scenarios. Based on previous work in the area of alert correlation and analysis, this paper proposes a framework named IACF (Intrusion Action Based Correlation Framework), which improves the processes of alert aggregation, action extraction, and scenario discovery, and applies a novel method for extracting intrusion sessions based on temporal metrics. The proposed framework uses a new grouping method for raw alerts based on the concept of intrinsic strong correlations, rather than the conventional time windows and hyper alerts. To discover highly stable correlations between actions, redundant actions and action link modes are removed from sessions by a pruning algorithm, which reduces the impact of false positives. Finally, a correlation graph is constructed by fusing the pruned sessions, and based on this graph a method for predicting future attacks is proposed. The experimental results show that the framework is efficient in alert correlation and intrusion scenario construction.
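The pipeline the abstract describes (aggregate raw alerts into actions, cut sessions by temporal distance rather than a fixed time window, prune weakly supported links, fuse sessions into a correlation graph, predict the next action), as an added illustrative implementation that is not the paper's IACF code. The grouping key used for "intrinsic strong correlation", the thresholds, the signature names and the sample alerts are all assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed IDS alerts per (attacker, target): three attackers repeat a
# scan -> brute force -> escalation chain; .7 adds a one-off ping, .8 returns later.
RAW = {("10.0.0.5", "10.0.1.9"): [(0, "PORT_SCAN"), (1, "PORT_SCAN"), (2, "PORT_SCAN"),
                                  (40, "SSH_BRUTE"), (41, "SSH_BRUTE"), (90, "PRIV_ESC")],
       ("10.0.0.7", "10.0.1.9"): [(5, "PORT_SCAN"), (50, "SSH_BRUTE"), (70, "ICMP_PING"),
                                  (100, "PRIV_ESC")],
       ("10.0.0.8", "10.0.1.3"): [(10, "PORT_SCAN"), (60, "SSH_BRUTE"), (120, "PRIV_ESC"),
                                  (5000, "PORT_SCAN")]}
ALERTS = [(t, src, dst, sig) for (src, dst), seq in RAW.items() for t, sig in seq]

def aggregate_actions(alerts, gap=10):
    # Burst of identical (src, dst, sig) alerts <= gap s apart -> one action (assumed key).
    actions, last = [], {}
    for ts, src, dst, sig in sorted(alerts):
        key, i = (src, dst, sig), last.get((src, dst, sig))
        if i is not None and ts - actions[i][2] <= gap:
            actions[i][2] = ts                      # extend the burst's last-seen time
        else:
            last[key] = len(actions)
            actions.append([ts, key, ts])           # [first_seen, key, last_seen]
    return [(first, key) for first, key, _ in actions]

def build_sessions(actions, timeout=600):
    # One attacker/target pair per session, split where actions are > timeout s apart.
    sessions, open_by_pair = [], {}
    for ts, (src, dst, sig) in sorted(actions):
        cur = open_by_pair.get((src, dst))
        if cur is None or ts - cur[0] > timeout:
            cur = open_by_pair[(src, dst)] = [ts, []]   # [last_seen, action list]
            sessions.append(cur[1])
        cur[0] = ts
        cur[1].append(sig)
    return sessions

def build_graph(sessions, min_support=2):
    # Fuse sessions into action links a -> b; prune links seen < min_support times as noise.
    counts = defaultdict(int)
    for s in sessions:
        for a, b in zip(s, s[1:]):
            counts[(a, b)] += 1
    kept = {k: n for k, n in counts.items() if n >= min_support}
    total = lambda a: sum(n for (x, _), n in kept.items() if x == a)
    return {(a, b): n / total(a) for (a, b), n in kept.items()}  # transition probability

def predict_next(graph, last_action):
    # Rank likely follow-up actions after `last_action`, most probable first.
    succ = [(b, p) for (a, b), p in graph.items() if a == last_action]
    return sorted(succ, key=lambda bp: -bp[1])
```

With `min_support=2` the one-off ICMP link disappears from the graph, so a prediction after `SSH_BRUTE` points only at `PRIV_ESC`; lowering the support threshold keeps the noisy branch with its lower probability.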

Highlights

  • With the rising consciousness of information security, people have paid more attention to network security and established basic network security software and hardware infrastructures, such as IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), firewalls, and professional security systems, e.g. EWS (Early Warning Systems).

  • For large organizations, massive numbers of alerts are generated every day.

  • NIDS (Network Intrusion Detection Systems), which focus on analyzing and matching packet-level anomalies, can hardly discover the relations between packets sent by the same attacker because of the shortage of context information; as a result, it is difficult to give a whole view of multistep attacks.


Summary

INTRODUCTION

With the rising consciousness of information security, people have paid more attention to network security and established basic network security software and hardware infrastructures, such as IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), firewalls, and professional security systems, e.g. EWS (Early Warning Systems). The rest of this paper is organized as follows: Section 2 summarizes the related work in this field; Section 3 introduces the details of the proposed framework, along with the methods for intrusion action extraction, session rebuilding, and correlation graph construction; Section 4 reports the results of the evaluation experiments for the framework and algorithms.

INTRUSION ACTION EXTRACTION

Much of the literature calculates the association strength between alerts or hyper-alerts by similarity-based or data-mining-related technologies. Most of these methods are statistical: they discover frequent items and calculate a confidence factor to measure association strength.

INTRUSION SESSION PRUNING
INTRUSION PREDICTION
IMPLEMENTATION AND EVALUATION
CONCLUSION
