Abstract

Event correlation has been a widely used technique for interpreting alert logs and discovering network attacks. However, because of the scale and complexity of today's networks and attacks, the alert logs produced by modern networks are much larger in volume and harder to analyse. In this research we show that post-correlation methods, used alongside correlation, significantly improve the analysis of alert logs. We propose a new framework, A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). The post-correlation methods include a new prioritisation metric based on anomaly detection and a novel approach to clustering events using correlation knowledge. One of the key benefits of the framework is that it significantly reduces false-positive alerts and adds contextual information to true-positive alerts. We evaluated the post-correlation methods of ACSAnIA using data from a 2012 cyber range experiment carried out by industrial partners of the British Telecom Security Practice Team. In one scenario, our results show that false positives were reduced by 97%, and in another scenario by 16%. The results also showed that clustering correlated alerts aided attack detection. The proposed framework is also being developed and integrated into a pre-existing visual analytic tool developed by the British Telecom SATURN Research Team for the analysis of cyber security data.

Highlights

  • A 2013 study showed that 84% of attacked organisations had evidence of the attack in their event log files (Verizon, 2013)

  • The alert logs generated by both the Demilitarised Zone (DMZ) Intrusion Detection System (IDS) and the internal IDS are analysed by A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). (These are shown in Figure 6 as DMZ IDS and INT IDS.)

  • ACSAnIA successfully creates a margin between alerts by identifying alerts that are outliers as high priority and alerts that represent common intrusion activity as low priority.


Summary

Introduction

A 2013 study showed that 84% of attacked organisations had evidence of the attack in their event log files (Verizon, 2013). In intrusion detection, for instance, an alert indicating the exploit of a known vulnerability on a host can be correlated with the host's list of vulnerabilities; this may prove useful in validating the intrusion alert as threatening or non-threatening. IDS alerts can be grouped into high-level structures called meta-alerts. Prioritisation assigns a level of importance to each meta-alert, which aids a response system in determining the order in which IDS alerts should be addressed. Our observation from the literature is that only a small amount of research has focused on improving post-correlation methods.
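The two post-correlation steps described above, as an added worked example (this is illustrative code, not ACSAnIA's own implementation or the BT tools it is integrated with): an alert's exploited CVE is checked against the target host's known vulnerability list, then alerts are grouped into meta-alerts and each meta-alert is scored with the Local Outlier Factor so that rare behaviour is labelled high priority and common activity low priority. All hosts, CVE ids, alerts, the feature choice and the threshold are constructed sample values.

```python
"""Added worked example (not code from the ACSAnIA paper): alert validation
against a host vulnerability list, then LOF-based meta-alert prioritisation.
All data below is constructed."""
import math

# Constructed host vulnerability inventory; CVE ids are placeholders.
HOST_VULNS = {
    "10.0.0.5": {"CVE-0000-0001", "CVE-0000-0002"},
    "10.0.0.9": {"CVE-0000-0003"},
}


def validate_alert(dst_host, exploited_cve, host_vulns=HOST_VULNS):
    """Correlate an exploit alert with the target host's vulnerability list."""
    if exploited_cve in host_vulns.get(dst_host, set()):
        return "validated"      # host really is exposed to this exploit
    return "unvalidated"        # likely noise, or the inventory is stale


def make_alerts(src, dst, signature, n_events, ports):
    """Constructed raw IDS alerts: n_events from src to dst, cycling over ports."""
    return [(src, dst, signature, ports[i % len(ports)]) for i in range(n_events)]


# Four bursts of everyday web-exploit noise plus one rare port sweep.
RAW_ALERTS = (
    make_alerts("198.51.100.7", "10.0.0.5", "WEB-ATTACK generic", 100, [80])
    + make_alerts("198.51.100.8", "10.0.0.5", "WEB-ATTACK generic", 102, [80])
    + make_alerts("198.51.100.9", "10.0.0.5", "WEB-ATTACK generic", 98, [80])
    + make_alerts("198.51.100.7", "10.0.0.9", "WEB-ATTACK generic", 101, [80, 443])
    + make_alerts("203.0.113.4", "10.0.0.9", "SCAN port sweep", 40, list(range(1000, 1040)))
)


def build_meta_alerts(raw_alerts):
    """Group alerts by (src, dst, signature) into meta-alerts and describe each
    by a feature vector: (number of events, number of distinct destination ports).
    Real deployments would standardise features before distance computations."""
    groups = {}
    for src, dst, sig, port in raw_alerts:
        key = (src, dst, sig)
        events, ports = groups.get(key, (0, set()))
        groups[key] = (events + 1, ports | {port})
    return {key: (float(events), float(len(ports))) for key, (events, ports) in groups.items()}


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def local_outlier_factor(points, k=2):
    """Plain LOF (Breunig et al.): ~1 means 'as dense as its neighbours',
    much greater than 1 means the point sits in a sparser region (an outlier)."""
    names = list(points)
    neigh, kdist = {}, {}
    for p in names:
        ranked = sorted((euclid(points[p], points[o]), o) for o in names if o != p)
        neigh[p] = [o for _, o in ranked[:k]]
        kdist[p] = ranked[k - 1][0]           # distance to the k-th neighbour

    def reach(p, o):                          # reachability distance of p from o
        return max(kdist[o], euclid(points[p], points[o]))

    lrd = {p: k / sum(reach(p, o) for o in neigh[p]) for p in names}  # local reachability density
    return {p: sum(lrd[o] / lrd[p] for o in neigh[p]) / k for p in names}


def prioritise_meta_alerts(raw_alerts, k=2, threshold=2.0):
    """Return meta-alerts as (key, features, lof, priority), highest LOF first.
    The threshold is a constructed choice; the paper's own setting is not given here."""
    feats = build_meta_alerts(raw_alerts)
    lof = local_outlier_factor(feats, k)
    ranked = sorted(feats, key=lambda key: lof[key], reverse=True)
    return [(key, feats[key], lof[key], "HIGH" if lof[key] >= threshold else "LOW")
            for key in ranked]


if __name__ == "__main__":
    print(validate_alert("10.0.0.5", "CVE-0000-0001"))   # validated
    print(validate_alert("10.0.0.5", "CVE-0000-0009"))   # unvalidated
    for key, feats, score, prio in prioritise_meta_alerts(RAW_ALERTS):
        print(f"{prio:4} lof={score:6.2f} features={feats} {key}")
```

With the constructed data the four web-exploit meta-alerts score close to 1 and are labelled LOW, while the port sweep scores well above the threshold and is the only HIGH entry, which is the margin between outliers and common activity that the highlights describe.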

  • Contributions
  • Related Work
  • Background on Alert Analysis
  • Architecture of the Proposed System
  • Offline Correlation
  • Online Correlation
  • Meta-alert Prioritisation
  • LOF Priority
  • Meta-alert Clustering
  • Attack Pattern Discovery
  • Alert Prioritisation Quality
  • Cluster Quality
  • Attack 1 – Main Network DMZ
  • Results
  • Offsite attacker uses vulnerable machine to explore internal network
  • Summary
  • Future Work