Abstract
Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. The main purpose of this paper is to propose a new IDS alert correlation method to detect attack scenarios in real-time. The proposed method is based on causal approach due to the strength of causal methods in practice. Most of causal methods can be deployed offline but not in real-time due to time and memory limitations. In the proposed method the knowledge base of attack patterns is represented in a graph model called Causal Relations Graph. In offline, we construct some trees related to alerts probable correlations. In real-time for each received alert, we can find its correlations with previously received alerts by performing a search only in the corresponding tree. Thus processing time of each alert decreases significantly. In addition, the proposed method is immune to the deliberately slowed attacks. To verify the proposed method, it was implemented in C++ and we used DARPA2000 dataset to test it. Experimental results show the correctness of the proposed alert correlation and its efficiency with respect to the run time.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
