An Intrinsic Graphical Signature Based on Alert Correlation Analysis for Intrusion Detection


Bibliographic Details
Published in: Journal of Information Science and Engineering, Vol. 28, No. 2, pp. 243-262
Main Authors: 鮑興國 (Hsing-Kuo Pao), 毛敬豪 (Ching-Hao Mao), 李漢銘 (Hahn-Ming Lee), 陳啟東 (Chi-Dong Chen), Christos Faloutsos
Format: Journal Article
Language: English
Published: Taipei, 社團法人中華民國計算語言學學會 (Association for Computational Linguistics and Chinese Language Processing), 01.03.2012
Institute of Information Science, Academia Sinica
ISSN: 1016-2364
DOI: 10.6688/JISE.2012.28.2.2

Summary: We propose a graphical signature for intrusion detection given alert sequences. By correlating alerts by their temporal proximity, we build a probabilistic graph-based model that describes a group of alerts forming an attack or normal behavior. Using these models, we design a pairwise measure based on manifold learning to quantify the dissimilarity between different groups of alerts. A large dissimilarity implies that the two groups of alerts represent different behaviors. Such a measure can therefore be combined with regular classification methods for intrusion detection. The proposed method makes the following contributions: (a) it automatically identifies groups of alerts that occur frequently; (b) it summarizes them into a suspicious sequence of activity, represented as a graph structure; (c) it suggests a novel graph-based dissimilarity measure. We evaluate our framework mainly on Acer 2007, a private dataset gathered from a well-known Security Operation Center in Taiwan. The performance on the real data suggests that the proposed method achieves high detection performance in attack coverage and tolerates attack variations. Because no private information is needed as input, the method is easy to plug into an existing system such as an intrusion detector. Moreover, the graph structures and the representation obtained from manifold learning naturally provide visualized results suitable for further analysis by domain experts.