Critical Episode Mining in Intrusion Detection Alerts

@article{Soleimani2008CriticalEM,
  title={Critical Episode Mining in Intrusion Detection Alerts},
  author={Mahboobeh Soleimani and Ali A. Ghorbani},
  journal={6th Annual Communication Networks and Services Research Conference (CNSR 2008)},
  year={2008},
  pages={157-164}
}
One of the most important steps in attack detection using Intrusion Detection Systems (IDSs) is dealing with the huge number of alerts, which can be either critical single alerts and multi-step attack scenarios or false and non-critical alerts. In this paper we address the problem of managing alerts via multi-layer alert correlation and filtering that can identify critical alerts after each step of correlation and filtering. After applying the approach to the LL DDoS 1.0 data set, we achieved… 
Alert correlation by a retrospective method
TLDR
A method for alert correlation that traces results back to their causes, based on the characteristic sequences of hacker attacks, is presented; it can find the internal relations of an intrusion and accurately identify intrusion targets.
A hybrid alarm management strategy in signature-based intrusion detection systems
TLDR
A comparative analysis of two approaches that consider the false alarm minimization and alarm correlation techniques is presented, providing the elements to propose a parallelizable strategy designed to achieve better results in terms of precision, recall and alarm load reduction in the prioritization of alarms.
Alert Correlation through Results Tracing back to Reasons
TLDR
A method for alert correlation that traces results back to their causes, based on the characteristic sequences of hacker attacks, is presented; it can find the internal relations of an intrusion and accurately identify intrusion targets.
False alarm minimization techniques in signature-based intrusion detection systems: A survey
TLDR
This paper gives a taxonomy of false alarm minimization techniques in signature-based IDS and presents the pros and cons of each class and concludes with some directions to the future research.
A systematic survey on multi-step attack detection
TLDR
This survey aims to gather all the publications proposing multi-step attack detection methods as mechanisms to reveal attack scenarios composed of digital traces left by attackers.
Polygraph: System for Dynamic Reduction of False Alerts in Large-Scale IT Service Delivery Environments
TLDR
Polygraph is a novel architecture for automated tuning of monitoring policies towards reducing false alerts, which integrates multiple types of service management data into an active-learning approach to automated generation of new monitoring policies.
Boosting performance in attack intention recognition by integrating multiple techniques
TLDR
The proposed method is the first to correlate complementary intrusion evidence with frequent pattern mining techniques based on the FP-Growth algorithm to rebuild attack paths and to recognize attack intentions.
An orchestration approach for unwanted Internet traffic identification
TLDR
The specification of a new orchestration-based approach to detect, and as far as possible to limit, the actions of these coordinated attacks is presented.
Temporal mining for distributed systems
TLDR
The application to system event mining is still at a rudimentary stage: most work still focuses on episode mining or frequent pattern discovery, and these methods provide little actionable knowledge to help system administrators better manage their systems.

References

SHOWING 1-10 OF 37 REFERENCES
Correlating Alerts Using Prerequisites of Intrusions
TLDR
The proposed approach provides a high-level representation of the correlated alerts and reveals the structure of a series of attacks; it can potentially be applied to predict attacks in progress and allows intrusion response systems to take appropriate actions to stop on-going attacks.
Alert correlation in a cooperative intrusion detection framework
  • F. Cuppens, A. Miège
  • Computer Science
    Proceedings 2002 IEEE Symposium on Security and Privacy
  • 2002
TLDR
This paper presents the work done within the MIRADOR project to design CRIM, a cooperative module for intrusion detection systems (IDS), and focuses on the approach to design the correlation function.
Alert Correlation for Extracting Attack Strategies
TLDR
This paper focuses on developing a new alert correlation technique that can help to automatically extract attack strategies from a large volume of intrusion alerts, without specific prior knowledge about these alerts.
An Intrusion Alert Correlator Based on Prerequisites of Intrusions
TLDR
This paper presents the development of an off-line intrusion alert correlator based on prerequisites of intrusions, which is the first step to address the problem of large amounts of alerts in situations where there are intensive intrusive actions.
Time series modeling for IDS alert management
TLDR
This paper presents the findings regarding the causes of background noise of intrusion detection systems, and one approach for monitoring the noise with reasonable user load is proposed, based on modeling regularities in alert flows with classical time series methods.
Data mining and machine learning - Towards reducing false positives in intrusion detection
TLDR
Two orthogonal and complementary approaches to reduce the number of false positives in intrusion detection using alert postprocessing by data mining and machine learning are presented.
An Alert Data Mining Framework for Network-Based Intrusion Detection System
TLDR
The proposed alert data mining framework performs alert correlation analysis using mining tasks such as axis-based association rules, axis-based frequent episodes and order-based clustering, and provides the capability of classifying false alarms in order to reduce false alarms from the intrusion detection system.
Statistical Causality Analysis of INFOSEC Alert Data
TLDR
The results show that the approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated, and complements other approaches that use hard-coded prior knowledge for pattern matching.
Managing alerts in a multi-intrusion detection environment
  • F. Cuppens
  • Computer Science
    Seventeenth Annual Computer Security Applications Conference
  • 2001
TLDR
This paper suggests specifications for three functions of intrusion detection: alert base management, alert clustering and alert merging, compliant with the IDMEF format currently being defined at the IETF.
Fusing A Heterogeneous Alert Stream Into Scenarios
TLDR
An algorithm for fusing the alerts produced by multiple heterogeneous intrusion detection systems is presented, which can determine the scenario membership of a new alert in time proportional to the number of candidate scenarios.