Scheduled System Maintenance:
On April 27th, single article purchases and IEEE account management will be unavailable from 2:00 PM - 4:00 PM ET (18:00 - 20:00 UTC).
We apologize for the inconvenience.
By Topic

Real-time attack scenario detection via intrusion detection alert correlation

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

The purchase and pricing options are temporarily unavailable. Please try again later.
3 Author(s)
Zali, Z. ; Electr. & Comput. Eng., Isfahan Univ. of Technol., Isfahan, Iran ; Hashemi, M.R. ; Saidi, H.

Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. The main purpose of this paper is to propose a new IDS alert correlation method to detect attack scenarios in real-time. The proposed method is based on causal approach due to the strength of causal methods in practice. Most of causal methods can be deployed offline but not in real-time due to time and memory limitations. In the proposed method the knowledge base of attack patterns is represented in a graph model called Causal Relations Graph. In offline, we construct some trees related to alerts probable correlations. In real-time for each received alert, we can find its correlations with previously received alerts by performing a search only in the corresponding tree. Thus processing time of each alert decreases significantly. In addition, the proposed method is immune to the deliberately slowed attacks. To verify the proposed method, it was implemented in C++ and we used DARPA2000 dataset to test it. Experimental results show the correctness of the proposed alert correlation and its efficiency with respect to the run time.

Published in:

Information Security and Cryptology (ISCISC), 2012 9th International ISC Conference on

Date of Conference:

13-14 Sept. 2012