Real-time analysis of intrusion detection alerts via correlation (Korean title: A study on a real-time intrusion detection alert analysis system using correlation analysis techniques)

With the growing deployment of networks and the Internet, the importance of network security has increased. Recently, however, intrusion detection systems (IDSs), which are important security countermeasures, have been unable to provide proper analysis or an effective defense mechanism. Instead, they have overwhelmed human operators with a large volume of intrusion detection alerts. In addition, the content of these alerts is so poor that the operator must go back to the original data source to acquire the necessary information. That is, human operators are fully responsible for analyzing a network's status and the trends of cyber attacks. Moreover, although a cyber attack can produce multiple correlated alerts, IDSs are generally unable to detect such an attack as a single complex attack; they regard each alert as a separate attack. Therefore, it is difficult to detect large-scale attacks such as a distributed denial of service (DDoS) or a worm at an early stage. To address this problem, many researchers have proposed a technique named alert correlation. Unfortunately, even though a number of correlation approaches have been suggested, most have several limitations: a shortage of practicality, a non-negligible additional burden on human operators, neglect of the importance of time information, and so on. We therefore propose a fast and efficient system for analyzing alerts via correlation. In designing the system, we focused on providing flexibility, automation, and real-time processing capability. Our system is based on probabilistic correlation. However, we enhance probabilistic correlation by applying more systematically defined similarity functions, and we also present a new correlation component that is absent from other correlation models. Compared with other models, our model has several advantages. First, we consider time similarity, a major measure of correlation that is disregarded in other models, and we ...
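The abstract describes merging related alerts by combining per-feature similarity functions, with a time-similarity term that other models leave out. The following is an added illustration, not code from the thesis or from the author's system: a minimal similarity-based ("probabilistic") alert correlator that assigns each incoming alert to the best-matching attack thread or opens a new one. The feature set (source, destination, destination port, signature, timestamp), the weights, the exponential time decay with a 60-second constant, the 0.7 merge threshold and the sample alerts are all assumptions made for the example; the thesis's own similarity functions and correlation component are not reproduced here.

```python
"""Toy similarity-based alert correlation with an explicit time term (illustrative only)."""
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import IPv4Address
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    dport: int
    sig: str


@dataclass
class Thread:
    """One attack thread: alerts judged to belong to the same activity."""
    alerts: List[Alert] = field(default_factory=list)


# Assumed feature weights (sum to 1.0); a real system would tune these per deployment.
WEIGHTS: Dict[str, float] = {"src": 0.3, "dst": 0.3, "dport": 0.1, "sig": 0.1, "time": 0.2}
TAU = timedelta(seconds=60)  # assumed decay constant of the time term
THRESHOLD = 0.7              # assumed minimum score for joining an existing thread


def ip_similarity(a: str, b: str) -> float:
    """Fraction of leading address bits shared: 1.0 for the same host, 0.0 for unrelated nets."""
    x, y = int(IPv4Address(a)), int(IPv4Address(b))
    common_bits = 32 - (x ^ y).bit_length()
    return common_bits / 32


def time_similarity(t1: datetime, t2: datetime, tau: timedelta = TAU) -> float:
    """Exponential decay in the gap between two alerts: 1.0 if simultaneous, ~0 after many tau."""
    gap = abs((t1 - t2).total_seconds())
    return math.exp(-gap / tau.total_seconds())


def pair_score(a: Alert, b: Alert) -> float:
    """Weighted combination of the per-feature similarities of two alerts."""
    feats = {
        "src": ip_similarity(a.src, b.src),
        "dst": ip_similarity(a.dst, b.dst),
        "dport": 1.0 if a.dport == b.dport else 0.0,
        "sig": 1.0 if a.sig == b.sig else 0.0,
        "time": time_similarity(a.ts, b.ts),
    }
    return sum(WEIGHTS[k] * v for k, v in feats.items())


def thread_score(alert: Alert, thread: Thread) -> float:
    """Similarity of a new alert to a thread: its best match against any member."""
    return max(pair_score(alert, m) for m in thread.alerts)


def correlate(alerts: List[Alert], threshold: float = THRESHOLD) -> List[Thread]:
    """Process alerts in time order; join the best-scoring thread or open a new one."""
    threads: List[Thread] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        best, best_score = None, 0.0
        for t in threads:
            s = thread_score(alert, t)
            if s > best_score:
                best, best_score = t, s
        if best is not None and best_score >= threshold:
            best.alerts.append(alert)
        else:
            threads.append(Thread([alert]))
    return threads


def thread_ports(threads: List[Thread]) -> List[List[int]]:
    """Compact view of a result: destination ports of each thread, in arrival order."""
    return [[a.dport for a in t.alerts] for t in threads]


# Constructed sample alerts: a three-port probe, an unrelated DB alert, and a
# later alert between the same pair of hosts as the probe.
T0 = datetime(2006, 2, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0, "10.0.0.5", "192.168.1.10", 22, "TCP SYN probe"),
    Alert(T0 + timedelta(seconds=2), "10.0.0.5", "192.168.1.10", 80, "TCP SYN probe"),
    Alert(T0 + timedelta(seconds=5), "10.0.0.5", "192.168.1.10", 443, "TCP SYN probe"),
    Alert(T0 + timedelta(seconds=3), "172.16.9.3", "10.9.8.7", 3306, "MySQL login failure"),
    Alert(T0 + timedelta(hours=2), "10.0.0.5", "192.168.1.10", 445, "SMB exploit attempt"),
]

if __name__ == "__main__":
    for i, t in enumerate(correlate(SAMPLE_ALERTS)):
        members = ", ".join(f"{a.ts:%H:%M:%S} {a.src}->{a.dst}:{a.dport} [{a.sig}]" for a in t.alerts)
        print(f"thread {i}: {members}")
```

Running it yields three threads: the three probes (ports 22, 80, 443) collapse into one thread, the MySQL alert stands alone, and the SMB alert two hours later also stands alone even though it shares source and destination with the probe thread, because with the time term near zero its score stays at 0.6, below the threshold. Had it arrived within a few seconds of the probes, the same alert would have scored about 0.79 and been merged, which is the effect of including time as a correlation measure.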
Advisors
Yoon, Hyun-Soo (윤현수)
Description
KAIST (Korea Advanced Institute of Science and Technology): Division of Computer Science
Publisher
KAIST (Korea Advanced Institute of Science and Technology)
Issue Date
2006
Identifier
254440/325007  / 020025223
Language
eng
Description

Doctoral thesis (Ph.D.) - KAIST: Division of Computer Science, 2006.2, [ix, 67 p.]

Keywords

Alert analysis; Intrusion detection system; Correlation; Correlation analysis (연관성 분석); Intrusion detection alert analysis (침입탐지정보 분석); Intrusion detection system (침입탐지 시스템)

URI
http://hdl.handle.net/10203/32912
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=254440&flag=dissertation
Appears in Collection
CS-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.