Data Reduction in Intrusion Alert Correlation
Gianni Tedesco, Uwe Aickelin
TL;DR
This paper addresses the challenge of analyzing low-level network intrusion alerts by proposing modified correlation algorithms that reduce extraneous alerts, thereby improving attack graph clarity for better detection and analysis.
Contribution
It introduces novel alert correlation algorithms designed to minimize extraneous alerts caused by flooding attacks, enhancing attack graph analysis.
Findings
Modified algorithms effectively reduce extraneous alerts.
Improved clarity of attack graphs for human analysis.
Enhanced detection of genuine attack structures.
Abstract
Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsNetwork Security and Intrusion Detection · Information and Cyber Security · Advanced Malware Detection Techniques