Discovering Attackers Past Behavior to Generate Online Hyper-Alerts

Cláudio Toshio Kawakani, Sylvio Barbon, Rodrigo Sanches Miani, Michel Cukier, Bruno Bogaz Zarpelão


To support information security, organizations deploy Intrusion Detection Systems (IDS) that monitor information systems and networks, generating alerts for every suspicious behavior. However, the huge amount of alerts that an IDS triggers and their low-level representation make the alerts analysis a challenging task. In this paper, we propose a new approach based on hierarchical clustering that supports intrusion alert analysis in two main steps. First, it correlates historical alerts to identify the most common strategies attackers have used. Then, it associates upcoming alerts in real time according to the strategies discovered in the first step. The experiments were performed using a real dataset from the University of Maryland. The results showed that the proposed approach could properly identify the attack strategy patterns from historical alerts, and organize the upcoming alerts into a smaller amount of meaningful hyper-alerts.

Texto completo:

PDF (English)


Ahmad, A., Hadgkiss, J., and Ruighaver, A. B. (2012). Incident response teams - challenges in supporting the organisational security function. Comput. Secur., 31(5):643–652. DOI:10.1016/j.cose.2012.04.001 [Google Schlar]

Alvarenga, S. C., Junior, S. B., Miani, R. S., Cukier, M., and Zarpelao, B. B. (2015). Discovering attack strategies using process mining. In AICT 2015 : The Eleventh Advanced International Conference on Telecommunications, pages 119–125. [Google Scholar]

Brown, C., Cowperthwaite, A., Hijazi, A., and Somayaji, A. (2009). Analysis of the 1999 darpa/lincoln laboratory ids evaluation data with netadhict. In 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, pages 1–7. DOI:10.1109/CISDA.2009.5356522 [Google Scholar]

Debar, H. (2002). An introduction to intrusion-detection systems. In Proceedings of Connect 2000. [Google Scholar]

GhasemiGol, M. and Ghaemi-Bafghi, A. (2015). E-correlator: an entropy-based alert correlation system. Security and Communication Networks, 8(5):822–836. DOI:10.1002/sec.1039 [Google Scholar]

Jain, A. K., Murty, M. N., and Flynn, P. J. (1999). Data clustering: A review. ACM Comput. Surv., 31(3):264–323. DOI:10.1145/331499.331504 [Google Scholar]

Julisch, K. (2003). Clustering intrusion detection alarms to support root cause analysis. ACM Trans. Inf. Syst. Secur., 6(4):443–471. DOI:10.1145/950191.950192 [Google Scholar]

Kawakani, C. T., Junior, S. B., Miani, R. S., Cukier, M., and Zarpelao, B. B. (2016). Intrusion alert correlation to support security management. In XII Brazilian Symposium on Information Systems - Information Systems in the Cloud Computing Era, pages 313–320. [BDBComp] [Google Scholar]

Kerns, G. J. (2011). Introduction to Probability and Statistics Using R. Free Software Foundation, first edition. [Google Scholar]

Lagzian, S., Amiri, F., Enayati, A., and Gharaee, H. (2012). Frequent item set miningbased alert correlation for extracting multi-stage attack scenarios. In Telecommunications (IST), 2012 Sixth International Symposium on, pages 1010–1014. DOI:10.1109/ISTEL.2012.6483134 [Google Scholar]

Liao, H.-J., Lin, C.-H. R., Lin, Y.-C., and Tung, K.-Y. (2013). Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1):16 – 24. DOI:10.1016/j.jnca.2012.09.004 [Google Scholar]

Liu, L., Zheng, K., and Yang, Y. (2010). An intrusion alert correlation approach based on finite automata. In Communications and Intelligence Information Security (ICCIIS), 2010 International Conference on, pages 80–83. DOI:10.1109/ICCIIS.2010.37 [Google Scholar]

Liu, Z., Wang, C., and Chen, S. (2008). Correlating multi-step attack and constructing attack scenarios based on attack pattern modeling. In Information Security and Assurance, 2008. ISA 2008. International Conference on, pages 214–219. DOI:10.1109/ISA.2008.11 [Google Scholar]

Macfarlane, P. A. (1996). Kansas geological survey, dakota aquifer program - ward’s method.

McHugh, J. (2000). Testing intrusion detection systems: A critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by lincoln laboratory. ACM Trans. Inf. Syst. Secur., 3(4):262–294. DOI:10.1145/382912.382923 [Google Scholar]

Mitchell, R. and Chen, I.-R. (2014). A survey of intrusion detection in wireless network applications. Computer Communications, 42(0):1 – 23.

Ning, P. and Xu, D. (2003). Learning attack strategies from intrusion alerts. In Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS ’03, pages 200–209, New York, NY, USA. ACM. DOI:10.1016/j.comcom.2014.01.012 [Google Scholar]

Niwattanakul, S., Singthongchai, J., Naenudorn, E., and Wanapu, S. (2013). Using of jaccard coefficient for keywords similarity. In Proceedings of the International MultiConference of Engineers and Computer Scientists, volume 1, page 6. [Google Scholar]

Patel, A., Qassim, Q., and Wills, C. (2010). A survey of intrusion detection and prevention systems. Information Management & Computer Security, 18(4):277–290. DOI:10.1108/09685221011079199 [Google Scholar]

Ruefle, R., Dorofee, A., Mundie, D., Householder, A., Murray, M., and Perl, S. (2014). Computer security incident response team development and evolution. Security Privacy, IEEE, 12(5):16–26. DOI:10.1109/MSP.2014.89 [Google Scholar]

Scarfone, K. and Mell, P. (2007). Guide to intrusion detection and prevention systems (idps). Technical report, National Institute of Standards and Technology. Special Publication 800-94. [Google Scholar]

Shameli-Sendi, A., Aghababaei-Barzegar, R., and Cheriet, M. (2016). Taxonomy of information security risk assessment (isra). Computers & Security, 57:14 – 30. DOI:10.1016/j.cose.2015.11.001 [Google Scholar]

Shiravi, A., Shiravi, H., Tavallaee, M., and Ghorbani, A. A. (2012). Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Computers & Security, 31(3):357 – 374. DOI:10.1016/j.cose.2011.12.012 [Google Scholar]

Shittu, R., Healing, A., Ghanea-Hercock, R., Bloomfield, R., and Rajarajan, M. (2015). Intrusion alert prioritisation and attack detection using post-correlation analysis. Computers & Security, 50:1 – 15. DOI:10.1016/j.cose.2014.12.003 [Google Scholar]

Spathoulas, G. P. and Katsikas, S. K. (2013). Enhancing ids performance through comprehensive alert post-processing. Comput. Secur., 37:176–196. DOI:10.1016/j.cose.2013.03.005 [Google Scholar]

Stallings, W. and Brown, L. (2007). Computer Security: Principles and Practice. Prentice Hall Press, Upper Saddle River, NJ, USA, 1st edition.

Stavroulakis, P. P. and Stamp, M., editors (2010). Handbook of Information and Communication Security. Springer Science & Business Media. [Google Scholar]

Treinen, J. J. and Thurimella, R. (2006). A framework for the application of association rule mining in large intrusion detection infrastructures. In Proceedings of the 9th International Conference on Recent Advances in Intrusion Detection, RAID’06, pages 1–18, Berlin, Heidelberg. Springer-Verlag. DOI:10.1007/11856214_1 [Google Scholar]

Vacca, J. (2013). Computer and information security handbook. Morgan Kaufmann, Amsterdam. [Google Scholar]

Ward Jr, J. H. (1963). Hierarchical grouping to optimize an objective function. Journal of the American statistical association, 58(301):236–244. [Google Scholar]

Xu, R. and Wunsch, D., I. (2005). Survey of clustering algorithms. Neural Networks, IEEE Transactions on, 16(3):645–678. DOI:10.1109/TNN.2005.845141 [Google Scholar]

Xuewei, F., Dongxia, W., Minhuan, H., and Xiaoxia, S. (2014). An approach of discovering causal knowledge for alert correlating based on data mining. In Dependable, Autonomic and Secure Computing (DASC), 2014 IEEE 12th International Conference on, pages 57–62. DOI:10.1109/DASC.2014.19 [Google Scholar]

Zuech, R., Khoshgoftaar, T. M., and Wald, R. (2015). Intrusion detection and big heterogeneous data: a survey. Journal of Big Data, 2(1):1–41. DOI:10.1186/s40537-015-0013-4 [Google Scholar]

Article Metrics

Metrics Loading ...

Metrics powered by PLOS ALM

iSys - Revista Brasileira de Sistemas de Informação - CESI/SBC
ISSN Eletrônico: 1984-2902