DocumentCode
1566475
Title
Intrusion Detection with Data Correlation Relation Graph
Author
Hassanzadeh, Amin ; Sadeghian, Babak
Author_Institution
Comput. Eng. & IT Dept., Amirkabir Univ. of Technol., Tehran
fYear
2008
Firstpage
982
Lastpage
989
Abstract
Intrusion detection systems are designed on the assumption that the behavior of an intruder differs from that of a normal user of a system. We show that intrusion detection can instead be based on the assumption that the correlation of system events and parameters changes during an attack on the system. In this paper, we propose a new method for correlating data and events in "network based intrusion detection systems". When an attack occurs, the correlation of security parameters changes. We propose to use the state of correlation between parameters to detect an attack. First, we show how to select effective security parameters for our detection engine with statistical correlation methods. Then, we propose how to build correlation relation graphs (CRG) for the parameters showing higher correlation. Finally, we show how an attack may be detected by comparing the CRG parameter pairs for each session with their deviation from the regression line. We present our results for detecting a SynFlood attack with this method. We also give the corresponding detection rate and false alarm rate.
Keywords
correlation methods; graph theory; security of data; statistical analysis; SynFlood attack; data correlation relation graph; intrusion detection systems; security parameters; statistical correlation methods; system events; Availability; Computer security; Correlation; Data engineering; Data security; Engines; Floods; Intrusion detection; Reliability engineering; TCPIP; correlation coefficient; correlation relation graph; data correlation; intrusion detection; regression line; synflood;
fLanguage
English
Publisher
IEEE
Conference_Titel
Availability, Reliability and Security, 2008. ARES 08. Third International Conference on
Conference_Location
Barcelona
Print_ISBN
978-0-7695-3102-1
Type
conf
DOI
10.1109/ARES.2008.119
Filename
4529450