Title :
Real-Time Alert Stream Clustering and Correlation for Discovering Attack Strategies
Author :
Ma, Jie ; Li, Zhi-Tang ; Li, Wei-ming
Author_Institution :
Comput. Sci. Dept., Huazhong Univ. of Sci. & Technol., Wuhan
Abstract :
Signature-based network intrusion detection systems (NIDSs) often report a massive number of elementary alerts for low-level security-related events that are logically part of a single multi-stage attack. Overwhelmed by these alerts, security administrators are almost unable to discover complicated multi-stage attacks in time. It is necessary to develop a real-time system for extracting useful attack strategies from the alert stream, which enables network administrators to launch an appropriate response to stop attacks and prevent them from escalating. This paper focuses on developing a new alert clustering and correlation technique that automatically discovers attack strategies from the evolving alert stream, without specific prior knowledge. The proposed algorithms can discover various sequential attack patterns over different kinds of time horizons or user-defined time periods. Experiments show that our approach can effectively construct attack scenarios and accordingly predict the next most likely attack behavior.
Keywords :
computer networks; real-time systems; telecommunication security; attack behavior; attack strategy discovery; correlation technique; multistage attack; real-time alert stream clustering; real-time system; signature based network intrusion detection system; Clustering algorithms; Computer networks; Computer science; Computer security; Correlation; Counting circuits; Fuzzy systems; Intrusion detection; Real time systems;
Conference_Titel :
Fuzzy Systems and Knowledge Discovery, 2008. FSKD '08. Fifth International Conference on
Conference_Location :
Jinan Shandong
Print_ISBN :
978-0-7695-3305-6
DOI :
10.1109/FSKD.2008.522