In this paper, we design an AG based correlation algorithm to overcome the above mentioned drawbacks of the algorithm proposed in [5]. By running the algorithm on hardware [6] with TB of main memory on a single machine, we can make all the correlations between alerts explicit. Therefore, the algorithm is capable of identifying multiple attack scenarios of the same anatomy using an attack graph. The algorithm consists of a mapping of alerts to nodes in the attack graph, an alert aggregation, the construction of an alert dependency graph, and a function for finding suspicious alert subsets. Apart from the formal model of the correlation algorithm, we analyze multiple possibilities for AG node matching and aggregation by parameterizing the algorithm. A proof-of-concept implementation is tested using a real data set with alerts from our university network.
The rest of the paper is organized as follows. Section 2 provides an overview of different approaches to alert correlation. In Section 3, the proposed correlation algorithm is described by a formal model, and its capabilities for detecting multiple attack scenarios are discussed. Section 4 presents some experiments and discusses the influence of selected parameters of the algorithm. Section 5 provides a short summary of the contributions and future work.
2 Alert Correlation
The alerts created by the distributed sensors are usually gathered by a central management system and processed by correlation algorithms. The quality of a correlation depends on accuracy and speed. The speed describes how many correlations can be found in a certain amount of time. The accuracy describes how many of the identified correlations represent real existing relations between these alerts. Due to more complex attacks and large scale networks, the amount of alerts increases significantly, which yields the requirement for improved quality of the correlation. The correlation accuracy depends on the correlation algorithm used. It is obvious that using environmental information can help to improve the quality of alert correlation. Environmental information can be host addresses, running services, active users, network configurations, existing policies, known vulnerabilities in general, and existing vulnerabilities on hosts. To represent the listed information, AGs are usually constructed for further processing and analysis. Attack Graphs have been proposed as a formal way to simplify the modeling of complex attack scenarios. Based on the interconnection of single attack steps, they describe multi-step attacks. Attack Graphs not only describe one possible attack, but many potential ways for an attacker to reach a goal. In an attack graph, each node represents a single attack step in a sequence of steps. Each step may require a number of previous attack steps before it can be executed, denoted by incoming edges, and on the other hand may lead to several possible next steps, denoted by outgoing edges. With the help of attack graphs most of the possible ways for an attacker to reach a goal can be computed. This relieves security experts of the burden of evaluating hundreds and thousands of possible options. At the same time, representing attack graphs visually allows security personnel a faster understanding of the problematic pieces of a network [7,4].
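The following Python example illustrates the two ideas above: an attack graph as a directed graph of attack steps whose paths to a goal node can be enumerated, and the four stages the introduction lists (mapping alerts to AG nodes, aggregating alerts, building an alert dependency graph, and extracting suspicious alert subsets). It is an added illustration, not the paper's proof-of-concept implementation; the attack graph, the signature-to-node table, the alert records, the aggregation window and the host-linking rule in dependency_graph are all constructed assumptions chosen to show how such a pipeline fits together.

```python
"""Toy attack-graph alert correlation (added illustration, not the paper's code)."""
from collections import defaultdict

# Constructed attack graph: node -> successor nodes. Nodes are single attack steps;
# an edge u -> v means step v requires step u to have happened first.
ATTACK_GRAPH = {
    "scan_web": {"exploit_web"},
    "scan_db": {"exploit_db"},
    "exploit_web": {"escalate_web"},
    "escalate_web": {"exploit_db"},
    "exploit_db": {"exfiltrate"},
    "exfiltrate": set(),
}
GOAL = "exfiltrate"

# Constructed mapping from sensor signature names to attack-graph nodes (assumption).
SIG_TO_NODE = {"PORTSCAN": "scan_web", "WEB_RCE": "exploit_web", "PRIV_ESC": "escalate_web",
               "SQL_EXPLOIT": "exploit_db", "LARGE_OUTBOUND": "exfiltrate"}

# Constructed sample alerts (ids, timestamps in seconds, addresses are all made up).
ALERTS = [
    {"id": 1, "ts": 100, "sig": "PORTSCAN", "src": "10.0.0.5", "dst": "10.0.1.10"},
    {"id": 2, "ts": 101, "sig": "PORTSCAN", "src": "10.0.0.5", "dst": "10.0.1.10"},  # duplicate
    {"id": 3, "ts": 200, "sig": "WEB_RCE", "src": "10.0.0.5", "dst": "10.0.1.10"},
    {"id": 4, "ts": 300, "sig": "PRIV_ESC", "src": "10.0.1.10", "dst": "10.0.1.10"},
    {"id": 5, "ts": 400, "sig": "SQL_EXPLOIT", "src": "10.0.1.10", "dst": "10.0.2.20"},
    {"id": 6, "ts": 500, "sig": "LARGE_OUTBOUND", "src": "10.0.2.20", "dst": "203.0.113.9"},
    {"id": 7, "ts": 50, "sig": "UNKNOWN_SIG", "src": "10.0.0.9", "dst": "10.0.1.10"},  # no AG node
]


def predecessors(graph):
    """Invert the successor map so incoming edges (prerequisites) can be looked up."""
    preds = defaultdict(set)
    for u, succs in graph.items():
        for v in succs:
            preds[v].add(u)
    return preds


def all_paths(graph, goal):
    """Enumerate every path from a step with no prerequisites to the goal step."""
    preds = predecessors(graph)
    paths = []

    def walk(node, path):
        if node == goal:
            paths.append(path)
        for nxt in sorted(graph[node]):
            walk(nxt, path + [nxt])

    for start in (n for n in graph if not preds[n]):
        walk(start, [start])
    return paths


def map_alerts(alerts, sig_to_node):
    """Stage 1: attach an AG node to each alert; alerts without a matching node are dropped."""
    return [dict(a, node=sig_to_node[a["sig"]]) for a in alerts if a["sig"] in sig_to_node]


def aggregate(alerts, window=60):
    """Stage 2: merge alerts with equal (node, src, dst) that arrive within `window` seconds."""
    groups = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["node"], a["src"], a["dst"])
        for g in groups:
            if g["key"] == key and a["ts"] - g["last_ts"] <= window:
                g["count"] += 1
                g["last_ts"] = a["ts"]
                g["ids"].append(a["id"])
                break
        else:
            groups.append({"key": key, "node": a["node"], "src": a["src"], "dst": a["dst"],
                           "ts": a["ts"], "last_ts": a["ts"], "count": 1, "ids": [a["id"]]})
    return groups


def dependency_graph(groups, graph, require_host_link=True):
    """Stage 3: edge a -> b when the AG has node(a) -> node(b), a precedes b in time,
    and (a matching parameter) the target host of a takes part in b."""
    edges = defaultdict(list)
    for i, a in enumerate(groups):
        for j, b in enumerate(groups):
            if i == j or b["node"] not in graph[a["node"]] or not a["ts"] < b["ts"]:
                continue
            if require_host_link and a["dst"] not in (b["src"], b["dst"]):
                continue
            edges[i].append(j)
    return edges


def suspicious_subsets(groups, edges, goal):
    """Stage 4: chains of aggregated alerts that follow AG edges and end at the goal step."""
    has_pred = {j for js in edges.values() for j in js}
    chains = []

    def walk(i, chain):
        if groups[i]["node"] == goal:
            chains.append([groups[k]["ids"][0] for k in chain])
        for j in edges[i]:
            walk(j, chain + [j])

    for i in range(len(groups)):
        if i not in has_pred:
            walk(i, [i])
    return chains


def correlate(alerts=ALERTS, graph=ATTACK_GRAPH, goal=GOAL):
    """Run all four stages and return suspicious chains as lists of representative alert ids."""
    groups = aggregate(map_alerts(alerts, SIG_TO_NODE))
    return suspicious_subsets(groups, dependency_graph(groups, graph), goal)


if __name__ == "__main__":
    print("attack paths to goal:", all_paths(ATTACK_GRAPH, GOAL))
    print("suspicious alert chains:", correlate())
```

The `window` argument of aggregate and the `require_host_link` flag of dependency_graph stand in for the aggregation and node-matching parameters the introduction says the algorithm exposes; loosening either one produces more correlations at the cost of accuracy, which is the speed/accuracy trade-off the text describes. Because the whole dependency graph is kept in memory, every chain toward the goal is made explicit rather than only the first one found.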
The alert correlation framework usually consists of several components [8]: Normalization, Aggregation (Clustering), Correlation, False Alert Reduction, Attack Strategy Analysis, and Prioritization. Over the last years, alert correlation research focused on