new methods and technologies of these components. IDMEF [9] and CVE [10] are important efforts in the field of Normalization. Approaches to aggregation are mostly based on similarity of alerts [11] or generalization hierarchies [12]. The correlation algorithms [8] can be classified as: Scenario-based correlation [13,14], Rule-based correlation [15], Statistical correlation [16], and Temporal correlation [17,18]. The proposed approach can be classified as Scenario-based correlation: attack scenarios are specified by a formal language, and alerts are correlated if they can be combined into one of the known scenarios, i.e., alerts are matched to a specific path of the graph which can be considered as an attack scenario (e.g., [5]). False alert reduction can be done using techniques such as data mining [19] or fuzzy techniques [20]. Attack strategy analysis often depends on reasoning about and prediction of attacks missed by the IDS [21]. In terms of Prioritization, the alerts are categorized based on their severity, e.g., using attack ranks [22]. To solve problems of alert correlation, a variety of disciplines are used, e.g., machine learning, data mining [19], or fuzzy techniques [20].
An attack-graph-based correlation has been introduced in [5]. This approach maps alerts into the AG for correlation and provides possibilities for hypothesizing and predicting alerts. It uses a matching function which maps the alerts by comparing the alert type, the source, and the target address of each alert. Furthermore, this approach distinguishes between implicit and explicit correlation. It significantly reduces the number of explicit correlations by considering only the last alert in a set of similar alerts, i.e., alerts whose type, source, and target are identical. The explicitly correlated alerts are stored in a data structure called Queue Graph (QG), which aims to reduce memory consumption.
3 Towards High-Quality Attack-Graph-Based Correlation
In this paper, a modified AG-based correlation algorithm is proposed which only creates explicit correlations. Implicit correlations as described in [5] make it difficult to use the correlated alerts in the graph for forensic analysis of similar attack scenarios. Furthermore, the hardware environment used for in-memory databases provides machines with huge amounts of main memory, which lowers the priority of memory efficiency for this work. The algorithm consists of five steps, each of which can be parameterized to fine-tune the results: 1) preparation, 2) alert mapping, 3) aggregation of alerts, 4) building of an alert dependency graph, and 5) searching for alert subsets that are related. In the preparation phase, all necessary information is loaded, i.e., the system and network information is gathered, the database with alert classifications is imported, and the AG for the network is loaded. We use the MulVAL [3] tool to generate an AG which describes the corresponding system and network information for the target network. The algorithm is based on a set of basic definitions.
3.1 Definitions
Let $T$ be the set of all timestamps, $H$ be the set of possible hosts, and $C$ be the set of classifications. $A$ can be defined as:

$$A = T \times H \times H \times C \qquad (1)$$
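As an added example that is not part of the original paper or the MulVAL tool, the Python code below represents alerts as tuples from $A = T \times H \times H \times C$ in (1), aggregates similar alerts by keeping only the latest one with identical classification, source and target (the behaviour described for [5] in Section 2, assumed here to be what step 3 does), maps the remaining alerts to the nodes of a small attack graph with the type/source/target matching function (step 2), and links mapped alerts along the graph's edges into scenario chains (a simplified stand-in for steps 4 and 5). The attack graph, host names, classifications and alert list are constructed sample data, not output of the paper's system.

```python
from collections import namedtuple
# Alert tuple per Definition (1): A = T x H x H x C
Alert = namedtuple("Alert", "timestamp source target classification")
# Constructed attack graph (not MulVAL output): each node is an attack step
# (source host, target host, classification); an edge points from a step to
# the steps it enables, so a path through the graph is an attack scenario.
ATTACK_GRAPH = {
    ("attacker", "web", "scan"): [("attacker", "web", "exploit")],
    ("attacker", "web", "exploit"): [("web", "db", "exploit")],
    ("web", "db", "exploit"): [("db", "db", "privilege_escalation")],
    ("db", "db", "privilege_escalation"): [],
}
SAMPLE_ALERTS = [  # constructed sample input
    Alert(1, "attacker", "web", "scan"),
    Alert(2, "attacker", "web", "scan"),   # similar to alert 1: only the last is kept
    Alert(3, "attacker", "web", "exploit"),
    Alert(4, "web", "db", "exploit"),
    Alert(5, "attacker", "mail", "scan"),  # no matching AG node: left uncorrelated
    Alert(6, "db", "db", "privilege_escalation"),
]

def node_of(alert):
    """Matching key: alert type (classification), source and target."""
    return (alert.source, alert.target, alert.classification)

def aggregate(alerts):
    """Step 3 (assumed): keep only the latest alert of each set of similar
    alerts, i.e. alerts with identical classification, source and target."""
    latest = {}
    for a in sorted(alerts, key=lambda a: a.timestamp):
        latest[node_of(a)] = a
    return sorted(latest.values(), key=lambda a: a.timestamp)

def map_to_graph(alerts, graph=ATTACK_GRAPH):
    """Step 2: an alert is mapped if an AG node has the same type, source and target."""
    return [a for a in alerts if node_of(a) in graph]

def correlate(alerts, graph=ATTACK_GRAPH):
    """Steps 4 and 5 (simplified): append each mapped alert to the chain whose
    last alert's AG node has an edge to this alert's node, else start a chain."""
    chains = []
    for a in map_to_graph(aggregate(alerts), graph):
        preds = [c for c in chains if node_of(a) in graph[node_of(c[-1])]]
        if preds:
            preds[-1].append(a)
        else:
            chains.append([a])
    return chains
```

With the sample input, the two similar scan alerts collapse to one, the alert against "mail" is dropped because no AG node matches it, and the remaining four alerts form a single chain along the graph path.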