Fig. 1. Experiment results: aggregated alerts and suspicious alert sets for different aggregation thresholds with match mode srcdst
try to filter more alerts in the matching by using a matching mode that is based on alert categories, e.g., we do not need to match alerts that are related to attacks categorized as Denial-of-Service (DoS).
As shown in Figure 1, the aggregation threshold influences the number of suspicious subsets, as a lot of matched alerts can be filtered. The diagram shows the amount of aggregated/filtered alerts as blocks and the amount of identified suspicious alert subsets as a line. The overall positive effect of aggregation seen in the diagram is due to the high similarity of consecutive alerts in our data set. We observed multiple alerts in a row that are very similar and most likely belong to the same communication. These alert clusters can be aggregated without losing accuracy of the correlation result. An aggregation threshold of 60 s or larger filters 1246 out of 1836 alerts, i.e., 67.86% of the matched alerts can be filtered in the best case. The algorithm determined 398 suspicious alert sets for this case, which is a significant improvement over the 1010 suspicious alert sets for the threshold of 2 seconds. Thresholds smaller than 2 seconds do not show a reasonable effect.
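The threshold-based aggregation described above, as an added example that is not the paper's own code: runs of consecutive alerts with the same source, destination and signature (the assumed meaning of match mode srcdst) whose inter-arrival gap is at most the threshold collapse into one alert, and the helper reports how many alerts that filters. The alert data is constructed for the example; the srcdst key, the `Alert` fields and the choice to measure the gap against the previous alert of a run are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Alert:
    ts: float   # timestamp in seconds (assumed field layout)
    src: str
    dst: str
    sig: str    # signature / alert type

def srcdst_key(a: Alert) -> Tuple[str, str, str]:
    """Assumed 'srcdst' match mode: same source, destination and signature."""
    return (a.src, a.dst, a.sig)

def aggregate(alerts: List[Alert], threshold: float,
              key: Callable[[Alert], tuple] = srcdst_key) -> List[List[Alert]]:
    """Group runs of consecutive alerts with an equal key whose gap to the
    previous alert of the run is at most `threshold` seconds (assumption).
    Each group survives as a single alert, so len(alerts) - len(groups)
    alerts are filtered before correlation."""
    groups: List[List[Alert]] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if groups:
            last = groups[-1][-1]
            if key(last) == key(a) and a.ts - last.ts <= threshold:
                groups[-1].append(a)
                continue
        groups.append([a])
    return groups

def aggregation_stats(alerts: List[Alert], threshold: float) -> Dict[str, float]:
    """Number of remaining and filtered alerts, plus the filtered share in %."""
    groups = aggregate(alerts, threshold)
    filtered = len(alerts) - len(groups)
    return {"threshold": threshold, "remaining": len(groups),
            "filtered": filtered, "ratio": round(100.0 * filtered / len(alerts), 2)}

# Constructed sample: one scanner producing two bursts against the same host,
# one alert against another host in between, and a different signature at the end.
SAMPLE = [
    Alert(0.0, "10.0.0.5", "10.0.0.9", "portscan"),
    Alert(1.0, "10.0.0.5", "10.0.0.9", "portscan"),
    Alert(30.0, "10.0.0.5", "10.0.0.9", "portscan"),
    Alert(31.0, "10.0.0.5", "10.0.0.7", "portscan"),   # different dst breaks the run
    Alert(200.0, "10.0.0.5", "10.0.0.9", "portscan"),
    Alert(201.0, "10.0.0.5", "10.0.0.9", "web-exploit"),
]

if __name__ == "__main__":
    for t in (1, 2, 60):
        print(aggregation_stats(SAMPLE, t))
```

With this sample a 2 s threshold filters one alert and a 60 s threshold filters two; a larger threshold changes nothing because the remaining runs are separated by alerts with a different key.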
5 Conclusion
In this paper, an AG-based correlation algorithm is proposed that overcomes the drawbacks of the algorithm described in [5]. It creates only explicit correlations and enables the identification of multiple attack scenarios of the same anatomy. The algorithm consists of a mapping of alerts to AG nodes, the alert aggregation function, a function for building an alert dependency graph, and a function for finding suspicious subsets using the Floyd-Warshall algorithm and the diameter value. In addition to the formal model of the correlation algorithm, we analyzed multiple possibilities for the node matching