Security Alert Correlation Using Growing Neural Gas
Francisco José Mora-Gimeno, Francisco Maciá-Pérez, Iren Lorenzo-Fonseca,
Juan Antonio Gil-Martínez-Abarca, Diego Marcos-Jorquera,
and Virgilio Gilart-Iglesias
Department of Computer Technology,
University of Alicante, AP.99-03080, Alicante, Spain
{fjmora,pmacia,ilorenzo,gil,dmarcos,vgilart}@dtic.ua.es
Abstract. The use of alert correlation methods in Distributed Intrusion Detection Systems (DIDS) has become an important process to address some of the current problems in this area. However, the efficiency obtained is still far from optimal. This paper presents a novel approach based on the integration of multiple correlation methods by using the neural network Growing Neural Gas (GNG). Moreover, since correlation systems have different detection capabilities, we have modified the learning algorithm to positively weight the best performing systems. The results show the validity of the proposal, both the multiple integration approach using the GNG neural network and the weighting based on efficiency.
Keywords: Alert correlation, Neural networks, Intrusion detection, Growing neural gas.
1 Introduction
When an intrusion detection system (IDS) detects an attack - or any other malicious activity - an alert is reported to the system administrator. However, an attack rarely occurs in isolation; it usually belongs to a larger scenario composed of a series of attacks [1]. The logical connection between several alerts belonging to the same scenario, the large number of alerts that makes manual processing impossible, and the tendency to include in the analysis alerts from security systems other than the IDS are three of the reasons for the use of alert correlation mechanisms [2].
Correlation methods are generally classified into three types: specification of scenarios, which defines whole scenarios using an attack description language and models the correlation process as a pattern recognition problem [3]; the prerequisites and consequences approach, which defines the prerequisites and consequences of each individual attack and, in the correlation process, relates the consequences of a previous attack with the prerequisites of a subsequent one [4]; and finally the clustering approach, which is based on finding similarities or relationships between attributes of the alerts, so that alerts with similar values on their attributes belong to the same class and, therefore, to the same scenario [2].
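The clustering approach described above, as an added illustration that is not code from the paper: alerts are grouped into scenarios by a weighted similarity over their attributes (source and destination address, destination port, signature, and time proximity). The alert records, attribute weights, similarity threshold and time window are all constructed assumptions chosen for the example; the paper's GNG-based integration is not reproduced here.

```python
"""Toy alert correlation by attribute similarity (clustering approach).

Constructed example: the Alert fields, weights and sample alerts are
assumptions made for illustration, not data or code from the paper.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    alert_id: int
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str
    timestamp: int  # seconds since start of capture (constructed)


def same_subnet(x: str, y: str, prefix: int = 24) -> bool:
    """True when both addresses fall in the same /prefix network."""
    return ip_address(y) in ip_network(f"{x}/{prefix}", strict=False)


def attr_similarity(a: Alert, b: Alert, window: int = 600) -> float:
    """Weighted match over alert attributes, in [0, 1].

    Weights are assumed values: exact source match counts most, a shared
    source /24 counts less, and time proximity decays linearly to zero
    at `window` seconds.
    """
    score = 0.0
    if a.src_ip == b.src_ip:
        score += 0.35
    elif same_subnet(a.src_ip, b.src_ip):
        score += 0.20
    if a.dst_ip == b.dst_ip:
        score += 0.30
    if a.dst_port == b.dst_port:
        score += 0.10
    if a.signature == b.signature:
        score += 0.10
    dt = abs(a.timestamp - b.timestamp)
    if dt <= window:
        score += 0.15 * (1 - dt / window)
    return score


def correlate(alerts, threshold: float = 0.5):
    """Greedy single-pass clustering: each alert (in time order) joins the
    cluster containing its most similar member if that similarity reaches
    `threshold`, otherwise it starts a new scenario."""
    clusters: list[list[Alert]] = []
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        best, best_score = None, 0.0
        for cluster in clusters:
            s = max(attr_similarity(alert, m) for m in cluster)
            if s > best_score:
                best, best_score = cluster, s
        if best is not None and best_score >= threshold:
            best.append(alert)
        else:
            clusters.append([alert])
    return clusters


def scenario_ids(alerts, threshold: float = 0.5):
    """Same as correlate() but returns only alert ids per scenario."""
    return [[a.alert_id for a in c] for c in correlate(alerts, threshold)]


# Constructed sample: a scan of one host followed by an exploit attempt
# from the same /24, plus one unrelated alert much later.
SAMPLE_ALERTS = [
    Alert(1, "10.0.0.5", "192.168.1.10", 22, "PORTSCAN", 0),
    Alert(2, "10.0.0.5", "192.168.1.10", 23, "PORTSCAN", 30),
    Alert(3, "10.0.0.5", "192.168.1.10", 445, "PORTSCAN", 60),
    Alert(4, "10.0.0.5", "192.168.1.10", 445, "SMB_EXPLOIT_ATTEMPT", 120),
    Alert(5, "10.0.0.7", "192.168.1.10", 445, "SMB_EXPLOIT_ATTEMPT", 150),
    Alert(6, "172.16.3.9", "192.168.1.50", 80, "SQLI_ATTEMPT", 3000),
]

if __name__ == "__main__":
    for n, ids in enumerate(scenario_ids(SAMPLE_ALERTS), start=1):
        print(f"scenario {n}: alerts {ids}")
```

With the sample input the first five alerts form one scenario (same target, same source network, close in time) and the late SQL injection alert forms its own. The threshold and weights are the tunable part: lowering the threshold merges scenarios more aggressively, which is exactly the trade-off between detecting unknown scenarios and producing spurious groupings that the following paragraph discusses.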
Each of the above approaches has different features. For example, the first approach can efficiently detect known scenarios, but is unable to correlate new scenarios. By contrast, clustering methods can detect unknown attacks, but produce a high