A Hybrid Approach of Similarity-based and Scenario-based Algorithms in Alert Correlation

Sepahi, Ahmad | 2014

Type of Document: M.Sc. Thesis
Language: Farsi
Document No: 46931 (19)
University: Sharif University of Technology
Department: Computer Engineering
Advisor(s): Jalili, Rasoul

Abstract:
The rapid growth and increasing complexity of modern network and communication systems have created a demand for protecting organizations' sensitive data and resources from malicious intrusions. Attackers and intruders carry out attacks by exploiting vulnerabilities, weaknesses, and flaws in computer systems using novel and advanced techniques. Traditional security mechanisms, such as authentication, access control, and firewalls, cannot prevent these attacks. Therefore, intrusion detection systems (IDSs) are employed to monitor network traffic and host events and to detect abnormal activities. These systems suffer from several limitations, including generating a huge number of alerts and false positives, failing to report some attacks, and offering only a low-level view of network attacks. One of the most popular approaches for analyzing alerts and discovering abnormal behavior is alert correlation. This thesis presents a hybrid approach for analyzing alerts, reducing the number of alerts, filtering false positives, and producing a high-level view of the security situation. The proposed method combines statistical, scenario-based, and similarity-based algorithms. Known attacks can be detected using an attack-pattern knowledge base. Similarity-based algorithms can discover unknown and new attack patterns. Statistical algorithms are applied to predict the next step of an attack and to create new attack scenarios. By predicting the attacker's next steps, proper action can be taken before the attack is fully accomplished. Finally, a report of new attack patterns is presented to a security expert for verification; after verification, the attack-pattern knowledge base is updated automatically. The approach has been evaluated using a series of publicly available datasets and a dataset collected while performing an attack in a real-life setting. The results show that our hybrid approach, which we name one path correlation, is capable of finding new attack patterns and anticipating the next steps of attackers. In addition, the vulnerability correlation and filtering components have a great impact on reducing the number of false positive and non-relevant alerts.

Keywords:
Alert Correlation; Intrusion Detection System; Scenario-based Approximation; Similarity-based Algorithm; Statistical Algorithm