
Study On Method Of Network Multi-stage Attack Plan Recognition

Posted on: 2008-11-15
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Wang
Full Text: PDF
GTID: 1118360272466872
Subject: Computer system architecture
Abstract/Summary:
The information security industry has been very active in recent years. To counter threats to computer systems and networks, many technologies such as IDS, firewalls and routers have been developed and applied in security operations. All of these security devices, whether aimed at preventing or detecting attacks, usually generate huge volumes of security audit data. Deploying information security systems can provide in-depth protection for networks; however, the large volume of security data produced by different security sensors can overwhelm security managers and keep them from performing effective analysis and initiating a timely response. It is therefore important to develop an advanced alert correlation system that can reduce alert redundancy, intelligently correlate security alerts and detect attack strategies.

In this paper, security event correlation methods are classified into four classes according to the problems they solve: aggregation correlation, cross correlation, multi-stage attack correlation, and others. Among these, multi-stage attack correlation methods, which aim at correlating security alerts and discovering attack strategies, are important correlation methods. Several techniques have been proposed to analyze attack scenarios from security alerts. However, most of these approaches depend on complex correlation rule definitions and hard-coded domain knowledge, which makes them difficult to implement and limits their ability to detect new attack strategies.

A new multi-stage attack correlation method based on the analysis of high-level alerts is proposed to overcome these limitations. The technique first analyzes multi-stage attack activity patterns with an attack sequential pattern mining method, then correlates the alerts that conform to a mined attack sequential pattern using a quantitative method.
The approach first uses an RCI aggregation method to aggregate the raw alerts into high-level alerts; in the experiment, the RCI module reduced the number of alerts by 95.5%.

A modified AprioriAll algorithm, MASP (Mining Attack Sequence Patterns), is also presented to mine attack sequence patterns from a candidate attack sequence database. The idea of mining attack sequential patterns comes from the observation that the multi-stage attack strategy taken by an attacker usually follows a relatively fixed attack pattern and happens within a confined time span. Different attack activities in a multi-stage attack have their own attack sequential patterns, and the series of behaviors an attacker launches with a certain intent is temporally consecutive and appears as an ordered sequence. The method considers only the attack-type attribute of the alerts and does not rely on any correlation rules, so it is easy to implement. Experiments show that the method can effectively mine attack behavior patterns from a history database, and that the relative execution time of MASP increases as the minimum support decreases and as the attack scenario time window expands. After improvement, the performance of the algorithm is 1.7 to 10 times higher.

A new kind of tree structure, the APT (Attack Pattern Tree), is used to store the attack occurrence patterns mined from the history data. A new concept, correlativity, is also proposed; it reflects the reliability with which two alerts raised by two contextual attack behaviors occurring within a certain time interval belong to the same attack scenario. With online attack occurrence pattern matching and correlativity calculation, real-time attack scenario construction is achieved. The approaches are evaluated with the DARPA 2000 data sets and live data collected from our network center.
Experiments show that the approach can effectively construct attack scenarios and can predict the attack behavior 3.31 steps ahead on average. The detection rate reaches 94%. Further analysis reveals that the missed detections are caused mainly by two other kinds of multi-stage attacks that were performed during the test but did not appear in the pattern mining experiment. Collecting more complete history data can solve the problem, and the security manager can also add new types of attack patterns manually to update the attack sequence pattern database.
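As an added illustration (not code from the dissertation), the following Python sketch shows the two core steps of the approach described above: building a candidate attack sequence database from a time-ordered stream of high-level alerts, mining frequent attack sequential patterns from it with an AprioriAll-style level-wise algorithm that looks only at the attack-type attribute, and then matching an in-progress alert prefix against the mined patterns to predict the remaining steps of the scenario. The alert stream, the attack-type names, the scenario time window and the minimum support are constructed assumptions; the RCI aggregation step and the correlativity calculation are not modelled here.

```python
# Constructed sample stream of high-level (already aggregated) alerts as (seconds, attack_type):
# three complete five-step scenarios, one scenario cut off after three steps, one stray alert.
ALERTS = [
    (0, "IPSweep"), (10, "ServiceProbe"), (25, "RemoteExploit"), (40, "Backdoor"), (60, "DDoS"),
    (500, "IPSweep"), (520, "ServiceProbe"), (530, "RemoteExploit"), (590, "Backdoor"), (640, "DDoS"),
    (1200, "IPSweep"), (1210, "ServiceProbe"), (1260, "RemoteExploit"),
    (2000, "PortScan"),
    (3000, "IPSweep"), (3015, "ServiceProbe"), (3030, "RemoteExploit"), (3050, "Backdoor"), (3090, "DDoS"),
]

def candidate_sequences(alerts, max_gap):
    """Build the candidate attack sequence database: alerts are kept in time order and a
    new sequence starts whenever the gap to the previous alert exceeds the scenario window."""
    seqs, cur, last = [], [], None
    for t, a in sorted(alerts):
        if last is not None and t - last > max_gap:
            seqs.append(cur)
            cur = []
        cur.append(a)
        last = t
    if cur:
        seqs.append(cur)
    return seqs

def is_subsequence(pattern, seq):
    """AprioriAll containment test: pattern occurs in seq in order, gaps allowed."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)

def mine_patterns(seqs, min_support):
    """Level-wise AprioriAll-style mining over attack-type sequences only (no correlation
    rules). Returns {pattern_tuple: support} for every frequent attack sequential pattern."""
    items = sorted({a for s in seqs for a in s})
    frequent, level = {}, [(a,) for a in items]
    while level:
        counted = {p: sum(is_subsequence(p, s) for s in seqs) for p in level}
        this_level = {p: c for p, c in counted.items() if c >= min_support}
        frequent.update(this_level)
        # join step: extend p by item a only if the (k-1)-suffix p[1:] + (a,) is itself frequent
        level = [p + (a,) for p in this_level for a in items if p[1:] + (a,) in this_level]
    return frequent

def predict_remaining(frequent, observed):
    """Match an in-progress scenario prefix against the mined patterns (the Attack Pattern
    Tree lookup) and return the remaining steps of the longest, best-supported match."""
    observed = tuple(observed)
    matches = [p for p in frequent if len(p) > len(observed) and p[:len(observed)] == observed]
    best = max(matches, key=lambda p: (len(p), frequent[p]), default=None)
    return best[len(observed):] if best else ()
```

With a 100-second window and a minimum support of 3, the stray PortScan alert never becomes a pattern, and an observed IPSweep followed by ServiceProbe is predicted to continue with three further steps.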
Keywords/Search Tags: Network security, Attack scenario construction, Attack plan recognition, Attack behavior sequential pattern, Correlativity