Using Cluster and Correlation to Construct Attack Scenarios
| Field | Value |
|---|---|
| Main authors | , , , |
| Format | Conference paper |
| Language | eng |
| Subject headings | |
| Online access | Order full text |
| Abstract | Nowadays, it is becoming more and more important to construct high-level attack scenarios from the low-level intrusion alerts reported by intrusion detection systems (IDSs). Several methods have been proposed to address this problem. These methods have different strengths, but they also have different limitations. In order to build complicated attack processes accurately, this paper uses clustering and correlation techniques to construct high-level attack scenarios. A fuzzy clustering algorithm based on the similarity of attack attributes is proposed to classify the alerts generated by IDSs. Then, within every alert class, an alert correlation method based on the prerequisites and consequences of attacks is used to construct attack scenarios. Finally, to obtain whole attack graphs, this paper hypothesizes and reasons about attacks that may have been missed, based on the equality constraint and causal relation between intrusion alerts. The experimental results on LLS DDOS2.0 prove that the method is useful and effective. |
| DOI | 10.1109/CW.2008.94 |