• DocumentCode
    1626573
  • Title
    Frequent item set mining-based alert correlation for extracting multi-stage attack scenarios
  • Author
    Lagzian, S. ; Amiri, F. ; Enayati, A. ; Gharaee, Hossein
  • Author_Institution
    Network Security Group, Iran Telecommun. Res. Center, Tehran, Iran
  • fYear
    2012
  • Firstpage
    1010
  • Lastpage
    1014
  • Abstract
    Intrusion detection systems are one of the most useful security tools in computer networks. Although these systems are successful security technologies, they face some problems. Alert correlation is one of the methods for dealing with these problems. A correlation engine extracts useful, high-level information and is effective for timely decision-making when network intrusions occur. In this paper, we propose a new framework for real-time alert correlation that consists of two phases: an Alert Preprocessing Phase and a Scenario Constructing Phase. In our structure, we aggregate alerts into graph structures and then extract unknown attack scenarios by mining frequent structure patterns. This method is based on the observation that most alerts have frequent and sequential characteristics, so frequent item set mining methods can be used to extract attack scenarios. Our algorithm is efficient in memory and time consumption. To evaluate our algorithm we used the DARPA2000 dataset. The results show that our proposed algorithm can extract the attack scenarios exactly.
  • Keywords
    computer network security; data mining; DARPA2000 dataset; alert preprocessing phase; attack scenario extraction; computer networks; correlation engine; frequent item set mining methods; frequent item set mining-based alert correlation; graph structures; high-level information; memory consumption; mining frequent structure patterns; multistage attack scenarios; network intrusions; real-time alert correlation; scenario constructing phase; security tools; time consumption; Conferences; Correlation; Data mining; Databases; Intrusion detection; Real-time systems; alert correlation; frequent pattern; multi-stage attack scenario; stream mining;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Telecommunications (IST), 2012 Sixth International Symposium on
  • Conference_Location
    Tehran
  • Print_ISBN
    978-1-4673-2072-6
  • Type
    conf
  • DOI
    10.1109/ISTEL.2012.6483134
  • Filename
    6483134