Safaa O. Al-Mamory, Hong Li Zhang
School of Computer Science, Harbin Institute of Technology, Harbin, China
Safaa_vb@yahoo.com, zhl@pact518.hit.edu.cn

Abstract

Intrusion alert correlation techniques correlate alerts into meaningful groups or attack scenarios so that human analysts can understand them more easily. These correlation techniques have different strengths and limitations. However, all of them depend heavily on the underlying network intrusion detection systems (NIDSs) and perform poorly when the NIDSs miss critical attacks. In this paper, a system is proposed that represents a set of alerts as subattacks, correlates these subattacks, and generates abstracted correlation graphs (CGs) that reflect attack scenarios. It also represents attack scenarios by classes of alerts instead of the alerts themselves, which reduces the number of rules required and allows new variations of attacks to be detected. The experiments were conducted using Snort as the NIDS with different datasets that contain multistep attacks. The resulting CGs imply that our method can correlate related alerts, uncover the attack strategies, and detect new variations of attacks.
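The following toy implementation is an added illustration of the idea sketched in the abstract (grouping NIDS alerts into subattacks, correlating them by alert class, and reading attack scenarios off the resulting correlation graph); it is not the paper's system. The signature names, the signature-to-class mapping, the class-level correlation rules and the sample alerts are all constructed assumptions for this example.

```python
"""Toy alert-class correlation (added example, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical mapping from NIDS signature name to an abstract alert class.
# Two different exploit signatures map to the same class, so a class-level
# rule covers a variant the rule author never saw.
SIGNATURE_CLASS: Dict[str, str] = {
    "scan_icmp_sweep": "recon",
    "scan_tcp_syn": "recon",
    "exploit_ftp_overflow": "exploit",
    "exploit_rpc_overflow": "exploit",
    "shell_inbound_cmd": "compromise",
}

# Assumed class-level rules: a later subattack of class B against a host is
# correlated with an earlier subattack of class A against the same host.
CLASS_RULES: List[Tuple[str, str]] = [
    ("recon", "exploit"),
    ("exploit", "compromise"),
]

# Constructed Snort-like alerts: (timestamp_s, signature, src_ip, dst_ip).
SAMPLE_ALERTS = [
    (10, "scan_icmp_sweep", "198.51.100.7", "192.0.2.20"),
    (12, "scan_tcp_syn", "198.51.100.7", "192.0.2.20"),
    (15, "scan_tcp_syn", "198.51.100.7", "192.0.2.21"),
    (40, "exploit_rpc_overflow", "198.51.100.7", "192.0.2.20"),
    (55, "shell_inbound_cmd", "198.51.100.7", "192.0.2.20"),
    (300, "scan_icmp_sweep", "203.0.113.9", "192.0.2.30"),  # unrelated scan
]


@dataclass
class Subattack:
    """One node of the correlation graph: a set of alerts of one class."""
    cls: str
    src: str
    dst: str
    first: int
    last: int
    alerts: List[str] = field(default_factory=list)


def build_subattacks(alerts, window: int = 60) -> List[Subattack]:
    """Merge alerts of the same class between the same hosts that fall within
    `window` seconds of each other into a single subattack node."""
    subattacks: List[Subattack] = []
    for ts, sig, src, dst in sorted(alerts):
        cls = SIGNATURE_CLASS.get(sig)
        if cls is None:
            continue  # unknown signature: no class, so nothing to correlate
        for sa in subattacks:
            if (sa.cls, sa.src, sa.dst) == (cls, src, dst) and ts - sa.last <= window:
                sa.last = ts
                sa.alerts.append(sig)
                break
        else:
            subattacks.append(Subattack(cls, src, dst, ts, ts, [sig]))
    return subattacks


def correlate(subattacks: List[Subattack]) -> List[Tuple[int, int]]:
    """Return CG edges (i, j): subattack i ends before j starts, both target
    the same host, and the class pair is allowed by CLASS_RULES."""
    edges = []
    for i, a in enumerate(subattacks):
        for j, b in enumerate(subattacks):
            if i != j and a.dst == b.dst and a.last <= b.first \
                    and (a.cls, b.cls) in CLASS_RULES:
                edges.append((i, j))
    return edges


def scenarios(subattacks, edges) -> List[List[str]]:
    """Read attack scenarios off the CG as root-to-leaf class sequences."""
    succ = defaultdict(list)
    has_pred = set()
    for i, j in edges:
        succ[i].append(j)
        has_pred.add(j)
    paths: List[List[int]] = []

    def walk(node, path):
        if not succ[node]:
            paths.append(path)
            return
        for nxt in succ[node]:
            walk(nxt, path + [nxt])

    for i in range(len(subattacks)):
        if i not in has_pred and succ[i]:  # roots that lead somewhere
            walk(i, [i])
    return [[subattacks[k].cls for k in p] for p in paths]


if __name__ == "__main__":
    sas = build_subattacks(SAMPLE_ALERTS)
    cg = correlate(sas)
    print(len(sas), "subattacks; CG edges:", cg)
    print("scenarios:", scenarios(sas, cg))
```

Note that the RPC exploit alert is correlated with the preceding scan even though no rule mentions that signature: the rule is written against the `exploit` class, which is the abstraction the abstract credits with catching new attack variants. The unrelated scan of a third host stays an isolated node and yields no scenario.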