• DocumentCode
    589792
  • Title
    Real-time attack scenario detection via intrusion detection alert correlation
  • Author
    Zali, Z. ; Hashemi, Mohammed R. ; Saidi, Hossein
  • Author_Institution
    Electr. & Comput. Eng., Isfahan Univ. of Technol., Isfahan, Iran
  • fYear
    2012
  • fDate
    13-14 Sept. 2012
  • Firstpage
    95
  • Lastpage
    102
  • Abstract
    Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems in order to determine the attack scenarios and their main motivations. The main purpose of this paper is to propose a new IDS alert correlation method that detects attack scenarios in real time. The proposed method is based on the causal approach, because causal methods have proven strong in practice. Most causal methods can be deployed offline but not in real time, due to time and memory limitations. In the proposed method, the knowledge base of attack patterns is represented in a graph model called the Causal Relations Graph. Offline, we construct trees related to the probable correlations of alerts. In real time, for each received alert we can find its correlations with previously received alerts by searching only the corresponding tree, so the processing time per alert decreases significantly. In addition, the proposed method is immune to deliberately slowed attacks. To verify the proposed method, it was implemented in C++ and tested on the DARPA2000 dataset. Experimental results show the correctness of the proposed alert correlation and its efficiency with respect to run time.
  • Keywords
    C++ language; computer network security; knowledge based systems; real-time systems; trees (mathematics); C++ implementation; DARPA 2000 dataset; IDS alert correlation method; attack patterns; causal approach; causal methods; causal relations graph; graph model; intrusion detection alert correlation; intrusion detection systems; knowledge base representation; real-time attack scenario detection; trees; Algorithm design and analysis; Correlation; IP networks; Knowledge based systems; Memory management; Real-time systems; Security; Alert; Alert Correlation; Attack; Attack Scenario; Graph; Intrusion; Intrusion Detection System;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Security and Cryptology (ISCISC), 2012 9th International ISC Conference on
  • Conference_Location
    Tabriz
  • Print_ISBN
    978-1-4673-2387-1
  • Type
    conf
  • DOI
    10.1109/ISCISC.2012.6408197
  • Filename
    6408197