DocumentCode
2238844
Title
An Intrinsic Graphical Signature Based on Alert Correlation Analysis for Intrusion Detection
Author
Pao, Hsing-Kuo ; Mao, Ching-Hao ; Lee, Hahn-Ming ; Chen, Chi-Dong ; Faloutsos, Christos
Author_Institution
Comput. Sci. & Inf. Eng., Nat. Taiwan Univ. of Sci. & Technol., Taipei, Taiwan
fYear
2010
fDate
18-20 Nov. 2010
Firstpage
102
Lastpage
109
Abstract
We propose a graphical signature for intrusion detection given alert sequences. By correlating alerts with their temporal proximity, we build a probabilistic graph-based model to describe a group of alerts that form an attack or normal behavior. Using the models, we design a pairwise measure based on manifold learning to measure the dissimilarities between different groups of alerts. A large dissimilarity implies different behaviors between the two groups of alerts. Such a measure can therefore be combined with regular classification methods for intrusion detection. We evaluate our framework mainly on Acer 2007, a private dataset gathered from a well-known Security Operation Center in Taiwan. The performance on the real data suggests that the proposed method can achieve high detection accuracy. Moreover, the graphical structures and the representation from manifold learning naturally provide a visualized result suitable for further analysis by domain experts.
Keywords
digital signatures; graph theory; learning (artificial intelligence); Acer 2007; alert correlation analysis; intrinsic graphical signature; intrusion detection; manifold learning; probabilistic graph-based model; security operation center; Isomap; Markov model; alert correlation; correlation graph; intrusion detection;
fLanguage
English
Publisher
ieee
Conference_Titel
Technologies and Applications of Artificial Intelligence (TAAI), 2010 International Conference on
Conference_Location
Hsinchu City
Print_ISBN
978-1-4244-8668-7
Electronic_ISBN
978-0-7695-4253-9
Type
conf
DOI
10.1109/TAAI.2010.27
Filename
5695439