Bateni, M., Baraani, A., Ghorbani, A.A., Rezaei, A. International Journal of Innovative Computing, Information and Control (13494198) 9(1) pp. 231-255
There are many different approaches to alert correlation, such as using correlation rules and prerequisite-consequence relations, using machine learning and statistical methods, and using similarity measures. In this paper, iCorrelator, a new AIS-inspired architecture, is presented. It uses a three-layer architecture that is inspired by three types of responses in the human immune system: the innate immune system's response, the adaptive immune system's primary response, and the adaptive immune system's secondary response. In comparison with other correlators, iCorrelator does not need information about different attacks and their possible relations in order to discover an attack scenario. It uses a very limited number of general rules that are not related to any specific attack scenario. A process of incremental learning is used to handle new attacks. Therefore, iCorrelator is easy to set up and works dynamically without reconfiguration. As a result of using memory cells and an improved alert selection policy, the computational cost of iCorrelator is also acceptable even for online correlation. iCorrelator is evaluated using the DARPA 2000 dataset and netForensics honeynet data. The completeness, soundness, false correlation rate and execution time are reported. Results show that iCorrelator is able to extract the attack graphs with acceptable accuracy that is comparable to the best known solutions. © 2013 ICIC International.
International Journal of Network Security (discontinued) (1816353X) 15(3) pp. 160-174
One of the most important challenges facing intrusion detection systems (IDSs) is the huge number of generated alerts. A system administrator will be overwhelmed by these alerts in such a way that she/he cannot manage and use them. The best-known solution is to correlate low-level alerts into a higher-level attack and then produce a high-level alert for them. In this paper a new automated alert correlation approach is presented. It employs Fuzzy Logic and an Artificial Immune System (AIS) to discover and learn the degree of correlation between two alerts and uses this knowledge to extract the attack scenarios. The proposed system does not need vast domain knowledge or rule definition efforts. To correlate each new alert with previous alerts, the system first tries to find the correlation probability based on its fuzzy rules. Then, if no rule matches with the required matching threshold, it uses the AIRS algorithm. The system is evaluated using the DARPA 2000 dataset and netForensics honeynet data. The completeness, soundness and false alert rate are calculated. The average completeness for LLDoS 1.0 and LLDoS 2.0 is 0.957 and 0.745, respectively. The system generates the attack graphs with acceptable accuracy, and the computational complexity of the probability assignment algorithm is linear.
International Journal of Bio-Inspired Computation (17580374) 4(3) pp. 181-195
High volumes of low-level alerts generated by intrusion detection systems (IDSs) are a serious obstacle to using them effectively. These high volumes of alerts overwhelm system administrators in such a way that they cannot manage and interpret them. Alert correlation is used to reduce the number of alerts and increase their level of abstraction. It selects a group of low-level alerts, converts them into a higher-level attack and then produces a high-level alert for them. In this paper, a new artificial immune system-based alert correlation system is presented, named AISAC. It learns the correlation probability between each pair of alert types and uses this knowledge to extract the attack scenarios. AISAC does not need intensive domain knowledge or rule definition efforts. It also does not need the extracted knowledge to be updated manually. The computational cost of the learning algorithm is linear, and the initial learning is done with a very limited amount of general data in offline mode. AISAC is evaluated using DARPA 2000 and netForensics honeynet data. Results show that although it uses a relatively simple algorithm, it generates the attack graphs with acceptable accuracy. © 2012 Inderscience Enterprises Ltd.