Alert Correlation through Triggering Events and Common Resources

Dingbang Xu
North Carolina State University

Peng Ning
North Carolina State University

Complementary security systems are widely deployed in networks to
better protect digital assets. Alert correlation is essential to
understand the security threats and take appropriate actions. This
paper proposes a novel correlation approach based on triggering
events and common resources. One of the key concepts in our
approach is triggering events, which are the (low-level) events that
trigger alerts. By grouping alerts that share "similar"
triggering events, a set of alerts can be partitioned into different
clusters such that the alerts in the same cluster may correspond to
the same attack.
Our approach further examines whether the alerts in each cluster are
consistent with relevant network and host configurations,
which help analysts to partially identify the severity of alerts and
clusters. The other key concept in our approach is input and output
resources. Intuitively, input resources are the necessary
resources for an attack to succeed, and output resources are
the resources that an attack supplies if successful. This paper
proposes to model each attack through specifying input and output
resources. By identifying the "common" resources between output
resources of one attack and input resources of another, it discovers
causal relationships between alert clusters and builds attack
scenarios. The preliminary experimental results demonstrate the
usefulness of the proposed techniques.

Keywords: intrusion detection, intrusion alert correlation

Read Paper Read Paper (in PDF)