Frequent item set mining-based alert correlation for extracting multi-stage attack scenarios
Saved in:

Field | Value
---|---
Main Authors: | Lagzian, S.; Amiri, F.; Enayati, A.; Gharaee, H.
Format: | Conference Proceeding
Language: | English
Subjects: | alert correlation; Conferences; Correlation; Data mining; frequent pattern; Intrusion detection; multi-stage attack scenario; Real-time systems; stream mining
Online Access: | Request full text
Field | Value
---|---
container_start_page | 1010
container_end_page | 1014
creator | Lagzian, S.; Amiri, F.; Enayati, A.; Gharaee, H.
description | Intrusion detection systems are one of the most useful security tools in computer networks. Although these systems are successful security technologies, they face some problems. Correlation of alerts is one method of dealing with these problems. A correlation engine extracts useful, high-level information and is effective for timely decisions when network intrusions happen. In this paper, we propose a new framework for real-time alert correlation which consists of two phases: an Alert Preprocessing Phase and a Scenario Constructing Phase. In our structure, we aggregate alerts into graph structures and then extract unknown attack scenarios by mining frequent structure patterns. This method is based on the observation that most alerts have frequent and sequential characteristics, so we can use frequent item set mining methods for extracting attack scenarios. Our algorithm is efficient in memory and time consumption. For evaluation of our algorithm we used the DARPA2000 dataset. The results show that our proposed algorithm can extract the attack scenarios exactly.
doi_str_mv | 10.1109/ISTEL.2012.6483134
format | conference_proceeding
fulltext | fulltext_linktorsrc |
identifier | ISBN: 1467320722 |
ispartof | 6th International Symposium on Telecommunications (IST), 2012, p.1010-1014 |
language | eng |
recordid | cdi_ieee_primary_6483134 |
source | IEEE Electronic Library (IEL) Conference Proceedings |
subjects | alert correlation; Conferences; Correlation; Data mining; frequent pattern; Intrusion detection; multi-stage attack scenario; Real-time systems; stream mining |
title | Frequent item set mining-based alert correlation for extracting multi-stage attack scenarios |