Remember Me
Or use your Academic/Social account:


Or use your Academic/Social account:


You have just completed your registration at OpenAire.

Before you can login to the site, you will need to activate your account. An e-mail will be sent to you with the proper instructions.


Please note that this site is currently undergoing Beta testing.
Any new content you create is not guaranteed to be present to the final version of the site upon release.

Thank you for your patience,
OpenAire Dev Team.

Close This Message


Verify Password:
Verify E-mail:
*All Fields Are Required.
Please Verify You Are Human:
fbtwitterlinkedinvimeoflicker grey 14rssslideshare1
Shittu, R.; Healing, A.; Ghanea-Hercock, R.; Bloomfield, R. E.; Rajarajan, M. (2015)
Publisher: Elsevier
Languages: English
Types: Article
Subjects: QA75
Event Correlation used to be a widely used technique for interpreting alert logs and discovering network attacks. However, due to the scale and complexity of today's networks and attacks, alert logs produced by these modern networks are much larger in volume and difficult to analyse. In this research we show that adding post-correlation methods can be used alongside correlation to significantly improve the analysis of alert logs.\ud \ud We proposed a new framework titled A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). The post-correlation methods include a new prioritisation metric based on anomaly detection and a novel approach to clustering events using correlation knowledge. One of the key benefits of the framework is that it significantly reduces false-positive alerts and it adds contextual information to true-positive alerts.\ud \ud We evaluated the post-correlation methods of ACSAnIA using data from a 2012 cyber range experiment carried out by industrial partners of the British Telecom Security Practice Team. In one scenario, our results show that false-positives were successfully reduced by 97% and in another scenario, 16%. It also showed that clustering correlated alerts aided in attack detection.\ud \ud The proposed framework is also being developed and integrated into a pre-existing Visual Analytic tool developed by the British Telecom SATURN Research Team for the analysis of cyber security data.
  • The results below are discovered through our pilot algorithms. Let us know how we are doing!

    • Aggarwal, C. C., Zhao, Y., Yu, P. S., 2010. On Clustering Graph Streams. Proceedings of the 2010 SIAM International Conference on Data Mining, 478{489.
    • Ahmadinejad, S. H., Jalili, S., 2009. Alert Correlation Using Correlation Probability Estimation and Time Windows. 2009 International Conference on Computer Technology and Development (1), 170{175.
    • Alienvault, 2013. AlienVault Uni ed Security Management. URL http://www.alienvault.com/solutions/siem-event-correlation
    • Alireza Sadighian, J. M. F., 2013. ONTIDS: A highly exible context-aware and ontology-based alert correlation framework.
    • Alsubhi, K., Aib, I., Boutaba, R., 2012. FuzMet : a fuzzy-logic based alert prioritization engine for intrusion detection systems. International Journal of Network Management 22 (4), 263{284.
    • Alsubhi, K., Al-Shaer, E., Boutaba, R., 2008. Alert prioritization in Intrusion Detection Systems. NOMS 2008 - 2008 IEEE Network Operations and Management Symposium, 33{40.
    • Benferhat, S., Boudjelida, A., Tabia, K., Drias, H., 2013. An intrusion detection and alert correlation approach based on revising probabilistic classi ers using expert knowledge. Applied intelligence 38 (4), 520{540.
    • Breunig, M. M., Kriegel, H.-p., Ng, R. T., Sander, J., 2000. LOF : Identifying Density-Based Local Outliers. Proceedings Of The 2000 Acm Sigmod International Conference On Management Of Data, 1{12.
    • Cedric Michel, L. M., 2001. Adele: An Attack Description Language For Knowledge-Based Intrusion Detection. Trusted Information, 353{368.
    • Chen, S., Leung, H., Dondo, M., May 2014. Characterization of computer network events through simultaneous feature selection and clustering of intrusion alerts. In: Braun, J. J. (Ed.), SPIE Sensing Technology + Applications. International Society for Optics and Photonics, p. 912107.
    • Cheung, S., Fong, M. W., Ave, R., Park, M., 2003. Modeling Multistep Cyber Attacks for Scenario Recognition. In DARPA Information Survivability Conference and Exposition (DISCEX III) (DISCEX III), 284{292.
    • Cuppens, F., Ortalo, R., Oct. 2000. LAMBDA: A Language to Model a Database for Detection of Attacks. Recent advances in intrusion detection. Springer Berlin Heidelberg, 197{216.
    • Dain, O., Cunningham, R. K., 2001. Fusing a Heterogeneous Alert Stream into Scenarios. In Proceedings of the 2001 ACM workshop on Data Mining for Security Applications, 1{13.
    • Debar, H., Wespi, A., 2001. Aggregation and Correlation of Intrusion-Detection Alerts. Recent Advances in Intrusion Detection., 85{103.
    • Ester, M., Kriegel, H.-p., Xu, X., Miinchen, D., 1996. A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise. KDD 96.
    • Khan, A., Yan, X., Wu, K.-L., 2010. Towards proximity pattern mining in large graphs. Proceedings of the 2010 international conference on Management of data - SIGMOD '10, 867.
    • Lagzian, S., 2012. Frequent Item set mining-based Alert Correlation for Extracting multi-stage Attack Scenarios. IEEE Telecommunications (IST), 2012 Sixth International Symposium, 1010{1014.
    • Marchetti, M., Colajanni, M., Manganiello, F., 2011. Identi cation of correlated network intrusion alerts Pseudo-Bayesian. Cyberspace Safety and Security (CSS), 2011 Third International Workshop on, 15{20.
    • Ning, P., Reeves, D. S., Cui, Y., 2001. Correlating Alerts Using Prerequisites of Intrusions. Tech. rep., North Carolina State University, Raleigh NC,.
    • Ning, P., Xu, D., 2003. Learning attack strategies from intrusion alerts. Proceedings of the 10th ACM conference on Computer and communication security - CCS '03, 200.
    • Noel, S., Jajodia, S., 2007. Attack Graphs for Sensor Placement , Alert Prioritization , and Attack Response. Cyberspace Research Workshop, 1{8.
    • Pokrajac, D., Hartford, E., 2007. Incremental Local Outlier Detection for Data Streams. Computational Intelligence and Data Mining, 2007. CIDM 2007. IEEE Symposium on (April).
    • Porras, P. A., Fong, M. W., Valdes, A., 2002. A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. Recent Advances in Intrusion Detection (Springer Berlin Heidelberg), 95{114.
    • Qin, X., 2005. A Probabilistic-Based Framework for INFOSEC Alert Correlation. Ph.D. thesis, Georgia Institute of Technology.
    • Ren, H., Stakhanova, N., Ghorbani, A. A., 2010. An Online Adaptive Approach to Alert Correlation. Proceedings of the 7th international conference on Detection of Intrusions and malware, and vulnerability assessment (DIMVA), 153{172.
    • Rowlingson, R., Healing, A., Shittu, R., Matthews, S. G., Ghanea-Hercock, R., 2013. Visual Analytics in the Cyber Security Operations Centre. Proceedings of The Information Systems Technology Panel Symposium on Visual Analytics.
    • Sadoddin, R., Ghorbani, A. a., May 2009. An incremental frequent structure mining framework for real-time alert correlation. Computers & Security 28 (3- 4), 153{173.
    • Salah, S., Macia-Fernandez, G., D az-Verdejo, J. E., Jan. 2013. A model-based survey of alert correlation techniques. Computer Networks.
    • Shapiro, L. G., Haralick, R. M., May 1981. Structural descriptions and inexact matching. IEEE transactions on pattern analysis and machine intelligence 3 (5), 504{19.
    • Shittu, R., Healing, A., Ghanea-hercock, R., Bloom eld, R., 2014. OutMet : A New Metric for Prioritising Intrusion Alerts using Correlation and Outlier Analysis. 19th IEEE Conference on Local Computer Networks.
    • Steven Eckmann , G. V., 2002. STATL: An Attack Language for State-based Intrusion Detection. Journal of Computer Security 10 (1), 71{103.
    • Sundaramurthy, S. C., Zomlot, L., Ou, X., 2011. Practical IDS alert correlation in the face of dynamic threats. International Conference on Security and Management (SAM'11).
    • Tekhov, R., 2009. Graph Edit Distance Project. Tech. rep.
    • Valdes, A., Skinner, K., 2001. Probabilistic Alert Correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, 54{68.
    • Verizon, 2013. Data Breach Investigations Report. URL http://www.verizonenterprise.com/DBIR/2013/
    • Winter, H., 2012. System security assessment using a cyber range. 7th IET International Conference on System Safety, incorporating the Cyber Security Conference 2012, 41{41.
    • Yan, X., 2002. gSpan: graph-based substructure pattern mining. 2002 IEEE International Conference on Data Mining, 2002. Proceedings. (d), 721{724.
    • Zali, Z., Hashemi, M. R., Saidi, H., Aug. 2013. Real-Time Intrusion Detection Alert Correlation and Attack Scenario Extraction Based on the PrerequisiteConsequence Approach.
    • Zomlot, L., Sundaramurthy, S. C., Luo, K., Ou, X., Rajagopalan, S. R., 2011. Prioritizing intrusion analysis using Dempster-Shafer theory. Proceedings of the 4th ACM workshop on Security and arti cial intelligence - AISec '11, 59.
  • Inferred research data

    The results below are discovered through our pilot algorithms. Let us know how we are doing!

    Title Trust
  • Discovered through pilot similarity algorithms. Send us your feedback.

Share - Bookmark

Cite this article