Intrusion Alerts Analysis Using Attack Graphs and Clustering

Patel, Hardik

doi:10.31979/etd.d3wx-m9xx

Cited by 2 publications

(1 citation statement)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In another scenario with lesser distinct outliers the false positives were reduced by 16%. For Contribution 2, it is acknowledged that Patel (2009) first proposed clustering meta-alerts however we improve on this by using more robust data structures and clustering approaches. To achieve this we adapt data structures from graph based analysis.…”

Section: Contributionsmentioning

confidence: 99%

Intrusion alert prioritisation and attack detection using post-correlation analysis

Shittu

Healing

Ghanea-Hercock

et al. 2015

Computers & Security

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version.Permanent repository link: http://openaccess.city.ac.uk/8680/ Link to published version: http://dx. AbstractEvent Correlation used to be a widely used technique for interpreting alert logs and discovering network attacks. However, due to the scale and complexity of today's networks and attacks, alert logs produced by these modern networks are much larger in volume and difficult to analyse. In this research we show that adding post-correlation methods can be used alongside correlation to significantly improve the analysis of alert logs.We proposed a new framework titled A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). The post-correlation methods include a new prioritisation metric based on anomaly detection and a novel approach to clustering events using correlation knowledge. One of the key benefits of the framework is that it significantly reduces false-positive alerts and it adds contextual information to true-positive alerts.We evaluated the post-correlation methods of ACSAnIA using data from a 2012 cyber range experiment carried out by industrial partners of the British Telecom SATURN programme. In one scenario, our results show that falsepositives were successfully reduced by 97% and in another scenario, 16%. It also showed that clustering correlated alerts aided in attack detection.The proposed framework is also being developed and integrated into a preexisting Visual Analytic tool developed by the British Telecom SATURN Research Team for the analysis of cyber security data.

show abstract

Section: Contributionsmentioning

confidence: 99%