A Toolkit for Intrusion Alerts Correlation based on Prerequisites and Consequences of Attacks
Date
2002-12-19
Abstract
Intrusion Detection has been studied for about twenty years. Intrusion Detection Systems (IDSs) are usually considered the second line of defense against malicious activities, complementing prevention-based security mechanisms such as authentication and access control. However, traditional IDSs have two major weaknesses. First, they usually focus on low-level attacks or anomalies and raise alerts independently, even though there may be logical connections between them. Second, traditional IDSs report a large number of false alerts, which are mixed in with the true alerts. As a result, intrusion analysts and system administrators are often overwhelmed by the volume of alerts.
Motivated by this observation, we propose a technique to construct high-level attack scenarios by correlating low-level intrusion alerts using their prerequisites and consequences. The prerequisite of an alert specifies what must be true in order for the corresponding attack to succeed, and the consequence describes what is possibly true if the attack indeed succeeds. We conjecture that alerts that are correlated with others are more likely to be true alerts than uncorrelated ones. If this holds, the correlation not only constructs high-level attack scenarios but also helps differentiate true alerts from false alerts.
In this thesis work, I implement an alert correlation tool based on this framework. It consists of the following components: a knowledge base, an alert preprocessor, an alert correlation engine, and a graph output component. To further facilitate the analysis of large volumes of intrusion alerts, I develop three utilities: adjustable graph reduction, focused analysis, and graph decomposition. I also perform a series of experiments to evaluate these techniques using the DARPA 2000 evaluation datasets and the DEFCON 8 CTF dataset. The experimental results show that the proposed techniques are effective. First, we successfully construct the attack scenarios behind the low-level alerts; second, the false alert rate is significantly reduced once attention is focused on alerts that are correlated with others; third, the three utilities greatly reduce the complexity of the correlated alerts while preserving their structure.
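The following is an added illustration of the prerequisite/consequence correlation the abstract describes; it is not the thesis toolkit's code. The knowledge base, the predicate names (ExistHost, ExistService, GainAccess, ReadyForDDoS), the alert types and the sample alerts are all constructed for this example. An earlier alert "prepares for" a later one when an instantiated consequence predicate of the earlier alert matches an instantiated prerequisite predicate of the later one; alerts that end up with no edges are the candidates for false positives, and a type-level reduction of the graph stands in for the adjustable graph reduction utility.

```python
"""Toy prerequisite/consequence alert correlator (added example, not the thesis toolkit)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed knowledge base: alert type -> (prerequisite predicates, consequence predicates).
# Predicates are templates that get filled in from the alert's own attributes.
KNOWLEDGE_BASE: Dict[str, Tuple[Set[str], Set[str]]] = {
    "ICMP_PING":          (set(),
                           {"ExistHost({DestIP})"}),
    "PORT_SCAN":          ({"ExistHost({DestIP})"},
                           {"ExistService({DestIP},{DestPort})"}),
    "SERVICE_EXPLOIT":    ({"ExistService({DestIP},{DestPort})"},
                           {"GainAccess({DestIP})"}),
    "INSTALL_DDOS_AGENT": ({"GainAccess({DestIP})"},
                           {"ReadyForDDoS({DestIP})"}),
}


@dataclass
class Alert:
    id: int
    type: str
    ts: int                 # timestamp (seconds); ordering matters for correlation
    attrs: Dict[str, str]   # SrcIP, DestIP, DestPort as reported by the sensor


def instantiate(templates: Set[str], attrs: Dict[str, str]) -> Set[str]:
    """Fill predicate templates with the alert's attribute values."""
    return {t.format(**attrs) for t in templates}


def prerequisites(alert: Alert) -> Set[str]:
    return instantiate(KNOWLEDGE_BASE[alert.type][0], alert.attrs)


def consequences(alert: Alert) -> Set[str]:
    return instantiate(KNOWLEDGE_BASE[alert.type][1], alert.attrs)


def prepares_for(a: Alert, b: Alert) -> bool:
    """a prepares for b if a happened first and a consequence of a is a prerequisite of b."""
    return a.ts < b.ts and bool(consequences(a) & prerequisites(b))


def correlate(alerts: List[Alert]) -> List[Tuple[int, int]]:
    """Build the 'prepare-for' edges (a.id -> b.id) of the alert correlation graph."""
    edges = []
    for a in alerts:
        for b in alerts:
            if a.id != b.id and prepares_for(a, b):
                edges.append((a.id, b.id))
    return sorted(edges)


def split_correlated(alerts: List[Alert], edges: List[Tuple[int, int]]) -> Tuple[List[int], List[int]]:
    """Focused analysis: alert ids that take part in some edge vs. isolated (likely false) alerts."""
    involved = {x for e in edges for x in e}
    correlated = sorted(a.id for a in alerts if a.id in involved)
    isolated = sorted(a.id for a in alerts if a.id not in involved)
    return correlated, isolated


def reduce_by_type(alerts: List[Alert], edges: List[Tuple[int, int]]) -> Set[Tuple[str, str]]:
    """Graph reduction: collapse alert-level edges to edges between alert types."""
    by_id = {a.id: a for a in alerts}
    return {(by_id[x].type, by_id[y].type) for x, y in edges}


# Constructed sample alerts: a coherent scenario against 10.0.0.5, plus two unrelated
# alerts against 10.0.0.9 whose order (exploit before scan) breaks the prepare-for relation.
SAMPLE_ALERTS = [
    Alert(1, "ICMP_PING",          1, {"SrcIP": "192.0.2.7", "DestIP": "10.0.0.5", "DestPort": "-"}),
    Alert(2, "PORT_SCAN",          2, {"SrcIP": "192.0.2.7", "DestIP": "10.0.0.5", "DestPort": "80"}),
    Alert(3, "SERVICE_EXPLOIT",    3, {"SrcIP": "192.0.2.7", "DestIP": "10.0.0.5", "DestPort": "80"}),
    Alert(4, "INSTALL_DDOS_AGENT", 4, {"SrcIP": "192.0.2.7", "DestIP": "10.0.0.5", "DestPort": "-"}),
    Alert(5, "SERVICE_EXPLOIT",    5, {"SrcIP": "198.51.100.3", "DestIP": "10.0.0.9", "DestPort": "22"}),
    Alert(6, "PORT_SCAN",          6, {"SrcIP": "198.51.100.3", "DestIP": "10.0.0.9", "DestPort": "22"}),
]

if __name__ == "__main__":
    edges = correlate(SAMPLE_ALERTS)
    print("prepare-for edges:", edges)
    print("correlated / isolated:", split_correlated(SAMPLE_ALERTS, edges))
    print("reduced graph:", sorted(reduce_by_type(SAMPLE_ALERTS, edges)))
```

Running the script yields the chain 1 -> 2 -> 3 -> 4 for the 10.0.0.5 scenario, while alerts 5 and 6 stay isolated even though their predicates match, because the scan arrives after the exploit it would have prepared for. The isolated set is where an analyst following the thesis's focused-analysis idea would expect false alerts to concentrate.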
Keywords
Intrusion Detection, Alert Correlation, Attack Scenario Analysis
Degree
MS
Discipline
Computer Science