Facilitating Alert Correlation Using Resource Trees
Date
2005-08-08
Abstract
With the steady increase in the number of attacks against networks and hosts, security systems such as intrusion detection systems are widely deployed in networks. Intrusion detection systems may flag large numbers of alerts, in which false alerts are mixed with true ones. To understand the security threats and take appropriate actions, it is necessary to perform alert correlation. One class of alert correlation methods is the prerequisite and consequence based approach, where the prerequisite of an attack is the necessary condition to launch the attack, and the consequence of an attack is the possible outcome if the attack succeeds. By matching the consequences of earlier attacks with the prerequisites of later ones, attack scenarios can be discovered. However, one limitation of these approaches is that specifying prerequisites and consequences for different alert types is usually time-consuming and error-prone. To address this limitation, this thesis proposes a resource tree based method to facilitate the specification of prerequisites and consequences. Attacks can be viewed from the perspective of resources; example resources include various network services and privileges. This thesis further organizes resources into trees, where the nodes in the trees are labelled with conditions (represented by predicates). To specify the prerequisite and consequence of an attack, one looks for the resource trees related to the attack's prerequisite and consequence, traverses the trees to find the appropriate nodes, and finally selects the suitable predicates to put into the prerequisite and consequence. This approach is simple and less expert-dependent. The usability study and comprehensiveness study (with more than 3000 alert types) demonstrate the effectiveness of this approach. Correlation results with different datasets further show that prerequisites and consequences defined using our methodology can be effectively used for alert correlation.
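The following is an added illustration of the prerequisite/consequence correlation the abstract describes, not code from the thesis: two small constructed resource trees (network services and privileges) whose child nodes imply their parents, a few constructed alert-type specifications that point at tree nodes, and a correlator that links an earlier alert to a later one when the earlier alert's consequence satisfies the later alert's prerequisite. The tree shapes, alert-type names and the "descendant implies ancestor" rule are assumptions made for this example.

```python
# Resource trees as child -> parent maps (constructed); a child predicate implies its parent,
# e.g. RootAccess(h) implies UserAccess(h), HttpService(h) implies NetworkService(h).
RESOURCE_TREES = {
    "NetworkService": None, "HttpService": "NetworkService", "SshService": "NetworkService",
    "Access": None, "UserAccess": "Access", "RootAccess": "UserAccess",
}
# Alert-type specs (constructed): prerequisites/consequences as (tree node, alert field for the argument).
ALERT_TYPES = {
    "HttpProbe":       {"pre": [],                       "post": [("HttpService", "dst")]},
    "HttpOverflow":    {"pre": [("HttpService", "dst")], "post": [("RootAccess", "dst")]},
    "NewAdminAccount": {"pre": [("UserAccess", "dst")],  "post": [("UserAccess", "dst")]},
}
# Constructed sample alerts; alert 4 has no earlier alert that establishes its prerequisite.
SAMPLE_ALERTS = [
    {"id": 1, "type": "HttpProbe",       "src": "10.0.0.5", "dst": "web01", "ts": 1},
    {"id": 2, "type": "HttpOverflow",    "src": "10.0.0.5", "dst": "web01", "ts": 2},
    {"id": 3, "type": "NewAdminAccount", "src": "web01",    "dst": "web01", "ts": 3},
    {"id": 4, "type": "HttpOverflow",    "src": "10.0.0.9", "dst": "db01",  "ts": 4},
]

def implies(consequence, prerequisite):
    """Consequence (node, arg) satisfies prerequisite (node, arg): same argument, node equal or a descendant."""
    cnode, carg = consequence
    pnode, parg = prerequisite
    if carg != parg:
        return False
    while cnode is not None:
        if cnode == pnode:
            return True
        cnode = RESOURCE_TREES.get(cnode)  # walk up the resource tree towards the root
    return False

def correlate(alerts):
    """Scenario edges (earlier_id, later_id): the earlier alert's consequence satisfies a later prerequisite."""
    edges = []
    ordered = sorted(alerts, key=lambda a: a["ts"])
    for later in ordered:
        for pnode, pfield in ALERT_TYPES[later["type"]]["pre"]:
            prereq = (pnode, later[pfield])
            for earlier in ordered:
                if earlier["ts"] >= later["ts"]:
                    break  # only strictly earlier alerts can establish a prerequisite
                for cnode, cfield in ALERT_TYPES[earlier["type"]]["post"]:
                    if implies((cnode, earlier[cfield]), prereq):
                        edges.append((earlier["id"], later["id"]))
    return edges

def isolated(alerts, edges):  # alerts in no scenario edge: candidates for closer review
    linked = {i for edge in edges for i in edge}
    return [a["id"] for a in alerts if a["id"] not in linked]
```

On the sample alerts the correlator yields the chain 1 -> 2 -> 3 on web01 (the overflow's RootAccess consequence satisfies the UserAccess prerequisite through the privilege tree), while alert 4 stays isolated because nothing earlier established HttpService(db01).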
Keywords
Resource Tree, Alert Correlation, Intrusion Detection
Degree
MS
Discipline
Computer Science