A growing trend in the cybersecurity landscape is repre-sented by multistep attacks that involve multiple correlated intrusionactivities to reach the intended target. The duty of correlating secu-rity alerts and reconstructing complete attack scenarios is left to sys-tem administrators because current Network Intrusion Detection Sys-tems (NIDS) are still oriented to generate alerts related to single attacks,with no or minimal correlation analysis among dierent security alerts.We propose a novel approach for the automatic analysis of multiple se-curity alerts generated by state-of-the-art signature-based NIDS. Ourproposal is able to group security alerts that are likely to belong to thesame attack scenario, and to identify correlations and causal relation-ships among them. This goal is achieved by combining alert classicationthrough Self Organizing Maps and unsupervised clustering algorithms.The ecacy of the proposal is demonstrated through a prototype testedagainst network trac traces containing multistep attacks.
Multistep attack detection and alert correlation in intrusion detection systems / Manganiello, Fabio; Marchetti, Mirco; Colajanni, Michele. - STAMPA. - (2011), pp. 101-110. (Intervento presentato al convegno 5th International Conference on Information Security and Assurance (ISA 2011) tenutosi a Brno nel 2011-August) [10.1007/978-3-642-23141-4_10].
Multistep attack detection and alert correlation in intrusion detection systems
MANGANIELLO, FABIO;MARCHETTI, Mirco;COLAJANNI, Michele
2011
Abstract
A growing trend in the cybersecurity landscape is repre-sented by multistep attacks that involve multiple correlated intrusionactivities to reach the intended target. The duty of correlating secu-rity alerts and reconstructing complete attack scenarios is left to sys-tem administrators because current Network Intrusion Detection Sys-tems (NIDS) are still oriented to generate alerts related to single attacks,with no or minimal correlation analysis among dierent security alerts.We propose a novel approach for the automatic analysis of multiple se-curity alerts generated by state-of-the-art signature-based NIDS. Ourproposal is able to group security alerts that are likely to belong to thesame attack scenario, and to identify correlations and causal relation-ships among them. This goal is achieved by combining alert classicationthrough Self Organizing Maps and unsupervised clustering algorithms.The ecacy of the proposal is demonstrated through a prototype testedagainst network trac traces containing multistep attacks.
Pubblicazioni consigliate
I metadati presenti in IRIS UNIMORE sono rilasciati con licenza Creative Commons CC0 1.0 Universal, mentre i file delle pubblicazioni sono rilasciati con licenza Attribuzione 4.0 Internazionale (CC BY 4.0), salvo diversa indicazione.
In caso di violazione di copyright, contattare Supporto Iris
