Multistep attack detection and alert correlation in intrusion detection systems / Manganiello, Fabio; Marchetti, Mirco; Colajanni, Michele. - Print. - 200:(2011), pp. 101-110. (Paper presented at the 2011 International Conference on Information Security and Assurance, ISA 2011, held in Brno, CZE, in August 2011) [10.1007/978-3-642-23141-4_10].
Multistep attack detection and alert correlation in intrusion detection systems
Manganiello, Fabio; Marchetti, Mirco; Colajanni, Michele
2011
Abstract
A growing trend in the cybersecurity landscape is represented by multistep attacks that involve multiple correlated intrusion activities to reach the intended target. The duty of correlating security alerts and reconstructing complete attack scenarios is left to system administrators because current Network Intrusion Detection Systems (NIDS) are still oriented to generate alerts related to single attacks, with no or minimal correlation analysis among different security alerts. We propose a novel approach for the automatic analysis of multiple security alerts generated by state-of-the-art signature-based NIDS. Our proposal is able to group security alerts that are likely to belong to the same attack scenario, and to identify correlations and causal relationships among them. This goal is achieved by combining alert classification through Self Organizing Maps and unsupervised clustering algorithms. The efficacy of the proposal is demonstrated through a prototype tested against network traffic traces containing multistep attacks.

File | Type | Size | Format
---|---|---|---
isa2011.pdf (open access) | Author's revised version accepted for publication | 478.85 kB | Adobe PDF
The metadata in IRIS UNIMORE are released under the Creative Commons CC0 1.0 Universal license, while the publication files are released under the Attribution 4.0 International (CC BY 4.0) license, unless otherwise indicated.