Skip to main content
SpringerLink
Log in

Alert Correlation Algorithms: A Survey and Taxonomy

  • Conference paper
Cyberspace Safety and Security (CSS 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8300))

Included in the following conference series:

Abstract

Alert correlation is a system which receives alerts from heterogeneous Intrusion Detection Systems and reduces false alerts, detects high level patterns of attacks, increases the meaning of occurred incidents, predicts the future states of attacks, and detects root cause of attacks. To reach these goals, many algorithms have been introduced in the world with many advantages and disadvantages. In this paper, we are trying to present a comprehensive survey on already proposed alert correlation algorithms. The approach of this survey is mainly focused on algorithms in correlation engines which can work in enterprise and practical networks. Having this aim in mind, many features related to accuracy, functionality, and computation power are introduced and all algorithm categories are assessed with these features. The result of this survey shows that each category of algorithms has its own strengths and an ideal correlation frameworks should be carried the strength feature of each category.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Tjhai, G.C., Papadaki, M., Furnell, S.M., Clarke, N.L.: Investigating the Problem of IDS False Alarms: An Experimental Study Using Snort. In: Proceedings of the IFIP TC 11 23rd International Information Security Conference, pp. 253–267 (2008)

    Google Scholar 

  2. Pouget, F., Dacier, M.: Alert Correlation: Review of the state of the art. EURECOM, Technical Report (2003)

    Google Scholar 

  3. Sadoddin, R., Ghorbani, A.: Alert correlation survey: Framework and techniques. In: Proceedings of ACM International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services (2006)

    Google Scholar 

  4. Al-Mamory, S.O., Zhang, H.: A survey on IDS alerts processing techniques. In: Proceeding of the 6th WSEAS International Conference on Information Security and Privacy (ISP), pp. 69–78 (2007)

    Google Scholar 

  5. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  6. Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)

    Chapter  MATH  Google Scholar 

  7. Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th Annual Computer Security Applications Conference, ACSAC (2001)

    Google Scholar 

  8. Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.A.: Comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing, 146–169 (2004)

    Google Scholar 

  9. Elshoush, H.T., Osman, I.M.: Intrusion Alert Correlation Framework: An Innovative Approach. In: IAENG Transactions on Engineering Technologies, pp. 405–420 (2013)

    Google Scholar 

  10. Julisch, K.: Mining alarm clusters to improve alarm handling efficiency. In: Proceedings of 17th Annual Computer Security Applications Conference (ACSAC), pp. 12–21 (2001)

    Google Scholar 

  11. Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Journal Name 2(3), 111–138 (2002)

    Google Scholar 

  12. Al-Mamory, S.O., Zhang, H.: IDS alerts correlation using grammar-based approach. Journal of Computer Virology 5(4), 271–282 (2009)

    Article  Google Scholar 

  13. Dain, O.M., Cunningham, R.K.: Building scenarios from a heterogeneous alert stream. In: Proceedings of IEEE Workshop on Information Assurance and Security (2001)

    Google Scholar 

  14. Dain, O., Cunningham, R.K.: Fusing a heterogeneous alert stream into scenarios. In: Proceedings of ACM Workshop on Data Mining for Security Applications, pp. 1–13 (2001)

    Google Scholar 

  15. Smith, R., Japkowicz, N., Dondo, M., Mason, P.: Using unsupervised learning for network alert correlation. In: Advances in Artificial Intelligence, pp. 308–319 (2008)

    Google Scholar 

  16. Smith, R., Japkowicz, N., Dondo, M.: Clustering using an autoassociator: A case study in network event correlation. In: Proceedings of the 17th IASTED International Conference on Parallel and Distributed Computing and Systems (2008)

    Google Scholar 

  17. Pietraszek, T., Tanner, A.: Data mining and machine learning towards reducing false positives in intrusion detection. Information Security 10(3), 169–183 (2005)

    Google Scholar 

  18. Pietraszek, T.: Using adaptive alert classification to reduce false positives in intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 102–124. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  19. Templeton, S.J., Levitt, K.: A requires/provides model for computer attacks. In: Proceedings of the Workshop on New Security Paradigms, pp. 31–38 (2001)

    Google Scholar 

  20. Ning, P., Cui, Y.: An intrusion alert correlator based on pre-requisites of intrusions (2002)

    Google Scholar 

  21. Ning, P., Cui, Y., Reeves, D.S.: Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM on Computer and Communications Security, pp. 245–254 (2002)

    Google Scholar 

  22. Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security (TISSEC) 7(2), 274–318 (2004)

    Article  Google Scholar 

  23. Cuppens, F., Autrel, F., Miege, A., Benferhat, S.: Correlation in an intrusion detection process. In: Proceedings SEcurite des Communications sur Internet (SECI), pp. 153–171 (2002)

    Google Scholar 

  24. Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pp. 200–209 (2003)

    Google Scholar 

  25. Ning, P., Cui, Y., Reeves, D.S.: Analyzing intensive intrusion alerts via correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 74–94. Springer, Heidelberg (2002)

    Chapter  MATH  Google Scholar 

  26. Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Towards automating intrusion alert analysis. In: Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection (2003)

    Google Scholar 

  27. Ning, P., Xu, D.: Hypothesizing and reasoning about attacks missed by intrusion detection systems. ACM Transactions on Information and System Security (TISSEC) 7(4), 591–627 (2004)

    Article  Google Scholar 

  28. Ning, P., Xu, D., Healey, C.G., Amant, R.S.: Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium, NDSS (2004)

    Google Scholar 

  29. Zhai, Y., Ning, P., Iyer, P., Reeves, D.S.: Reasoning about complementary intrusion evidence. In: 20th Annual IEEE Computer Security Applications Conference (ACSAC), pp. 39–48 (2004)

    Google Scholar 

  30. Wang, L., Liu, A., Jajodia, S.: An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts. In: De Capitani di Vimercati, S.,Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 247–266. Springer, Heidelberg (2005)

    Google Scholar 

  31. Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Computer Communications 29(15), 2917–2933 (2006)

    Article  Google Scholar 

  32. Zali, Z., Hashemi, M.R., Saidi, H.: Real-Time Intrusion Detection Alert Correlation and Attack Scenario Extraction Based on the Prerequisite-Consequence Approach. The ISC International Journal of Information Security 4(2) (2013)

    Google Scholar 

  33. Cheung, S., Lindqvist, U., Fong, M.W.: Modelling multistep cyber-attacks for scenario recognition. In: DARPA Information Survivability Conference and Exposition, pp. 284–292 (2003)

    Google Scholar 

  34. Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: An attack language for state-based intrusion detection. Journal of Computer Security 10(1/2), 71–104 (2002)

    Article  Google Scholar 

  35. Cuppens, F., Ortalo, R.: LAMBDA: A language to model a database for detection of attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  36. Morin, B., Mé, L., Debar, H., Ducassé, M.: M2D2: A formal data model for IDS alert correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 115–137. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  37. Morin, B., Mé, L., Debar, H., Ducassé, M.: A logic-based model to support alert correlation in intrusion detection. Information Fusion 10(4), 285–299 (2009)

    Article  Google Scholar 

  38. Al-Mamory, S.O., Zhang, H.: Intrusion detection alarms reduction using root cause Analysis and clustering. Computer Communications 32(2), 419–430 (2009)

    Article  Google Scholar 

  39. Kabiri, P., Ghorbani, A.A.: A rule-based temporal alert correlation system. International Journal of Network Security 5(1), 66–72 (2007)

    Google Scholar 

  40. Viinikka, J., Debar, H.: Monitoring IDS background noise using EWMA control charts and alert information. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 166–187. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  41. Viinikka, J., Debar, H., Mé, L., Séguier, R.: Time series modelling for IDS alert management. In: Proceedings of Information, Computer and Communications Security, pp. 102–113 (2006)

    Google Scholar 

  42. Viinikka, J., Debar, H., Mé, L., Lehikoinen, A., Tarvainen, M.: Processing intrusion detection alert aggregates with time series modelling. Information Fusion 10(4), 312–324 (2009)

    Article  Google Scholar 

  43. Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A data mining Analysis of RTID alarms. Computer Networks 34(4), 571–577 (2000)

    Article  Google Scholar 

  44. Treinen, J.J., Thurimella, R.: A framework for the application of association rule mining in large intrusion detection infrastructures. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 1–18. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  45. Ren, H., Stakhanova, N., Ghorbani, A.A.: An online adaptive approach to alert correlation. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 153–172. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  46. Lee, W., Qin, X.: Statistical causality Analysis of INFOSEC alert data. In: Managing Cyber Threats, pp. 101–127 (2003)

    Google Scholar 

  47. Qin, X., Lee, W.: Attack plan recognition and prediction using causal networks. In: 20th Annual Computer Security Applications Conference (ACSAC), pp. 370–379 (2004)

    Google Scholar 

  48. Qin, X., Lee, W.: Discovering novel attack strategies from INFOSEC alerts. In: Data Warehousing and Data Mining Techniques for Cyber Security, pp. 109–157 (2007)

    Google Scholar 

  49. Geib, C.W., Goldman, R.P.: Plan recognition in intrusion detection systems. In: DARPA Information Survivability Conference and Exposition, pp. 46–55 (2001)

    Google Scholar 

  50. Dorigo, M., Maniezzo, V., Colorni, A.: Ant system: Optimization by a colony of cooperating agents. IEEE Transactions on Systems, Man, and Cybernetics 26(1), 29–41 (1996)

    Article  Google Scholar 

  51. Ourston, D., Matzner, S., Stump, W., Hopkins, B.: Applications of hidden markov models to detecting multi-stage network attacks. In: Proceedings of the 36th Annual IEEE Hawaii International Conference on System Sciences (2003)

    Google Scholar 

  52. Gu, G., Cardenas, A.A., Lee, W.: Principled reasoning and practical applications of alert fusion in intrusion detection systems. In: Proceedings of ACM Symposium on Information, Computer and Communications Security, pp. 136–147 (2008)

    Google Scholar 

  53. Siraj, A., Vaughn, R.B.: Multi-level alert clustering for intrusion detection sensor data. In: Annual Meeting of the North American on Fuzzy Information Processing Society, pp. 748–753 (2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Computer Engineering Department, Sharif University of Technology, International Campus, Iran

    Seyed Ali Mirheidari

  2. Data and Network Security Laboratory (DNSL), Sharif University of Technology, Iran

    Seyed Ali Mirheidari, Sajjad Arshad & Rasool Jalili

  3. Computer Engineering Department, Sharif University of Technology, Iran

    Rasool Jalili

Authors
  1. Seyed Ali Mirheidari
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sajjad Arshad
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Rasool Jalili
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. School of Information Science and Engineering, Central South University, 410083, Changsha, Hunan, P.R. China

    Guojun Wang

  2. Computer Science Department, Colorado State University, 1873 Campus Delivery, 80523-1873, Fort Collins, CO, USA

    Indrakshi Ray

  3. Chinese Academy of Sciences, Institute of Software, 100190, Beijing, P.R. China

    Dengguo Feng

  4. information Security Group, City University London, EC1V 0HB, London, UK

    Muttukrishnan Rajarajan

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Mirheidari, S.A., Arshad, S., Jalili, R. (2013). Alert Correlation Algorithms: A Survey and Taxonomy. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds) Cyberspace Safety and Security. CSS 2013. Lecture Notes in Computer Science, vol 8300. Springer, Cham. https://doi.org/10.1007/978-3-319-03584-0_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-03584-0_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-03583-3

  • Online ISBN: 978-3-319-03584-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation