Computer Science ›› 2017, Vol. 44 ›› Issue (2): 38-45.doi: 10.11896/j.issn.1002-137X.2017.02.004

Previous Articles     Next Articles

Survey on Network Security Event Correlation Analysis Methods and Tools

JU An-kang, GUO Yuan-bo, ZHU Tai-ming and WANG Tong   

  • Online:2018-11-13 Published:2018-11-13

Abstract: At present,the frequency of the new network security attacks events represented by APT is increasing,and it is more harmful to the enterprise information infrastructure.The new types of attack have the characteristics of customi-zation,concealment and continuity,and these make it more difficult for traditional detection methods to detect or predict these deep-hidden attacks in time.However,with the development of big data technology,people can correlate the information about security events and system running environment effectively,and this makes it possible to detect new types of attack and threat.In this paper,we expounded the importance of security event correlation analytics,and then discussed the existing correlation analysis techniques from the aspect of event attributes,logical reasoning,statistics and machine learning.Finally we introduced several commonly used open-source correlation analysis software,and synthetically compared them in application scenarios,programming language,user interface,and the correlation method used.

Key words: Correlation analysis,Feature attributes,Logical reasoning,Statistics,Machine learning

[1] SALAH S.A model-based survey of alert correlation techniques[J].Computer Networks,2013,57(5):1289-1317 .
[2] AL-MAMORY S O,ZHANG H L.A Survey on IDS Alerts Processing Techniques[C]∥6th WESEAS International Conference on Information Security and Privacy.Tenerfe,Spain,2017 .
[3] SADODDIN R,GHORBANI A.Alert correlation survey:framework and techniques[C]∥Conference on Privacy,Security and Trust.2006.
[4] GUPTA R K,CHO S Y.A Correlation-Based Approach for Real-Time Stereo Matching[M]∥Advances in Visual Computing.Springer Berlin Heidelberg,2010:129-138.
[5] ANTONELLO M,PRETTO A,MENEGATTI E.Fast Incre-mental Objects Identification and Localization using Cross-correlation on a 6 DoF Voting Scheme[C]∥Special Session on Active Robot Vision.2014:499-504.
[6] XIAO S,ZHANG Y,LIU X,et al.Alert Fusion Based on Cluster and Correlation Analysis[C]∥Proceedings of the International Conference on Convergence and Hybrid Information Technology,Daejeon,South Korea.2008:163-168.
[7] FORGY C L.Rete:A fast algorithm for the many pattern/many object pattern match problem[J].Artificial Intelligence,1982,19(82):17-37.
[8] GU X D,GAO Y,HUANG J.Rete Algorithm;Current Issues and Future Challenge[J].Computer Science,2012,39(11):8-12.(in Chinese) 顾小东,高阳,黄峻.Rete算法:研究现状与挑战[J].计算机科学,2012,39(11):8-12.
[9] WEN J R,WANG Y L,LIU W.Improved algorithm for RETE supporting multiple types of imperfect metric[J].Computer Engineering and Applications,2015,51(15):48-55.(in Chinese) 文举荣,王永利,刘伟.支持多类型瑕疵度量的RETE改进算法[J].计算机工程与应用,2015,51(15):48-55.
[10] CUPPENS F.Managing alerts in a multi-intrusion detection environment[C]∥Proceedings 17th Annual Computer Security Applications Conference,2001(ACSAC 2001).IEEE,2001:22-31.
[11] CUPPENS F,MIGE A.Alert correlation in a cooperative intrusion detection framework[C]∥IEEE Symposium on Security & Privacy IEEE Computer Society.IEEE,2002:202-215.
[12] ZHUANG X,XIAO D,LIU X,et al.Applying Data Fusion in Collaborative Alerts Correlation[C]∥International Symposium on Computer Science and Computational Technology,2008(ISCSCT’08).IEEE,2008:124-127.
[13] YAN R Y.DDoS Attacks Detection Method Based on TrafficMatrix and KalmanFilter[J].Computer Science,2014,41(3):176-180.(in Chinese) 颜若愚.基于流量矩阵和Kalman滤波的DDoS攻击检测方法[J].计算机科学,2014,41(3):176-180.
[14] VALDES A D J,SKINNER K.Probabilistic alert correlation:Springer Berlin Heidelberg,US 7917393 B2[P].2011.
[15] AHMADINEJAD S H,JALILI S.Alert Correlation Using Correlation Probability Estimation and Time Windows[C]∥International Conference on Computer Technology and Development.IEEE,2009:170-175.
[16] VAPNIK V.SVM method of estimating density,conditionalprobability,and conditional density[C]∥The 2000 IEEE International Symposium on Circuits and Systems,2000.IEEE,2000:749-752.
[17] PARSI S K.Implementing network intrusion detection on amulti-threading FSM[D].Dissertations & Theses-Gradworks,2007.
[18] MASTANI S A.Reduced Merge_FSM Pattern Matching Algo-rithm for Network Intrusion Detection[J].International Journal on Recent Trends in Engineering &Technolo,2014,10(2):117-122.
[19] ILGUN K,KEMMERER R A,PORAS P A.State transitionanalysis:a rule-based intrusion detection approach[J].IEEE Transactions on Software Engineering,1995,21(3):181-199.
[20] YANG Y,MCLAUGHLIN K,LITTLER T,et al.Rule-basedintrusion detection system for SCADA networks[C]∥Rene-wable Power Generation Conference (RPG 2013),2nd IET.IET,2013:1-4.
[21] PERERA G.Rules Based Monitoring and ntrusion DetectionSystem:US20150326604[P].2015.
[22] EILAND E E,EVANS S C,MARKHAM T S,et al.Intrusion detection using MDL compression:US,US8375446B2[P].2013.
[23] ESMAILI M,BALACHANDRAN B,S AFAVI-NAINI R,et al.Case-Based Reasoning for Intrusion Detection[C]∥Proceedings of the 12th Annual Computer Security Applications Conference.IEEE Computer Society,1996:214-223.
[24] LONG J,SCHWARTZ D,STOECKLIN S.Application of Case-Based Reasoning to MultiSensor Network Intrusion Detection[C]∥Proceedings of the 4th WSEAS international conference on Computational intelligence,man-machine systems and cybernetics.World Scientific and Engineering Academy and Society (WSEAS).2005.
[25] ZENG R G,GUAN X H,ZAN X,et al.Case-Based Reasoning for Intrusion Detection Correlation Analysis[J].Computer Engineering & Applications,2006,42(4):138-141.
[26] CHEN B,LING Y U,XIAO J M.An Application of Simulated Annealing Algorithm in Model-Based Reasoning Intrusion Detection[J].Journal of University of Electronic Science & Technology of China,2005,34(1):36-39.
[27] CHEN R C,CHEN S P.An intrusion detection based on support vector machines with a voting weight schema[C]∥International Conference on Industrial.Springer-Verlag,2007:1148-1157.
[28] TRAN T P,TSAI P,JAN T,et al.Network Intrusion Detection using Machine Learning and Voting techniques[M].Machine Learning,2010:267-290.
[29] BOROWIK B,KARPINSKYY M,LAHNO V,et al.MachinesMoore and Mealy[M]∥Theory of Digital Automata.Springer Netherlands,2013:143-171.
[30] RUBIN D E,MITAL V,BECKMAN B C,et al.Dependencygraph in data-driven model:US,US8352397[P].2013.
[31] GUMUS F,SAKAR C O,EREDM Z,et al.Online Naive Bayes classification for network intrusion detection[C]∥2014 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM).IEEE,2014:670-674.
[32] VARUNA S,NATESAN P.An integration of k-means cluste-ring and nave bayes classifier for Intrusion Detection[C]∥2015 3rd International Conference on Signal Processing,Communication and Networking (ICSCN).IEEE,2015:1-5.
[33] FARID D M,HARBI N,RAHMAN M Z.Combining NaiveBayes and Decision Tree for Adaptive Intrusion Detection[J].International Journal of Network Security & Its Applications,2010,2(2):52-58.
[34] JIA I A,YANG C F,et al.An Intrusion Detection Method Based on Hierarchical Hidden Markov Models[J].Wuhan University Journal of Natural Sciences,2007,12(1):135-138.
[35] VOLLMER T,MANIC M.Title:Computationally EfficientNeural Network Intrusion Security Awareness[C]∥2nd International Symposium on Resilient Control Systems,2009(ISRCS’09).IEEE,2009:25-30.
[36] MACKENZIE M R,TIEU A K.Hermite neural network correlation and application[J].IEEE Transactions on Signal Proces-sing,2004,51(12):3210-3219.
[37] GILMORE M R,JONES S E,FOSTER J C,et al.Sung Intrusion Detection:Support Vector Machine and Neural Networks[C]∥ASME 2002 Pressure Vessels and Piping Conference.American Society of Mechanical Engineers,2002:277-281.
[38] RAO X,DONG C X,YANG S Q.An Intrusion Detection System Based on Support Vector Machine[J].Journal of Software,2003,14(4):798-803.(in Chinese) 饶鲜,董春曦,杨绍全.基于支持向量机的入侵检测系统[J].软件学报,2003,14(4):798-803.
[39] YANG K H,SHAN G L,ZHAO L L.Correlation Coefficient Method for Support Vector Machine Input Samples[C]∥2006 International Conference on Machine Learning and Cybernetics.IEEE,2006:2857-2861.
[40] KLIGER S,YEMINI S,YEMINI Y,et al.A coding approach toevent correlation[C]∥Proceedings of the Fourth International Symposium on Integrated Network Management IV.Chapman &Hall,Ltd.,1995:266-277.
[41] GRUSCHKE B.Integrated Event Management:Event Correlation Using Dependency Graphs[C]∥Distributed Systems,Ope-rations and Management.1998.
[42] ROSCHKE S,CHENG F,MEINEL C.A New Alert Correlation Algorithm Based on Attack Graph[M]∥Computational Intelligence in Security for Information Systems.Springer Berlin Heidelberg,2011:58-67.
[43] ZHU B,GHORBANI A A.Alert Correlation for Extracting Attack Strategies[J].International Journal of Network Security,2006,3(3):244-258.
[44] STEINDER,MAGORZATA,SETHI,et al.Probabilistic Fault Localization in Communication Systems Using Belief Networks[C]∥IEEE/ACM Transactions on Networking.2004:809-822.
[45] MARCHETTI M,COLAJANNI M,M ANGANIELLO F.Identification of correlated network intrusion alerts[M]∥2011 Third International Workshop on Cyberspace Safety and Security (CSS).IEEE,2011:15-20.
[46] HARAHAP E,SAKAMOTO W,NISHI H.Failure predictionmethod for Network Management System by using Bayesian network and shared database[C]∥2010 8th Asia-Pacific Symposium on Information and Telecommunication Technologies (APSITT).IEEE,2010:1-6.
[47] SHI Z,XIA Y.A Novel Hidden Markov Model for Detecting Complicate Network Attacks[C]∥2010 IEEE International Conference on Wireless Communications,Networking and Information Security (WCNIS).IEEE,2010:312-315.
[48] KELLOGG J,MCNEELY A,RUFFO B,et al.Alert Correlation and Prediction Using Data Mining and HMM[J].Isecure,2011,3:77-102.
[49] ZAN X,GAO F,HAN J,et al.A Hidden Markov Model Based Framework for Tracking and Predicting of Attack Intention[C]∥International Conference on Multimedia Information Networking and Security.IEEE,2009:498-501.
[50] Swatchwebsite.http://sourceforge.net/projects/swa-tch.
[51] SEC-simple event correlator.http://kodu.neti.ee/~risto/sec.
[52] OSSEC community.Ossec website.http://ossec.net.
[53] OSSIM community.Ossim website.http://www.ossim.org.
[54] Drools community.Drools website.http://www.jboss.org/drools.
[55] EsperTech.Esper website.http://www.espertech.com.

No related articles found!
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
[1] LEI Li-hui and WANG Jing. Parallelization of LTL Model Checking Based on Possibility Measure[J]. Computer Science, 2018, 45(4): 71 -75, 88 .
[2] XIA Qing-xun and ZHUANG Yi. Remote Attestation Mechanism Based on Locality Principle[J]. Computer Science, 2018, 45(4): 148 -151, 162 .
[3] LI Bai-shen, LI Ling-zhi, SUN Yong and ZHU Yan-qin. Intranet Defense Algorithm Based on Pseudo Boosting Decision Tree[J]. Computer Science, 2018, 45(4): 157 -162 .
[4] WANG Huan, ZHANG Yun-feng and ZHANG Yan. Rapid Decision Method for Repairing Sequence Based on CFDs[J]. Computer Science, 2018, 45(3): 311 -316 .
[5] SUN Qi, JIN Yan, HE Kun and XU Ling-xuan. Hybrid Evolutionary Algorithm for Solving Mixed Capacitated General Routing Problem[J]. Computer Science, 2018, 45(4): 76 -82 .
[6] ZHANG Jia-nan and XIAO Ming-yu. Approximation Algorithm for Weighted Mixed Domination Problem[J]. Computer Science, 2018, 45(4): 83 -88 .
[7] WU Jian-hui, HUANG Zhong-xiang, LI Wu, WU Jian-hui, PENG Xin and ZHANG Sheng. Robustness Optimization of Sequence Decision in Urban Road Construction[J]. Computer Science, 2018, 45(4): 89 -93 .
[8] LIU Qin. Study on Data Quality Based on Constraint in Computer Forensics[J]. Computer Science, 2018, 45(4): 169 -172 .
[9] ZHONG Fei and YANG Bin. License Plate Detection Based on Principal Component Analysis Network[J]. Computer Science, 2018, 45(3): 268 -273 .
[10] SHI Wen-jun, WU Ji-gang and LUO Yu-chun. Fast and Efficient Scheduling Algorithms for Mobile Cloud Offloading[J]. Computer Science, 2018, 45(4): 94 -99, 116 .