Computer Science, 2019, Vol. 46, Issue 8: 64-70. doi: 10.11896/j.issn.1002-137X.2019.08.010

• Big Data & Data Science •

Alert Correlation Algorithm Based on Improved FP Growth

LU Xian-guang, DU Xue-hui, WANG Wen-juan   

  (Information Engineering University, Zhengzhou 450001, China)
  Received: 2018-11-06; Online: 2019-08-15; Published: 2019-08-15

Abstract: The raw alerts generated by an intrusion detection system are low-level, mutually isolated and unrelated to one another, which makes it difficult for security managers to discover unknown, high-level security threats and to understand the overall security situation of the target network. In order to build attack scenarios from low-level alerts, this paper analyzes existing alert correlation knowledge and proposes a new alert correlation algorithm based on data mining, aimed at the poor performance of existing algorithms on sparse data. The paper first compares existing alert correlation algorithms, then explains the principles, merits and drawbacks of the classical Apriori and FP-growth algorithms, and improves the FP-growth algorithm using a two-dimensional table. Finally, the improved algorithm is used to mine association rules between alerts, and the alerts are correlated according to those rules. To verify the feasibility and performance of the proposed method, simulation tests are carried out on the DARPA data set. The experimental results show that the proposed scheme achieves better alert correlation.
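The abstract describes mining association rules between IDS alerts with FP-growth and then correlating alerts through those rules. The following is an added worked example, not code from the paper: it implements the classical FP-growth of Han, Pei and Yin (FP-tree, header table, conditional pattern bases) rather than the authors' two-dimensional-table variant, whose details the abstract does not give. The alert "windows" are constructed sample data (one set of alert signatures per source/target pair and time window, with names loosely modelled on the DARPA 2000 LLDOS scenario), and the function names `build_tree`, `mine`, `rules` and `correlate` are this example's own.

```python
"""FP-growth over IDS alert transactions: added illustration, not the paper's code."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample input (assumption, not real DARPA data): each window is the
# set of alert signatures raised for one source/target pair inside a time window.
# Signature names loosely follow the DARPA 2000 LLDOS multi-step scenario.
ALERT_WINDOWS = [
    {"ICMP_Sweep", "Sadmind_Ping", "Sadmind_BOF", "Rsh_Login", "Mstream_Zombie"},
    {"ICMP_Sweep", "Sadmind_Ping", "Sadmind_BOF", "Rsh_Login"},
    {"Sadmind_Ping", "Sadmind_BOF", "Rsh_Login", "Mstream_Zombie"},
    {"ICMP_Sweep", "Sadmind_Ping"},
    {"Sadmind_BOF", "Rsh_Login", "Mstream_Zombie"},
    {"ICMP_Sweep", "Sadmind_Ping", "Sadmind_BOF"},
    {"Portscan", "FTP_Anon"},   # unrelated noise that must not become a rule
    {"Portscan"},
]


class FPNode:
    __slots__ = ("item", "count", "parent", "children")

    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}


def build_tree(transactions, min_count):
    """One pass for support counts, one pass to insert frequent items into the FP-tree."""
    counts = Counter(i for t in transactions for i in t)
    frequent = {i for i, c in counts.items() if c >= min_count}
    order = lambda i: (-counts[i], i)          # descending support, then name
    root, header = FPNode(None, None), defaultdict(list)   # header: item -> node links
    for t in transactions:
        node = root
        for item in sorted((i for i in t if i in frequent), key=order):
            child = node.children.get(item)
            if child is None:
                child = FPNode(item, node)
                node.children[item] = child
                header[item].append(child)
            child.count += 1
            node = child
    return root, header, counts


def mine(transactions, min_count, suffix=frozenset()):
    """FP-growth without candidate generation; returns {frozenset(itemset): support}."""
    _, header, counts = build_tree(transactions, min_count)
    found = {}
    for item in sorted(header, key=lambda i: (counts[i], i)):   # least frequent first
        itemset = suffix | {item}
        found[itemset] = sum(n.count for n in header[item])
        # Conditional pattern base: every prefix path leading to this item
        base = []
        for node in header[item]:
            path, p = [], node.parent
            while p.item is not None:
                path.append(p.item)
                p = p.parent
            if path:
                base.extend([path] * node.count)
        if base:
            found.update(mine(base, min_count, itemset))
    return found


def rules(freq, min_conf):
    """Association rules antecedent -> consequent with confidence >= min_conf."""
    out = []
    for itemset, sup in freq.items():
        for k in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), k):
                ante = frozenset(ante)
                conf = sup / freq[ante]      # every subset of a frequent set is frequent
                if conf >= min_conf:
                    out.append((ante, itemset - ante, conf))
    return out


def correlate(observed, rule_list):
    """Alerts implied by rules whose antecedent is fully contained in `observed`."""
    implied = {}
    for ante, cons, conf in rule_list:
        if ante <= observed:
            for alert in cons - observed:
                implied[alert] = max(implied.get(alert, 0.0), conf)
    return implied


if __name__ == "__main__":
    freq = mine(ALERT_WINDOWS, min_count=3)       # support >= 3 of 8 windows
    for ante, cons, conf in sorted(rules(freq, 0.8), key=lambda r: -r[2]):
        print(f"{sorted(ante)} -> {sorted(cons)}  conf={conf:.2f}")
    print(correlate({"Sadmind_Ping", "Sadmind_BOF"}, rules(freq, 0.8)))
```

With a minimum support of 3 windows the two `Portscan` windows never enter the tree, so no rule links the scan noise to the Sadmind chain; with a minimum confidence of 0.8, observing `Sadmind_Ping` and `Sadmind_BOF` together implies `ICMP_Sweep` and `Rsh_Login`, and a lone `Mstream_Zombie` alert implies the `Sadmind_BOF` and `Rsh_Login` steps that precede it. The support threshold is the knob that matters on sparse data: set it too high and the rarer multi-step chains are never mined, which is the failure mode the paper's improvement targets.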

Key words: Alert correlation, Correlation analysis, FP growth algorithm, Intrusion detection

CLC Number: TP393.08