Research on Complex Attack Oriented Hierarchical Alert Correlation
A complex attack usually produces a huge number of alerts, which makes alert correlation time-consuming and the correlation results too complicated to understand. To address these problems, a hierarchical alert correlation model based on causal correlation is proposed. The model has two alert correlation engines: a service-level correlation engine and a host-level correlation engine. At the service level, alerts are classified by destination IP, and causal correlation is carried out to reconstruct, in time order, the attack path that occurred on a single host; performing causal correlation on aggregated alerts rather than on raw alerts improves correlation performance substantially. At the host level, the source IP and destination IP of the same alert are spatially correlated to reconstruct the attack path between different hosts. Experimental results show that the hierarchical alert correlation algorithm reconstructs attack paths accurately, and that the correlation results at the two levels describe the attack scenario from different viewpoints, which helps to analyze attack strategies, predict attack steps and identify the vital parts of the attack.
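The two-level scheme described in the abstract, as an added example that is not the paper's own code: alerts are first aggregated, then grouped by destination IP and chained causally in time order (service level), and finally the first sighting of each source/destination host pair is stitched into an inter-host path (host level). The paper does not publish its causal knowledge base or its alert format, so the prerequisite/consequence table, the alert tuple layout and the sample alerts below are all assumptions constructed for this illustration.

```python
"""Toy hierarchical alert correlation: service level (per destination host,
causal chaining in time order) and host level (inter-host path from src/dst IPs).
The causal table and the alerts are constructed for this example, not from the paper."""
from collections import defaultdict

# Constructed sample alerts (hypothetical). Fields: time, src_ip, dst_ip, signature.
ALERTS = [
    (1, "10.0.0.5", "10.0.0.20", "port_scan"),
    (2, "10.0.0.5", "10.0.0.20", "port_scan"),       # repeats, collapsed by aggregate()
    (3, "10.0.0.5", "10.0.0.20", "port_scan"),
    (4, "10.0.0.5", "10.0.0.20", "ssh_bruteforce"),
    (5, "10.0.0.5", "10.0.0.20", "ssh_login_success"),
    (6, "10.0.0.20", "10.0.0.30", "port_scan"),      # compromised host pivots
    (7, "10.0.0.20", "10.0.0.30", "smb_exploit"),
    (8, "10.0.0.30", "203.0.113.9", "irc_c2_beacon"),  # bot joins C2
    (9, "10.0.0.7", "10.0.0.20", "icmp_ping"),       # unrelated noise
]

# Assumed causal knowledge base (hypothetical, not the paper's table):
# signature -> (states it requires, states it produces).
CAUSAL = {
    "port_scan":         (set(), {"services_known"}),
    "ssh_bruteforce":    ({"services_known"}, {"creds_guessed"}),
    "ssh_login_success": ({"creds_guessed"}, {"host_compromised"}),
    "smb_exploit":       ({"services_known"}, {"host_compromised"}),
    "irc_c2_beacon":     ({"host_compromised"}, {"bot_joined"}),
    "icmp_ping":         (set(), set()),
}


def aggregate(alerts):
    """Collapse repeated (src, dst, signature) alerts into one record that keeps
    the first timestamp and a count. Chaining runs on the smaller aggregated set."""
    merged = {}
    for t, src, dst, sig in sorted(alerts):
        key = (src, dst, sig)
        if key in merged:
            merged[key][4] += 1
        else:
            merged[key] = [t, src, dst, sig, 1]
    return [tuple(v) for v in merged.values()]   # already in time order


def service_level(alerts):
    """Service-level engine: group aggregated alerts by destination IP, sort each
    group by time, and link alert i -> j when a state produced by i is required
    by a later alert j on the same host. Returns {dst_ip: [(sig_i, sig_j), ...]}."""
    by_dst = defaultdict(list)
    for rec in aggregate(alerts):
        by_dst[rec[2]].append(rec)
    paths = {}
    for dst, items in by_dst.items():
        items.sort()
        edges = []
        for i, (ti, _, _, si, _) in enumerate(items):
            _, produces = CAUSAL.get(si, (set(), set()))
            for tj, _, _, sj, _ in items[i + 1:]:
                needs, _ = CAUSAL.get(sj, (set(), set()))
                if tj > ti and produces & needs:
                    edges.append((si, sj))
        paths[dst] = edges
    return paths


def host_level(alerts):
    """Host-level engine: one edge per (src, dst) host pair at its first sighting,
    then follow dst -> next src hops in time order, starting from hosts that never
    appear as a destination. Returns a list of inter-host paths."""
    first = {}
    for t, src, dst, sig, _ in aggregate(alerts):
        first.setdefault((src, dst), (t, sig))
    edges = sorted((t, src, dst, sig) for (src, dst), (t, sig) in first.items())
    destinations = {d for _, _, d, _ in edges}
    paths = []
    for t, src, dst, _ in edges:
        if src in destinations:
            continue                      # not an entry point into the scenario
        path, last_t, cur = [src, dst], t, dst
        while True:
            nxt = [e for e in edges if e[1] == cur and e[0] > last_t]
            if not nxt:
                break
            last_t, _, cur, _ = nxt[0]    # earliest later hop out of cur
            path.append(cur)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for host, edges in service_level(ALERTS).items():
        print(host, edges)
    for path in host_level(ALERTS):
        print(" -> ".join(path))
```

The service-level result stays inside one host: the C2 beacon on 203.0.113.9 has no in-host predecessor, so it only becomes meaningful at the host level, where the compromise of 10.0.0.30 is followed by that host acting as a source. The ICMP noise from 10.0.0.7 is linked to nothing, because its only later hop out of 10.0.0.20 happened before it.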
Keywords: hierarchical alert correlation; complex attack; causal correlation; attack path; Botnet
Zhu Li-Na, Zhang Zuo-Chang, Feng Li
Department of Computer and Information Management, Guangxi University of Finance and Economics, Nanning; Center of Dependable and Secure Computing, Wuhan Digital Engineering Institute, Wuhan, China
Document type: International conference paper
Venue: Chengdu
Language: English
Pages: 386-390
2010-12-17 (date the record was first posted on the Wanfang platform, not the paper's publication date)