An Intrinsic Graphical Signature Based on Alert Correlation Analysis for Intrusion Detection

We propose a graphical signature for intrusion detection given alert sequences. By correlating alerts with their temporal proximity, we build a probabilistic graph-based model to describe a group of alerts that form an attack or normal behavior. Using the models, we design a pairwise measure based on manifold learning to measure the dissimilarities between different groups of alerts. A large dissimilarity implies different behaviors between the two groups of alerts. Such measure can therefore be combined with regular classification methods for intrusion detection. The proposed method makes the following contributions: (a) It automatically identifies groups of alerts that are frequent; (b) It summarizes them into a suspicious sequence of activity, representing them with graph structures; (c) It suggests a novel graph-based dissimilarity measure. We evaluate our framework mainly on Acer 2007, a private dataset gathered from a well-known Security Operation Center in Taiwan. The performance on the real data suggests that the proposed method can achieve high detection performance in attack coverage and tolerant the attack variations. No need for privacy information as the input makes the method easy to plug into existing system such as an intrusion detector. Moreover, the graphical structures and the representation from manifold learning naturally provide the visualized result suitable for further analysis from domain experts.