Discovering Attackers Past Behavior to Generate Online Hyper-Alerts
Author(s) -
Cláudio Toshio Kawakani,
Sylvio Barbon,
Rodrigo Sanches Miani,
Michel Cukier,
Bruno Bogaz Zarpelão
Publication year - 2017
Publication title -
isys - brazilian journal of information systems
Language(s) - English
Resource type - Journals
ISSN - 1984-2902
DOI - 10.5753/isys.2017.331
Subject(s) - computer science , intrusion detection system , cluster analysis , attack patterns , task (project management) , data mining , intrusion , representation (politics) , computer security , machine learning , geochemistry , geology , management , politics , political science , law , economics
To support information security, organizations deploy Intrusion Detection Systems (IDS) that monitor information systems and networks, generating alerts for every suspicious behavior. However, the huge number of alerts that an IDS triggers and their low-level representation make alert analysis a challenging task. In this paper, we propose a new approach based on hierarchical clustering that supports intrusion alert analysis in two main steps. First, it correlates historical alerts to identify the most common strategies attackers have used. Then, it associates upcoming alerts in real time with the strategies discovered in the first step. The experiments were performed using a real dataset from the University of Maryland. The results showed that the proposed approach could properly identify the attack strategy patterns from historical alerts, and organize the upcoming alerts into a smaller number of meaningful hyper-alerts.
Accelerating Research
Robert Robinson Avenue,
Oxford Science Park, Oxford
OX4 4GP, United Kingdom