
E-correlator: an entropy-based alert correlation system

Authors

  • Mohammad GhasemiGol (corresponding author)
    Data and Communication Security Lab, Department of Computer Engineering, Ferdowsi University of Mashhad, Mashhad, Iran
    Correspondence: Mohammad GhasemiGol, Department of Computer Engineering, Ferdowsi University of Mashhad, Mashhad, Iran. E-mail: ghasemigol@wali.um.ac.ir

  • Abbas Ghaemi-Bafghi

    Data and Communication Security Lab, Department of Computer Engineering, Ferdowsi University of Mashhad, Mashhad, Iran

Abstract

With the rapid growth in the size and complexity of computer networks, network supervisors face a new problem: analyzing and managing the large volume of security alerts generated by security devices. Alert correlation systems attempt to solve this problem by finding similarity and causality relationships between raw alerts and providing a high-level view of the network under surveillance. Several alert correlation methods have recently been proposed to detect known attack scenarios. This paper focuses on how to develop an intrusion-alert correlation system using only the information present in the raw alerts, without any predefined knowledge. For this purpose, we first define the concept of alert partial entropy to find the alert clusters that carry the same information. We then represent the alert clusters by an intelligible notation called hyper-alerts. The network supervisor can reduce the number of hyper-alerts based on the principle of maximum entropy or by using the concept of hyper-alert partial entropy. For better visualization, we define the hyper-alerts graph, which provides a global view of intrusion alerts. Our results show that the proposed entropy-based alert correlation system (E-correlator) can simplify the analysis of a large number of alerts. We achieved a promising reduction ratio of 99.98% in the LLS_DDOS_1.0 attack scenario of the DARPA2000 dataset, while the constructed hyper-alerts retain enough information to identify the attacker, the victim, and the attack scenario. Copyright © 2014 John Wiley & Sons, Ltd.
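As an added illustration of the entropy-driven clustering and reduction ratio described above (this is not the authors' code, and it does not reproduce their definition of alert partial entropy), the Python below groups a constructed set of IDS alerts into hyper-alerts using per-attribute Shannon entropy: attributes whose normalised entropy within a cluster is low split the cluster, attributes that vary across it are wildcarded. The split rule, the threshold `theta`, the field names and the sample alerts are all assumptions made here.

```python
import math
from collections import Counter, defaultdict

FIELDS = ("type", "src", "dst", "dport")

# Constructed sample alerts (not taken from the paper or from DARPA2000):
# a port scan, two repeated exploit signatures and some unrelated pings.
RAW = (
    [("SCAN", "10.0.0.5", "172.16.0.1", p) for p in range(20, 30)]
    + [("EXPLOIT_SADMIND", "10.0.0.5", "172.16.0.1", 111)] * 3
    + [("EXPLOIT_SADMIND", "10.0.0.5", "172.16.0.2", 111)] * 3
    + [("ICMP_PING", "192.168.1.9", "172.16.0.3", 0)] * 2
)
ALERTS = [dict(zip(FIELDS, a)) for a in RAW]


def entropy(values):
    """Shannon entropy (bits) of the value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def build_hyper_alerts(alerts, theta=0.5):
    """Recursively partition alerts into hyper-alerts (assumed rule, not the
    paper's). An attribute with normalised entropy H/log2(n) in (0, theta)
    takes few distinct values relative to the cluster size, so the cluster
    is split on it; an attribute at or above theta varies across the whole
    cluster and is wildcarded ('*') in the resulting hyper-alert."""
    n = len(alerts)
    ent = {f: entropy([a[f] for a in alerts]) for f in FIELDS}
    norm = math.log2(n) if n > 1 else 0.0  # a single alert is a leaf
    cand = {f: h / norm for f, h in ent.items() if norm and 0 < h / norm < theta}
    if not cand:
        hyper = {f: (alerts[0][f] if ent[f] == 0 else "*") for f in FIELDS}
        hyper["count"] = n  # how many raw alerts this hyper-alert summarises
        return [hyper]
    split = min(cand, key=cand.get)  # most concentrated attribute first
    groups = defaultdict(list)
    for a in alerts:
        groups[a[split]].append(a)
    return [h for g in groups.values() for h in build_hyper_alerts(g, theta)]


def reduction_ratio(alerts, hyper_alerts):
    """Fraction of raw alerts the supervisor no longer has to read one by one."""
    return 1 - len(hyper_alerts) / len(alerts)


if __name__ == "__main__":
    hyper = build_hyper_alerts(ALERTS)
    for h in hyper:
        print(h)
    print(f"reduction ratio: {reduction_ratio(ALERTS, hyper):.2%}")
```

On the constructed input the scan collapses into one hyper-alert with `dport` wildcarded and a count of 10, so 18 raw alerts become 4 hyper-alerts.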
