Intrusion Alert Correlation to Support Security Management

  • Cláudio Toshio Kawakani, State University of Londrina
  • Sylvio Barbon Junior, State University of Londrina
  • Rodrigo Sanches Miani, Federal University of Uberlândia
  • Michel Cukier, University of Maryland
  • Bruno Bogaz Zarpelão, State University of Londrina

Abstract

To support information security, organizations deploy Intrusion Detection Systems (IDS) that monitor information systems and networks and generate an alert for every suspicious behavior. However, the huge number of alerts an IDS triggers and their low-level representation make alert analysis a challenging task. In this paper, we propose a new approach based on hierarchical clustering that supports intrusion alert analysis in two main steps. First, it correlates historical alerts to identify the most typical strategies attackers have used. Then, it assigns incoming alerts in real time to the strategies discovered in the first step. The experiments were performed using a real data set from the University of Maryland. The results show that the proposed approach can provide useful information for security administrators and may reduce the time between a security event and the response.
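The two-step scheme the abstract describes, as an added example that is not the paper's own code: step 1 groups historical alerts by agglomerative (average-linkage) hierarchical clustering into candidate attack strategies, and step 2 maps each incoming alert to the closest strategy or flags it as unknown. The alert fields, the categorical distance and the 0.5 cutoff are assumptions of this example; the alerts are constructed.

```python
from itertools import combinations

# Constructed historical alerts: (signature, source network, dst port, protocol).
# The feature set and the categorical distance below are assumptions of this
# example, not the paper's.
HISTORY = [
    ("SSH brute force", "198.51.100.0/24", 22, "tcp"),
    ("SSH brute force", "198.51.100.0/24", 22, "tcp"),
    ("SSH user enumeration", "198.51.100.0/24", 22, "tcp"),
    ("SQL injection", "203.0.113.0/24", 80, "tcp"),
    ("SQL injection", "203.0.113.0/24", 443, "tcp"),
    ("Directory traversal", "203.0.113.0/24", 80, "tcp"),
    ("DNS amplification", "192.0.2.0/24", 53, "udp"),
]

def distance(a, b):
    """Fraction of fields on which two alerts differ (0.0 identical, 1.0 disjoint)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def average_linkage(c1, c2):
    """Mean pairwise distance between two clusters of alerts."""
    return sum(distance(a, b) for a in c1 for b in c2) / (len(c1) * len(c2))

def hierarchical_clusters(alerts, cutoff):
    """Step 1: agglomerative clustering of historical alerts. Repeatedly merge
    the two closest clusters until no pair is within `cutoff`; each surviving
    cluster is one candidate attack strategy."""
    clusters = [[a] for a in alerts]
    while len(clusters) > 1:
        (i, j), d = min(
            ((p, average_linkage(clusters[p[0]], clusters[p[1]]))
             for p in combinations(range(len(clusters)), 2)),
            key=lambda t: t[1])
        if d > cutoff:
            break
        clusters[i].extend(clusters.pop(j))  # j > i, so pop(j) leaves i valid
    return clusters

def assign_alert(alert, clusters, cutoff):
    """Step 2: index of the strategy closest to an incoming alert, or None when
    the alert is farther than `cutoff` from every known strategy (a new
    behaviour that deserves an analyst's attention)."""
    best = min(range(len(clusters)),
               key=lambda k: average_linkage([alert], clusters[k]))
    return best if average_linkage([alert], clusters[best]) <= cutoff else None

if __name__ == "__main__":
    strategies = hierarchical_clusters(HISTORY, 0.5)
    for k, c in enumerate(strategies):
        print(k, sorted({a[0] for a in c}))
    print(assign_alert(("SSH brute force", "198.51.100.0/24", 2222, "tcp"), strategies, 0.5))
```

With the constructed history this yields three strategies (an SSH campaign, a web-application campaign and a lone DNS amplification), and a brute-force alert against a non-standard SSH port is still associated with the SSH strategy.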

Keywords: Intrusion Detection, Alert Correlation, Security Management, Data Mining

Published
17/05/2016

KAWAKANI, Cláudio Toshio; BARBON JUNIOR, Sylvio; MIANI, Rodrigo Sanches; CUKIER, Michel; ZARPELÃO, Bruno Bogaz. Intrusion Alert Correlation to Support Security Management. In: SIMPÓSIO BRASILEIRO DE SISTEMAS DE INFORMAÇÃO (SBSI), 12., 2016, Florianópolis. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2016. p. 313-320. DOI: https://doi.org/10.5753/sbsi.2016.5977.