J4 ›› 2014, Vol. 41 ›› Issue (5): 84-90. doi: 10.3969/j.issn.1001-2400.2014.05.015

• Original Articles •

Comprehensive analysis of real-time alerts with attack strategy graphs

LI Longying; LI Jinku; MA Jianfeng; JIANG Qi

  1. (School of Computer Science and Technology, Xidian Univ., Xi'an 710071, China)
  • Received: 2013-06-22 Online: 2014-10-20 Published: 2014-11-27
  • Contact: LI Longying E-mail: leelongying@163.com


Alert correlation based on causal relations produces split scenario graphs and cannot process massive numbers of alerts in time. To address this issue, a comprehensive approach to analyzing real-time alerts with attack strategy graphs is proposed. First, it eliminates the splitting of the attack scenario graph by introducing hypothesized alerts into the alert correlation process. Second, it uses a novel sliding window mechanism, which maintains a window for each type of attack and determines the window's size according to both the time and the number of the alerts. This new mechanism introduces only linear time complexity without sacrificing effectiveness. Third, the approach is extended into a comprehensive system that reconstructs attack scenarios, predicts future alerts and fuses analytical results. Evaluation results indicate that the approach is effective and efficient.
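The per-attack-type sliding window described in the abstract, bounded by both alert age and alert count, as an added Python example that is not the paper's code. The predecessor graph, the alert tuples, the names and the bounds (60 seconds, 3 alerts) are constructed assumptions, and alerts are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque

# Assumed attack strategy graph: attack type -> attack types that may precede it.
PREDECESSORS = {"scan": [], "exploit": ["scan"], "exfil": ["exploit"]}


class TypedWindows:
    """One sliding window per attack type, bounded by alert age and alert count."""

    def __init__(self, max_age, max_count):
        self.max_age = max_age        # seconds an alert stays eligible for correlation
        self.max_count = max_count    # most alerts kept per attack type
        self.windows = defaultdict(deque)

    def _evict(self, attack_type, now):
        # Drop from the old end while the oldest alert is stale or the window is over-full.
        win = self.windows[attack_type]
        while win and (now - win[0][0] > self.max_age or len(win) > self.max_count):
            win.popleft()

    def correlate(self, ts, attack_type, alert_id):
        """Return (earlier_id, alert_id) edges to windowed alerts of predecessor types."""
        edges = []
        for prev_type in PREDECESSORS.get(attack_type, []):
            self._evict(prev_type, ts)
            edges.extend((prev_id, alert_id) for _, prev_id in self.windows[prev_type])
        self.windows[attack_type].append((ts, alert_id))
        self._evict(attack_type, ts)
        return edges


def build_scenario(alerts, max_age=60, max_count=3):
    """Feed (timestamp, attack_type, alert_id) tuples in order; return all edges."""
    windows = TypedWindows(max_age, max_count)
    edges = []
    for ts, attack_type, alert_id in alerts:
        edges.extend(windows.correlate(ts, attack_type, alert_id))
    return edges


# Constructed alert stream: a1 is pushed out by the count bound, a5 by the time bound.
SAMPLE_ALERTS = [
    (0, "scan", "a1"), (10, "scan", "a2"), (20, "scan", "a3"), (30, "scan", "a4"),
    (40, "exploit", "a5"), (200, "exfil", "a6"), (201, "exploit", "a7"),
    (205, "exfil", "a8"),
]

if __name__ == "__main__":
    for edge in build_scenario(SAMPLE_ALERTS):
        print(edge)
```

Each new alert is compared with at most `max_count` alerts per predecessor type, so the work in this example grows linearly with the number of alerts.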

Key words: intrusion detection systems, intrusion analysis, correlation analysis, attack scenarios

CLC Number: 

  • TP309