Title: Alert correlation using artificial immune recognition system

Authors: Mehdi Bateni; Ahmad Baraani; Ali Ghorbani

Addresses: Faculty of Engineering, Department of Computer Engineering, Hezar Jerib Ave., Isfahan, 81744, Iran; Faculty of Engineering, Department of Computer Engineering, Hezar Jerib Ave., Isfahan, 81744, Iran; Faculty of Computer Science, University of New Brunswick, P.O. Box 4400, Fredericton, N.B., E3B 5A3, Canada

Abstract: The high volume of low-level alerts generated by intrusion detection systems (IDSs) is a serious obstacle to using them effectively. These volumes of alerts overwhelm system administrators to the point that they can neither manage nor interpret them. Alert correlation is used to reduce the number of alerts and raise their level of abstraction: it selects a group of low-level alerts, maps them to a higher-level attack, and produces a single high-level alert for them. In this paper, a new artificial immune system-based alert correlation system, named AISAC, is presented. It learns the correlation probability between each pair of alert types and uses this knowledge to extract attack scenarios. AISAC does not need intensive domain knowledge or rule-definition effort, nor does it need the extracted knowledge to be updated manually. The computational cost of the learning algorithm is linear, and the initial learning is done offline using a very limited amount of general data. AISAC is evaluated on DARPA 2000 and netForensics Honeynet data. The results show that although it uses a relatively simple algorithm, it generates attack graphs with acceptable accuracy.
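The abstract describes the core idea at a high level: learn a correlation probability for each ordered pair of alert types, keep the pairs that are strong enough as edges of an attack graph, and use that graph to fold runs of low-level alerts into one high-level alert each. The following is an added illustration of that pipeline written for this page; it is not AISAC's code and does not implement the artificial immune recognition system the paper uses. The estimator (fraction of type-A alerts followed by a type-B alert within a time window), the threshold, the window length, the alert-type names and the sample alert stream are all constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Alert = Tuple[int, str]  # (timestamp in seconds, alert type)

# Constructed sample stream of low-level IDS alerts (not real IDS output):
# three runs of a four-step scenario, one probe that leads nowhere and two
# unrelated "NOISE" signature hits.  Alert-type names are made up.
SAMPLE_ALERTS: List[Alert] = [
    (0, "PROBE"), (5, "EXPLOIT"), (12, "PRIV_ESC"), (20, "EXFIL"),
    (100, "PROBE"), (104, "EXPLOIT"), (111, "PRIV_ESC"),
    (200, "PROBE"),
    (300, "PROBE"), (302, "EXPLOIT"), (310, "PRIV_ESC"), (330, "EXFIL"),
    (400, "NOISE"), (500, "NOISE"),
]


def learn_pair_probabilities(alerts: List[Alert], window: int) -> Dict[Tuple[str, str], float]:
    """Estimate P(B follows A within `window` seconds) for every ordered pair of types.

    Every occurrence of type A is one trial; it counts as a success for B when at least
    one B alert appears in (t_A, t_A + window].  Self-pairs are skipped.  One pass over
    the sorted stream, so the cost is linear in the stream length times alerts per window.
    Pairs never observed are absent from the result (probability 0).
    """
    alerts = sorted(alerts)
    trials: Dict[str, int] = defaultdict(int)
    successes: Dict[Tuple[str, str], int] = defaultdict(int)
    for i, (t_a, a) in enumerate(alerts):
        trials[a] += 1
        followers = set()
        for t_b, b in alerts[i + 1:]:
            if t_b - t_a > window:
                break  # stream is sorted, nothing later can be inside the window
            if b != a:
                followers.add(b)
        for b in followers:
            successes[(a, b)] += 1
    return {pair: n / trials[pair[0]] for pair, n in successes.items()}


def extract_attack_graph(probs: Dict[Tuple[str, str], float], threshold: float) -> Dict[str, set]:
    """Keep the pairs whose learned probability reaches `threshold` as directed edges."""
    graph: Dict[str, set] = defaultdict(set)
    for (a, b), p in probs.items():
        if p >= threshold:
            graph[a].add(b)
    return dict(graph)


def correlate(alerts: List[Alert], graph: Dict[str, set], window: int) -> List[List[Alert]]:
    """Group low-level alerts into scenarios in a single pass over the stream.

    An alert joins the earliest scenario containing an alert whose type has an edge to
    it in the graph and that is no older than `window` seconds; otherwise it opens a
    new scenario.  Alerts of types with no incoming edge always start their own.
    """
    scenarios: List[List[Alert]] = []
    for t, typ in sorted(alerts):
        for scenario in scenarios:
            if any(typ in graph.get(a, ()) and t - t_a <= window for t_a, a in scenario):
                scenario.append((t, typ))
                break
        else:
            scenarios.append([(t, typ)])
    return scenarios


def high_level_alerts(scenarios: List[List[Alert]], min_len: int = 2) -> List[Tuple[int, int, List[str]]]:
    """Each multi-step scenario becomes one high-level alert: (start, end, ordered step types)."""
    return [(s[0][0], s[-1][0], [typ for _, typ in s]) for s in scenarios if len(s) >= min_len]


if __name__ == "__main__":
    probs = learn_pair_probabilities(SAMPLE_ALERTS, window=60)
    graph = extract_attack_graph(probs, threshold=0.6)
    scenarios = correlate(SAMPLE_ALERTS, graph, window=60)
    print(f"{len(SAMPLE_ALERTS)} low-level alerts -> {len(high_level_alerts(scenarios))} high-level alerts")
    for a, targets in sorted(graph.items()):
        print(f"{a} -> {sorted(targets)}")
```

On the constructed stream the learned graph is PROBE -> {EXPLOIT, PRIV_ESC}, EXPLOIT -> {PRIV_ESC, EXFIL} and PRIV_ESC -> {EXFIL}; the lone probe and the two NOISE hits stay as single-alert scenarios and are not reported as high-level alerts, which is the reduction the abstract is after. The threshold is the knob that trades missed steps against spurious edges: the PROBE -> EXFIL pair sits at 0.5 here and is dropped, while the 2/3 pairs survive.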

Keywords: intrusion detection systems; IDS; alert correlation; artificial immune recognition systems; AIRS; artificial immune systems; low-level alerts; high-level alerts; attack graphs; security.

DOI: 10.1504/IJBIC.2012.047240

International Journal of Bio-Inspired Computation, 2012 Vol.4 No.3, pp.181 - 195

Received: 27 Aug 2011
Accepted: 17 Mar 2012

Published online: 22 Sep 2014
