Method and architecture for online classification-based intrusion alert correlation
Abstract
A method and architecture for on-line classification-based intrusion alert correlation are provided. The method applies a layered architecture to split and correlate alerts. An alert-splitting technique separates the mostly general alerts from the more valuable or complicated ones, and only the more important alerts are correlated with known attack scenarios to discover important attack information. This removes two drawbacks of the prior art: correlations that are shielded (masked by the mass of general alerts) and over-consumption of computation resources.
17 Claims
1. A method for on-line classification-based intrusion alert correlation, comprising:
a. splitting a plurality of alerts into a plurality of situation alerts and a plurality of non-situation alerts;
b. correlating the situation alerts matching one of a fan-in situation, a fan-out situation and a focusing situation as a situation-intensive incident, and classifying the remaining situation alerts as residual alerts;
c. correlating the non-situation alerts matching a non-situation attack scenario as a plurality of semi-incidents; and
d. correlating the semi-incidents, the situation-intensive incidents and the residual alerts, and then generating an information security incident if that correlation is successful. (Dependent claims: 2, 3, 4, 5, 6)
7. Architecture for on-line classification-based intrusion alert correlation, comprising:
a situation layer, for splitting a plurality of alerts into a plurality of situation alerts and a plurality of non-situation alerts; and
a scenario layer, for saving a plurality of situation correlation results of the situation alerts in a situation layer and the non-situation alerts, further correlating the non-situation alerts matching a same non-situation attack scenario as a same semi-incident, and then correlating the resulting semi-incident with the situation correlation results as an information security incident. (Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
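As an added illustration of the four steps in claim 1 and the two layers in claim 7 (example code written for this page, not the patent's own implementation), the following Python sketch runs the split, situation, scenario and final correlation over constructed alerts. The signature classes, the scenario definition, the threshold, the reading of fan-in/fan-out/focusing as source-to-destination topology patterns, and the shared-host rule used in step d are all assumptions, since the claims above do not define them.

```python
from collections import Counter, defaultdict
# Assumed signature classes and attack scenario (not defined in the patent text).
SITUATION_SIGS = {"portscan", "icmp_sweep", "ssh_brute"}
SCENARIOS = {"web_compromise": ["sqli", "webshell_upload", "reverse_shell"]}
THRESHOLD = 3  # distinct peers (fan-in/fan-out) or repeats (focusing) required
# Constructed sample alerts: (signature, source, destination)
ALERTS = [("portscan", "10.0.0.5", "10.0.1.1"), ("portscan", "10.0.0.5", "10.0.1.2"),
          ("portscan", "10.0.0.5", "10.0.1.3"), ("icmp_sweep", "10.0.0.9", "10.0.1.7"),
          ("sqli", "10.0.0.5", "10.0.1.2"), ("webshell_upload", "10.0.0.5", "10.0.1.2"),
          ("reverse_shell", "10.0.0.5", "10.0.1.2"), ("sqli", "192.168.1.4", "10.0.1.8")]

def split_alerts(alerts):
    """Step a: situation alerts (topology/volume patterns) vs. non-situation alerts."""
    return ([a for a in alerts if a[0] in SITUATION_SIGS],
            [a for a in alerts if a[0] not in SITUATION_SIGS])

def correlate_situations(sit, threshold=THRESHOLD):
    """Step b: fan-in (many src -> one dst), fan-out (one src -> many dst), focusing
    (one pair repeated); situation alerts absorbed by none are residual alerts."""
    by_dst, by_src, by_pair = defaultdict(set), defaultdict(set), Counter()
    for _, src, dst in sit:
        by_dst[dst].add(src); by_src[src].add(dst); by_pair[(src, dst)] += 1
    fan_in = {d for d, s in by_dst.items() if len(s) >= threshold}
    fan_out = {s for s, d in by_src.items() if len(d) >= threshold}
    used = {(s, d) for s, d in by_pair if d in fan_in or s in fan_out}
    focusing = {p for p, n in by_pair.items() if n >= threshold and p not in used}
    incidents = ([("fan-in", d) for d in fan_in] + [("fan-out", s) for s in fan_out]
                 + [("focusing", p) for p in focusing])
    return incidents, [a for a in sit if (a[1], a[2]) not in used | focusing]

def correlate_scenarios(non):
    """Step c: per (src, dst) pair, scenario steps seen in order form a semi-incident."""
    seqs = defaultdict(list)
    for sig, src, dst in non:
        seqs[(src, dst)].append(sig)
    semi = []
    for pair, sigs in seqs.items():
        for name, steps in SCENARIOS.items():
            it = iter(sigs)  # 'step in it' consumes the iterator: ordered subsequence test
            if all(step in it for step in steps):
                semi.append((name, pair))
    return semi

def correlate(alerts):
    """Step d: a semi-incident tied to a situation incident or residual alert -> incident."""
    sit, non = split_alerts(alerts)
    incidents, residual = correlate_situations(sit)
    hosts = {h for kind, key in incidents for h in (key if kind == "focusing" else [key])}
    hosts |= {h for _, s, d in residual for h in (s, d)}
    return [(n, p) for n, p in correlate_scenarios(non) if set(p) & hosts]
```

With the constructed alerts, the fan-out scan from 10.0.0.5 supplies the situation context that promotes the web_compromise semi-incident against 10.0.1.2 to an incident, while the lone sqli from 192.168.1.4 matches no scenario and is discarded.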