Method and architecture for online classification-based intrusion alert correlation

US 20070008098A1
Filed: 07/08/2005
Published: 01/11/2007
Est. Priority Date: 07/08/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for on-line classification-based intrusion alert correlation, comprising:

a. splitting a plurality of alerts into a plurality of situation alerts and a plurality of non-situation alerts;

b. correlating the situation alerts matching one of a fan-in situation, a fan-out situation and a focusing situation as a situation-intensive incident, and classifying the remaining situation alerts as residual alerts;

c. correlating the non-situation alerts matching a non-situation attack scenario as a plurality of semi-incidents; and

d. correlating the semi-incidents, the situation-intensive incidents and the residual alerts, and then generating an information security incident if that correlation is successful.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and architecture for on-line classification-based intrusion alert correlation are provided. This method applies layered architecture to split and correlate alerts. An alert-splitting technique is used to separate mostly general alerts from more valuable or complicated alerts. Only more important alerts are selected to correlate with known attack scenarios to discover important attack information. Therefore, the disadvantages in the prior art where correlation is shielded and over-consumption of computation resource are solved.

Citations

17 Claims

1. A method for on-line classification-based intrusion alert correlation, comprising:
- a. splitting a plurality of alerts into a plurality of situation alerts and a plurality of non-situation alerts;
  
  b. correlating the situation alerts matching one of a fan-in situation, a fan-out situation and a focusing situation as a situation-intensive incident, and classifying the remaining situation alerts as residual alerts;
  
  c. correlating the non-situation alerts matching a non-situation attack scenario as a plurality of semi-incidents; and
  
  d. correlating the semi-incidents, the situation-intensive incidents and the residual alerts, and then generating an information security incident if that correlation is successful.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the situation alerts comprise scanning alerts, flooding alerts and continuous attack alerts.
  - 3. The method of claim 1, wherein the condition of fan-in situation is that among situation alerts with a same target and effect, the amount of distinct sources and the amount of alerts are all over their respective thresholds within a sliding window of time.
  - 4. The method of claim 1, wherein the condition of fan-out situation is that among situation alerts with a same source and effect, the amount of distinct targets and the amount of alerts are all over their respective thresholds within a sliding window of time.
  - 5. The method of claim 1, wherein the condition of focusing situation is that among situation alerts with a same source, target and effect, the amount of alerts are all over a specific threshold within a sliding window of time.
  - 6. The method of claim 1, wherein a non-situation attack scenario is based on a known attack scenario with its situation steps marked as delay correlation.

7. Architecture for on-line classification-based intrusion alert correlation, comprising:
- a situation layer, for splitting a plurality of alerts into a plurality of situation alerts and a plurality of non-situation alerts; and
  
  a scenario layer, for saving a plurality of situation correlation results of the situation alerts in a situation layer and the non-situation alerts, further correlating the non-situation alerts matching a same non-situation attack scenario as a same semi-incident, and then correlating the resulted semi-incident with the situation correlation results as an information security incident.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 8. The architecture of claim 7, wherein the situation layer comprises:
    - a splitting device, for splitting the alerts into a plurality of situation alerts and a plurality of non-situation alerts, and transmitting the non-situation alerts to the scenario layer; and
      
      a situation correlation engine, for correlating the situation alerts matching condition of a same fan-in situation, fan-out situation and focusing situation as a same situation-intensive incident, classifying the remaining situation alerts to residual alerts, and transmitting the situation-intensive incident and the residual alerts to the scenario layer.
  - 9. The architecture of claim 7, wherein the scenario layer comprises a plurality of non-situation attack scenarios, wherein each of non-situation attack scenarios describes non-situation steps of a known attack scenario as a reference of correlating a semi-incident;
    - and a scenario correlation engine, for correlating the non-situation alerts matching a same non-situation scenario as a same semi-incident, further correlating the resulted semi-incident with the received situation-intensive incident and the residual alerts to form an information security incident if that the correlation is successful.
  - 10. The architecture of claim 7, wherein the situation alerts comprise scanning alerts, flooding alerts and continuous attack alerts.
  - 11. The architecture of claim 8, wherein the condition of a fan-in situation is that among situation alerts with a same target and effect, the amount of distinct sources and the amount of alerts are all over their respective thresholds within a sliding window of time.
  - 12. The architecture of claim 8, wherein the condition of fan-out situation is that among situation alerts with a same source and effect, the amount of distinct targets and the amount of alerts are all over their respective thresholds within a sliding window of time.
  - 13. The architecture of claim 8, wherein the condition of focusing situation is that among situation alerts with a same source, target and effect, the amount of alerts are all over a specific threshold within a sliding window of time.
  - 14. The architecture of claim 7, wherein a non-situation attack scenario is based on a known attack scenario with its situation steps marked as delay correlation.
  - 15. The architecture of claim 8, wherein the situation layer further comprises:
    - a filter, for filtering a plurality of un-related alerts and incomplete alerts; and
      
      an aggregating device, aggregating a plurality of similar alerts which are received within a short time duration as an alert.
  - 16. The architecture of claim 8, wherein if the situation layer is replaced by multiple situation layers, their relationships comprise:
    - the non-situation alerts formed by the splitting device of each of the situation layers being sent to the same scenario layer; and
      
      the situation-intensive incidents and the residual alerts resulted by the situation correlation engine of each of the situation layers being sent to the same scenario layer.
  - 17. The architecture of claim 7, wherein the deployment of the situation layer and the scenario layer comprises:
    - deploying a scenario layer and a situation layer at a same location, and using the scenario layer as security operation center; and
      
      using a scenario layer as a security operation center, and deploying multiple situation layers at various locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Chung-Shan Institute of Science & Technology Armaments Bureau MND (Government of The Republic of China)
Original Assignee
Chung-Shan Institute of Science & Technology Armaments Bureau MND (Government of The Republic of China)
Inventors
Wong, Hsing-Kuo

Application Number

US11/177,803
Publication Number

US 20070008098A1
Time in Patent Office

Days
Field of Search
US Class Current

340/506
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1458 Denial of Service

Method and architecture for online classification-based intrusion alert correlation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and architecture for online classification-based intrusion alert correlation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links