Discovering Coordinated Groups of IP Addresses Through Temporal Correlation of Alerts

Discovering Coordinated Groups of IP Addresses Through Temporal Correlation of Alerts

Network-based monitoring and intrusion detection systems generate a high number of alerts reporting the suspicious activity of IP addresses. The majority of alerts are dropped due to their low relevance, low priority, or due to high number of alerts themselves. We assume that these alerts still cont...

Full description

Bibliographic Details
Main Authors: Martin Zadnik, Jan Wrona, Karel Hynek, Tomas Cejka, Martin Husak
Format: Article
Language:English
Published: IEEE 2022-01-01
Series:IEEE Access
Subjects:
Alerts
clustering
correlation
IP address
situational awareness
Online Access:https://ieeexplore.ieee.org/document/9849653/
Description
Summary:Network-based monitoring and intrusion detection systems generate a high number of alerts reporting the suspicious activity of IP addresses. The majority of alerts are dropped due to their low relevance, low priority, or due to high number of alerts themselves. We assume that these alerts still contain valuable information, namely, about the coordination of IP addresses. Knowledge of the coordinated IP addresses improves situational awareness and reflects the requirement of security analysts as well as automated reasoning tools to have as much contextual information as possible to make an informed decision. To validate our assumption, we introduce a novel method to discover the groups of coordinated IP addresses that exhibit a temporal correlation of their alerts. We evaluate our method on data from a real sharing platform reporting approximately 1.5 million alerts per day. The results show that our method can indeed discover groups of truly coordinated IP addresses.
ISSN:2169-3536

Similar Items