An Intrusion Action-Based IDS Alert Correlation Analysis and Prediction Framework

Since the rapid development of the internet, the emergence of network intrusion has become the focus of studies for scholars and security enterprises. As an important device for detecting and analyzing malicious behaviors in networks, IDS (Intrusion Detection Systems) is widely deployed in enterprises, organizations and plays a very important role in cyberspace security. The massive log data produced by IDS not only contains information about intrusion behaviors but also contains potential intrusion patterns. Through normalizing, correlating, and modeling data, we can obtain the patterns of different intrusion scenarios. Based on the previous works in the area of alert correlation and analyzing, this paper proposed a framework named IACF (Intrusion Action Based Correlation Framework), which improved the process of alert aggregating, action extraction, and scenario discovery, and applied a novel method for extracting intrusion sessions based on temporal metrics. The proposed framework utilized a new grouping method for raw alerts based on the concept of intrinsic strong correlations, rather than the conventional time windows and hyper alerts. For discovering high stable correlations between actions, redundant actions and action link modes are removed from sessions by a pruning algorithm to reduce the impact of false positives, finally, a correlation graph is constructed by fusing the pruned sessions, based on the correlation graph, a prediction method for the future attack is proposed. The experiment result shows that the framework is efficient in alert correlation and intrusion scenario construction.