Correlating Alerts Using Prerequisites of Intrusions
Authors
Abstract
Intrusion detection has been studied for about twenty years since Anderson's report. However, intrusion detection techniques are still far from perfect. Current intrusion detection systems (IDSs) usually generate a large number of false alerts and cannot fully detect novel attacks or variations of known attacks. In addition, all the existing IDSs focus on low-level attacks or anomalies; none of them can capture the logical steps or strategies behind these attacks. Consequently, the IDSs usually generate a large number of alerts. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and take appropriate actions. This paper presents a novel approach to address these issues. The proposed technique is based on the observation that most intrusions are not isolated but related as different stages of attack sequences, with the early stages preparing for the later ones. In other words, there are often logical steps or strategies behind a series of attacks. The proposed approach correlates alerts using prerequisites of intrusions. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful. For example, the existence of a vulnerable service is the prerequisite of a remote buffer overflow attack against the service. The proposed approach identifies the prerequisite (e.g., existence of vulnerable services) and the consequence of each type of attack, and correlates the corresponding alerts by matching the consequence of some previous alerts with the prerequisite of some later ones. The proposed approach has several advantages. First, it provides a high-level representation of the correlated alerts, and thus reveals the structure of a series of attacks. Second, it can reduce the impact of false alerts by keeping only correlated alerts. Third, it can potentially be applied to predict attacks in progress, and allows intrusion response systems to take appropriate actions to stop the ongoing attacks. Our preliminary experiments have demonstrated the potential of the proposed approach in reducing false alerts and uncovering high-level attack strategies.
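The matching step the abstract describes, as an added Python sketch that is not the paper's own code: each alert type carries prerequisite and consequence predicate templates (a constructed, hypothetical catalogue here), an earlier alert "prepares for" a later one when an instantiated consequence equals an instantiated prerequisite, and alerts that take part in no such edge are the uncorrelated ones the approach would discard.

```python
from dataclasses import dataclass

# Hypothetical hyper-alert type catalogue (constructed for this example): each type lists
# the predicate templates that must hold beforehand ("pre") and those it establishes ("post").
# A template is (predicate name, alert attribute names...) and is instantiated per alert.
HYPER_ALERT_TYPES = {
    "ICMP_PING":   {"pre": [], "post": [("ExistHost", "DestIP")]},
    "PORT_SCAN":   {"pre": [("ExistHost", "DestIP")],
                    "post": [("ExistService", "DestIP", "DestPort")]},
    "REMOTE_BOF":  {"pre": [("ExistService", "DestIP", "DestPort")],
                    "post": [("GainAccess", "DestIP")]},
    "DDOS_DAEMON": {"pre": [("GainAccess", "DestIP")],
                    "post": [("ReadyForDDoS", "DestIP")]},
}

@dataclass
class Alert:
    aid: int
    atype: str
    attrs: dict   # attribute values reported by the IDS, e.g. {"DestIP": ..., "DestPort": ...}
    begin: int    # begin/end timestamps of the detected activity
    end: int

def instantiate(alert, key):
    """Concrete facts for an alert's prerequisites ("pre") or consequences ("post")."""
    facts = set()
    for name, *fields in HYPER_ALERT_TYPES[alert.atype][key]:
        facts.add((name,) + tuple(alert.attrs[f] for f in fields))
    return facts

def prepares_for(a, b):
    """a prepares for b iff a consequence of a is a prerequisite of b and a ends before b begins."""
    return a.end < b.begin and bool(instantiate(a, "post") & instantiate(b, "pre"))

def correlate(alerts):
    """Prepare-for edges (earlier id, later id) plus the ids of alerts taking part in any edge;
    alerts outside that set are isolated and are the candidates to be discarded as false alerts."""
    edges = [(a.aid, b.aid) for a in alerts for b in alerts if a is not b and prepares_for(a, b)]
    return edges, {aid for edge in edges for aid in edge}

# Constructed sample alerts: a four-step chain against 10.0.0.5 plus two unrelated alerts.
ALERTS = [
    Alert(1, "ICMP_PING", {"DestIP": "10.0.0.5"}, 100, 100),
    Alert(2, "PORT_SCAN", {"DestIP": "10.0.0.5", "DestPort": 111}, 120, 125),
    Alert(3, "REMOTE_BOF", {"DestIP": "10.0.0.5", "DestPort": 111}, 200, 201),
    Alert(4, "DDOS_DAEMON", {"DestIP": "10.0.0.5"}, 300, 300),
    Alert(5, "PORT_SCAN", {"DestIP": "10.0.0.9", "DestPort": 22}, 150, 155),
    Alert(6, "ICMP_PING", {"DestIP": "10.0.0.9"}, 160, 160),  # after the scan: cannot prepare for it
]
```

Running `correlate(ALERTS)` yields the edges (1, 2), (2, 3), (3, 4) and leaves alerts 5 and 6 uncorrelated, since the ping of 10.0.0.9 arrives after the scan it would have to prepare for.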
Similar sources
Correlating Alerts Using Prerequisites of Intrusions: Towards Reducing False Alerts & Uncovering High Level Attack Strategies
An Intrusion Alert Correlator Based on Prerequisites of Intrusions
Current intrusion detection systems (IDSs) usually focus on detecting low-level attacks and/or anomalies; none of them can capture the logical steps or attack strategies behind these attacks. Consequently, the IDSs usually generate a large amount of alerts. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the amount of alerts...
Analyzing Intensive Intrusion Alerts via Correlation
Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion r...
Towards Automating Intrusion Alert Analysis
Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive attacks, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion resp...
Case-Oriented Alert Correlation
Correlating alerts is of importance for identifying complex attacks and discarding false alerts. Most popular alert correlation approaches employ some well-defined knowledge to uncover the connections among alerts. However, acquiring, representing and justifying such knowledge has turned out to be a nontrivial task. In this paper, we propose a novel method to work around these difficulties by u...
Journal:
Volume / Issue:
Pages: -
Publication date: 2001