Real-Time Correlation of Network Security Alerts

Abstract

With the growing deployment of network security devices, it becomes a great challenge to manage the large volume of security alerts from these devices. In this paper a novel method using sequential pattern mining algorithm is applied to discover complicated multistage attack behavior patterns. Their result can be transformed into rules automatically. In contrast with other approaches, it overcomes the drawback of high dependence on precise attack specifications and accurate rule definitions. Based on the algorithms, a real-time alert correlation system is proposed to detect an ongoing attack and predict the upcoming next step of a multistage attack in real time. Consequently, network administrator can be aware of the threat as soon as possible and take deliberate action to prevent the target of an attack from further compromise. We implement the system and valid our method by a series of experiments with test dataset and in real network environment. The result shows the effectivity of the system in discovery and predication of attacks.