
2010 International Conference of Information Science and Management Engineering

Intrusion Alerts Correlation Based Assessment of Network Security


Jin SHI, Guangwei HU, Mingxin LU*
School of National Information Security, State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, P. R. China
shijin@dislab.nju.edu.cn, huguangwei@dislab.nju.edu.cn, zgnjack@163.com

Li XIE
State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, P. R. China
xieli@dislab.nju.edu.cn

Abstract: Traditional network security assessment technologies are usually qualitative analyses over a wide variety of security factors, and it is difficult for them to guide security managers in configuring network security mechanisms. A new quantitative network security analysis method called ACRL is presented in this paper. It assesses attack sequences from their credibility, their risk and the loss to the system, and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position, and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment with our method shows favorable and promising results.

Keywords: Alerts Correlation; Security Assessment; Risk Analysis; Credibility Analysis; System Loss Analysis

978-0-7695-4132-7/10 $26.00 © 2010 IEEE, DOI 10.1109/ISME.2010.156

I. INTRODUCTION

With the growth of the Internet and of the range of computer applications, network security has become an important factor in social and economic development and one of the focuses of the world's attention. But as network attacks become increasingly widespread and attack tools increasingly diverse, traditional network security protection technologies are unable to meet the actual needs of network development. There is an urgent need for new research methods of network security protection. In view of the serious problems of current network security, how to build networks with security services based on credibility has become a hot spot of current research. Network security assessment, especially the quantitative characterization of network security and guidance for the construction and modification of network security mechanisms and measures, is one of the important basic theories for building security services based on credibility. At present, most assessments of network security are qualitative analyses over a wide variety of security factors. It is difficult for them to guide security managers in configuring or modifying network security mechanisms. Therefore, quantitative analysis of network security, especially in detail and in position, is an important research area of network security. ACRL (Assessment of Credibility, Risk and the Loss of system), a new quantitative network security analysis method, is presented in this paper. It assesses attack sequences from three aspects: credibility, risk and the loss to the system. ACRL can effectively help security managers understand the current attack situation of the network from different aspects. On one hand, it can assess the network security mechanisms and measures in position, that is, it can assess the network security mechanisms in the nodes of the attack sequences. On the other hand, it can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail.

The remainder of this paper is organized as follows. The next section discusses related work. Section 3 describes the security assessment algorithm based on alerts correlation in detail. An experiment, along with the results, is described in Section 4. The conclusion is in Section 5.

II. RELATED WORK

Intrusion detection has been studied for about thirty years since Anderson's report [1]. Research on intrusion alert correlation has been rather active recently. The most effective methods [2, 3] target the recognition of multistage attacks; they correlate alerts if the prerequisites of some later alerts are satisfied by the consequences of some earlier alerts. Such methods can potentially uncover the causal relationship between alerts, and are not restricted to known attack scenarios. Using alert correlation to help security managers reinforce the security state has been proposed in work such as [4, 5], but these all focus on reaction to attack scenarios. Direct reaction to an attack is not a good idea because of the high false positive ratio of alerts. We focus on assessing the attack scenario to provide a quantitative value that helps the system manager react to the attacks and optimize the configuration of the system. Previous research on risk assessment methods [6, 7] is almost all qualitative and targeted at the system overall. ACRL focuses on assessment in position and within the network system. It can help system managers quantitatively adjust the configuration of the network system in detail.

III. SECURITY ASSESSMENT ALGORITHM BASED ON ALERTS CORRELATION

A. Elements

1) Node Values and Service Values
A node value is a measurable quantity that states how valuable a node is. The node value ranges from 1 to N. Like nodes, each service can be assigned a service value, which states how valuable the service is; its scope is from 1 to M. The scope and value of the node value and the service value are appointed by the security manager based on the specific situation of the whole system.

2) Node Secure Levels
As a node value represents the importance of the node, a node secure level represents the secure degree of the node. A node secure level is a quantitative value appointed by the security manager from the operating system and its version, the applications, the open services and ports, the security mechanisms of the node, as well as the node's location in the network.

B. Alert credibility and risks calculation
In this paper, a multi-fuzzy model identification method is used to assess alert credibility and risk, as follows. Set the assessment-factor set as $U = \{U_1, U_2\}$, in which $U_1$ represents the alert's credibility and $U_2$ the alert's risk level. $U_1$ and $U_2$ are determined by the following factors: $U_1 = \{u_{11}, u_{12}, u_{13}, u_{14}\}$, in which $u_{11}, u_{12}, u_{13}, u_{14}$ represent the environment matching level, the credibility of the attack style, the factor of related attacks and the node's secure level respectively; $U_2 = \{u_{21}, u_{22}, u_{23}\}$, in which $u_{21}, u_{22}, u_{23}$ represent the alert's self risk level, the node value and the service value respectively. Finally, $u_{11} = \{w_1, w_2, w_3, w_4, w_5\}$, in which $w_1, w_2, w_3, w_4, w_5$ represent the factors of the operating system, the hardware, the service, the port and the application. It is calculated as follows:

1) Calculating the environment matching level $u_{11}$ from the known environmental factors. Set the judge set $p = \{0.1, 0.2, \ldots, 1\}$, which represents 10 levels of the environment matching level from low to high. Determine the matching level of $w_1, w_2, w_3, w_4, w_5$ against each judge level; then the match matrix $R = \{R_{ij}\}$ is set up. Its values are determined by experts or from learning. In this paper, a simple method is used, that is, set $R_{ij} = p_i$, which represents that the environment matching level of factor $w_j$ is $p_i$ when the judge level is $p_i$. For instance, $R_{34} = 0.3$ represents that the matching level between the alert's port and the node's port must be 0.3 when the environment matching level is 0.3. Taking into account the actual situation of operating systems, we appoint that the matching states are of only three kinds, matching, not matching and unknown, whose matching levels are 1, 0 and 0.5 respectively. Then we can calculate the judge matching level from the closeness degree between the actual matching level of every factor and the standard matching level of every judge degree. The influence of each factor's matching situation on the alert's matching situation is different, so a weight $\lambda_1, \ldots, \lambda_5$ for every factor is needed, in which $\sum_{i=1}^{5} \lambda_i = 1$. The Euclid closeness degree is used to calculate the closeness degree:

$$\sigma(r, R_j) = 1 - \sqrt{\frac{1}{5} \sum_{i=1}^{5} \lambda_i \, (r_i - R_{ij})^2} \qquad (1)$$

in which $r = (r_1, r_2, r_3, r_4, r_5)$ represents the actual matching level of alert $r$, and $\sigma(r, R_j)$ represents the degree to which the actual environment matching level is $j$.

2) Calculating the credibility and risk level gradually in the same way as the environment matching level. Similar to Step 1, appointing the corresponding judge set and setting up the standard matching matrices are the first two steps in calculating the credibility and risk level. The actual values of the type of an alert and of the other factors are defined as follows: the credibility states of the types of alerts are divided into high, medium and low, whose matching levels are 1, 0.6 and 0.2 respectively; the states of related attacks are of three types, strong, weak and non-related, whose values are 1, 0.7 and 0.4 respectively; the self risk levels of alerts are set from the normal degrees of the IDS as high, medium and low, whose values are 1, 0.6 and 0.2 respectively. The Euclid closeness degree is also used in the closeness degree calculation. Finally, the risk level and the credibility can be calculated.

C. The Credibility Analysis of Attack Sequence
The nodes of the attack scenario graph are alerts whose credibility can be calculated from the environment matching, the state of related attacks, the attack style and the node's secure level. Putting the alert credibility on every node of the attack scenario can help security managers find the most likely attack sequence by calculating every attack sequence's credibility. Set attack sequence $S = \{a_1, a_2, \ldots, a_n\}$ consisting of $n$ alerts $a_1, a_2, \ldots, a_n$. If the credibility of alert $a_i$ is $p_i$, $i = 1, 2, \ldots, n$, then the credibility of attack sequence $S$ is

$$p_S = 1 - \prod_{i=1}^{n} (1 - p_i) \qquad (2)$$

It represents the credibility of the attack sequence $S$.

D. The Risk Analysis of Attack Sequence
As attacks are against different nodes and different services, their risk levels to the system are different; attacks with different purposes and carried out in different ways also affect the risk level to the system. In this paper, in accordance with the definition of the risk level of alerts, we can calculate the risk level of the attack sequences in the attack correlation graph. If the self risk level of $a_i$ is $r_i$, and the node value and the service value are $n_i$ and $s_i$, then the risk level of attack sequence $S$ is

$$r_S = \sum_{i=1}^{n} r_i \, n_i \, s_i \qquad (3)$$

It represents the risk degree to the system if sequence $S$ is successful.

E. The Loss Analysis of System
The loss of the system can be attributed to the comprehensive assessment of the attack sequences in the attack scenario graph. It is defined as the total loss expectation of all attack sequences. The loss of the $i$th alert $a_i$ is assessed as $\ell_i$. The credibility of the $(i+1)$th alert is $p_{i+1}$. Then the credibility from the first alert $a_1$ to the $i$th alert $a_i$ is

$$p_{1,i} = 1 - \prod_{k=1}^{i} (1 - p_k) \qquad (4)$$

And the total loss of the attack sequence to the system is

$$\ell_S = \sum_{i=1}^{n} E(\ell_i) = \sum_{i=1}^{n} (\ell_i \, p_{1,i}) \qquad (5)$$

In this paper, the loss of alert $a_i$ is set as its risk level, that is

$$\ell_i = r_i \, n_i \, s_i \qquad (6)$$

Then

$$\ell_S = \sum_{i=1}^{n} (\ell_i \, p_{1,i}) \qquad (7)$$

IV. EXPERIMENTAL ANALYSIS

A. Experimental Environment

[Figure 1: diagram of the experimental environment; labelled elements: IDS, Mplat, Firewall, DNS, Node2, PrS, PuS, Node1]
Figure 1. Experimental environment

The experimental environment is shown in Figure 1. It includes a number of simulated hosts outside the network and 6 hosts inside the network: the management platform Mplat, which is also the management information database server, a production server PrS, a public server PuS, a DNS server and two ordinary user nodes Node1 and Node2; PuS and the DNS server are in the DMZ of the firewall. In order to better reflect the authenticity of the experiment, the operating systems, the services and the security mechanisms of the hosts in the inside network are different.

B. Experimental Security Assessment
First, we arrange for experimental staff to attack the inner network from outside hosts, and a large number of normal connections are built. Then the alerts from the IDS are correlated into the attack scenario graph shown in Figure 2.

[Figure 2: attack scenario graph built from the correlated IDS alerts]
Figure 2. Attack scenario graph

After calculation by formula (2), we get the credibility of the attack sequences shown in Table I.

TABLE I. CREDIBILITY OF THE ATTACK SEQUENCES

No.   Attack sequence (alert ids)   Credibility
1     among 1-11 *                  0.76
2     among 1-11 *                  0.92
3     among 1-11 *                  0.28
4     among 1-11 *                  0.65
5     12, 13, 14                    0.88
6     12, 13, 15                    0.93
7     16, 17, 18                    0.87

* Sequences 1 to 4 are formed from alerts 1 to 11; the source layout does not show which of these alerts belong to which of the four sequences.

After calculation by formula (3), we get the risk levels of the attack sequences shown in Table II.

TABLE II. RISK LEVEL OF ATTACK SEQUENCES

No.   Attack sequence (alert ids)   Risk level
1     among 1-11 *                  61
2     among 1-11 *                  71
3     among 1-11 *                  28
4     among 1-11 *                  78
5     12, 13, 14                    135
6     12, 13, 15                    74
7     16, 17, 18                    91

* See the note under Table I.

After calculation by formulas (4) to (7), we get the losses of the attack sequences shown in Table III.

TABLE III. THE LOSS OF ATTACK SEQUENCES

No.   Attack sequence (alert ids)   Loss
1     among 1-11 *                  31.6
2     among 1-11 *                  45.8
3     among 1-11 *                  4.1
4     among 1-11 *                  48.6
5     12, 13, 14                    113.2
6     12, 13, 15                    59.9
7     16, 17, 18                    67.0

* See the note under Table I.
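A worked implementation of formulas (1) to (4), (6) and (7), added here as an example and not part of the paper or its experiment. The alert credibilities, self risk levels, node and service values and the factor weights are constructed; the sequence names only mirror the numbering of Table II (two sequences sharing the prefix of alerts 12 and 13), and the judge set is the paper's p = {0.1, ..., 1}.

```python
from dataclasses import dataclass
from math import prod, sqrt
from typing import Dict, List, Sequence, Tuple

@dataclass(frozen=True)
class Alert:
    """One node of the attack scenario graph; every field value used below is constructed."""
    alert_id: int
    p: float  # credibility p_i of the alert, in [0, 1]
    r: float  # self risk level r_i (IDS severity high / medium / low -> 1 / 0.6 / 0.2)
    n: int    # node value n_i in 1..N, appointed by the security manager
    s: int    # service value s_i in 1..M, appointed by the security manager

def euclid_closeness(actual: Sequence[float], standard: Sequence[float], weights: Sequence[float]) -> float:
    """Formula (1): sigma(r, R_j) = 1 - sqrt((1/5) * sum_i lambda_i * (r_i - R_ij)^2)."""
    if not (len(actual) == len(standard) == len(weights)):
        raise ValueError("factor vectors must have equal length")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights lambda_1..lambda_5 must sum to 1")
    dist = sum(w * (a - b) ** 2 for a, b, w in zip(actual, standard, weights)) / len(actual)
    return 1.0 - sqrt(dist)

def environment_matching_level(actual: Sequence[float], weights: Sequence[float]) -> float:
    """Step 1 of III.B: with R_ij = p_i, pick the judge level p_j whose standard vector (p_j, ..., p_j)
    is closest to the actual matching vector r."""
    judge_set = [k / 10 for k in range(1, 11)]  # p = {0.1, 0.2, ..., 1}
    return max(judge_set, key=lambda pj: euclid_closeness(actual, [pj] * len(actual), weights))

def sequence_credibility(seq: Sequence[Alert]) -> float:
    """Formula (2): p_S = 1 - prod_i (1 - p_i)."""
    return 1.0 - prod(1.0 - a.p for a in seq)

def sequence_risk(seq: Sequence[Alert]) -> float:
    """Formula (3): r_S = sum_i r_i * n_i * s_i."""
    return sum(a.r * a.n * a.s for a in seq)

def prefix_credibility(seq: Sequence[Alert], i: int) -> float:
    """Formula (4): p_{1,i} = 1 - prod_{k=1..i} (1 - p_k), with i 1-based."""
    return 1.0 - prod(1.0 - a.p for a in seq[:i])

def sequence_loss(seq: Sequence[Alert]) -> float:
    """Formulas (6) and (7): l_i = r_i * n_i * s_i and l_S = sum_i l_i * p_{1,i}."""
    return sum(a.r * a.n * a.s * prefix_credibility(seq, i) for i, a in enumerate(seq, 1))

def assess(sequences: Dict[str, Sequence[Alert]]) -> List[Tuple[str, float, float, float]]:
    """Rows (name, p_S, r_S, l_S) sorted by descending loss, i.e. the handling priority of IV.B."""
    rows = [(k, sequence_credibility(v), sequence_risk(v), sequence_loss(v)) for k, v in sequences.items()]
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed scenario: two sequences share the prefix (alerts 12, 13), like sequences 5 and 6 of Table II.
A12, A13 = Alert(12, 0.8, 1.0, 10, 10), Alert(13, 0.6, 0.6, 10, 5)
SEQUENCES = {"S5": [A12, A13, Alert(14, 0.4, 0.2, 3, 2)],
             "S6": [A12, A13, Alert(15, 0.5, 1.0, 5, 4)],
             "S3": [Alert(6, 0.2, 0.2, 2, 3)]}
```

Because the loss weights each alert's risk by the credibility of the path up to it, a shared high-credibility prefix dominates both S5 and S6, while the single low-credibility alert of S3 contributes almost nothing even though its risk is not zero.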

The credibility of the attack sequences can be seen in Table I, which represents how credible it is that each attack sequence truly occurred. It is a very important reference on the probability of the attack sequences for the security managers. For example, in this experiment, the probabilities of attack sequence 6 and attack sequence 2 are 0.93 and 0.92; they are the most probable attack sequences in the experiment. The risk of the attack sequences can be seen in Table II, which represents the degree of danger if the attack sequences really occurred. It can be an important reference when security managers choose security mechanisms. For example, the risk levels of attack sequence 5 and attack sequence 7 are 135 and 91 in the experiment; the paths on which these attack sequences lie are the ones that must be reinforced first. The losses to the system of the attack sequences can be seen in Table III. They are comprehensive evaluation values. The values can not only help the security manager assess the current security state of the system, but also help the security manager determine the priority of dealing with the attack sequences. For example, if in the same period attack sequence 3 and attack sequence 5 both need to be dealt with, it is clear that the security manager should deal with attack sequence 5 first, because the loss of sequence 3 is 4.1 while the loss of sequence 5 is 113.2. From the experiment, it can be seen that the security assessment method in this paper focuses, more than previous methods, on the nodes and node chains on which attacks have occurred, and it quantitatively assesses the attacks in many aspects. Prior assessment methods of network security are often qualitative or only for the network overall. Although they can provide references that help security managers understand the network system's security situation as a whole, they are of little help for responding to real-time attacks and repairing the system's vulnerabilities, which is the problem a security manager often encounters. The experiment shows that the security assessment method in this paper can help security managers assess the security incidents that have occurred and arrange the priority for dealing with them, so that they can resolve the network problems and optimize the security mechanisms of systems in a timely manner.

V. CONCLUSION

According to the principle of alert correlation, we assess the credibility, the risk level and the loss to the system of attack sequences from the factors of alert credibility, self risk levels of alerts, node values, service values, etc. As can be seen from the experiment, the credibility analysis, the risk analysis and the loss analysis of attack sequences in this paper are all useful to security managers in assessing the security state of the network system, and they can help security managers assess the security mechanisms of the system in position and take appropriate measures to respond to security incidents.

VI. ACKNOWLEDGMENT

This work is supported in part by the Natural Science Foundation of China under Grant No. 60903180, the Natural Science Foundation of Jiangsu of China under Grant No. BK2009465 and the Natural Science Foundation of Colleges in Jiangsu of China under Grant No. 09KJB620001.

REFERENCES

[1] Anderson, J. P.: Computer security threat monitoring and surveillance. Fort Washington: James P. Anderson Company, 1980.
[2] Cuppens, F., Miège, A.: Alert correlation in a cooperative intrusion detection framework. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 202-215, Oakland, USA, May 2002.
[3] Xu, D., Ning, P.: Correlation analysis of intrusion alerts. In R. Di Pietro, L. V. Mancini (eds.), Intrusion Detection Systems, Advances in Information Security, Vol. 38, pp. 65-92, ISBN 978-0-387-77265-3, Springer, 2008.
[4] García, J., Autrel, F., Borrell, J., Bouzida, Y., Castillo, S., Cuppens, F., Navarro, G.: Preventing coordinated attacks via alert correlation. 9th Nordic Workshop on Secure IT Systems (NORDSEC 2004), Helsinki, Finland, November 2004.
[5] Cuppens, F., Autrel, F., Bouzida, Y., García, J., Gombault, S., Sans, T.: Anti-correlation as a criterion to select appropriate counter-measures in an intrusion detection framework. Annals of Telecommunications, Vol. 61, No. 1-2, January-February 2006.
[6] Alter, S., Sherer, S.: A general, but readily adaptable model of information system risk. Communications of the Association for Information Systems, 14 (2004), 1-28.
[7] Sun, L., Srivastava, R. P., Mock, T. J.: An information systems security risk assessment model under Dempster-Shafer theory of belief functions. Journal of Management Information Systems, Vol. 22, No. 4, Spring 2006, pp. 109-142.
