Real-time Aggregation and Extraction of Intrusion Alerts


Explore the innovative CLEAR-ROAD system for near-real-time aggregation and extraction of co-occurring intrusion alerts, assisting analysts in understanding attack patterns without external training data. Learn about the unique approach using concept learning and pattern mining techniques to discover rare co-occurring alert signatures.

  • Real-time
  • Aggregation
  • Extraction
  • Cybersecurity
  • Pattern Mining




Presentation Transcript


  1. CLEAR-ROAD: Near Real-time Aggregation and Extraction of Co-occurring Intrusion Alerts
     Gordon Werner, Ph.D. Student, Rochester Institute of Technology
     This talk includes efforts supported by NSF Awards #1526383 and #1742789, and RIT Global Cybersecurity Institute.

  2. Helping Analysts Understand Attack Patterns
     Problem: How can we better and more quickly help analysts understand critical signature occurrence patterns? Which signatures co-occur with them, and in what timing profile? Can this be done in near real time (NRT), without any external training data?
     Existing works (alert aggregation or alert correlation) depend on a priori defined templates / trained models, or focus on grouping similar alerts.
     Is there an effective, data-driven way to process individual alert streams? Are these groups of alerts the same? What are the odds that these alerts would occur together?

  3. CLEAR (Concept Learning for Intrusion Event Aggregation in Realtime)
     Tracks concepts (w.r.t. IATs, inter-arrival times) and derives aggregates (sets of temporally related alerts). Statistically matches ongoing aggregates to concepts using the 2-sample Kolmogorov-Smirnov (K-S) test.
     Multiple temporal patterns found that contain GPL EXPLOIT CodeRed v2 root.exe access (CLEAR vs. TSSD-EWMA).
     [Figure 4. KS-Test Illustration]
     [Figure 10. CLEAR (top) and TSSD-EWMA (bottom) concept IATs]
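The concept-matching step on this slide, as an added example that is not code from the CLEAR-ROAD project: it derives the inter-arrival times (IATs) of an ongoing aggregate and tests them against each learned concept's IAT sample with a two-sample K-S test, accepting the closest concept that is not rejected. The concept names, the millisecond timestamps, the large-sample critical value and the 0.05 level are constructed assumptions; the talk does not state which threshold CLEAR uses.

```python
from bisect import bisect_right
from math import sqrt

# Asymptotic two-sample K-S critical coefficient c(alpha) at alpha = 0.05
# (assumed level; the talk does not state which one CLEAR uses).
KS_C_ALPHA05 = 1.358

def iats(timestamps):
    """Inter-arrival times of an aggregate's alerts (sorted timestamps in ms)."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]

def ks_statistic(sample_a, sample_b):
    """Two-sample K-S statistic D = max |F_a(x) - F_b(x)| over the pooled points."""
    a, b = sorted(sample_a), sorted(sample_b)
    d = 0.0
    for x in a + b:
        f_a = bisect_right(a, x) / len(a)   # empirical CDF of a at x
        f_b = bisect_right(b, x) / len(b)   # empirical CDF of b at x
        d = max(d, abs(f_a - f_b))
    return d

def ks_critical(n, m, c=KS_C_ALPHA05):
    """Reject 'same distribution' when D exceeds this (large-sample approximation)."""
    return c * sqrt((n + m) / (n * m))

def match_concept(aggregate_timestamps, concepts):
    """Return (concept name, D) for the closest concept whose IAT distribution is
    not rejected by the K-S test, or (None, None) if no learned concept fits."""
    sample = iats(aggregate_timestamps)
    accepted = []
    for name, concept_iats in concepts.items():
        d = ks_statistic(sample, concept_iats)
        if d <= ks_critical(len(sample), len(concept_iats)):
            accepted.append((d, name))
    if not accepted:
        return None, None   # no known temporal pattern: candidate for a new concept
    d, name = min(accepted)
    return name, d

# Constructed sample data: two learned concepts (IAT samples in ms) and an
# ongoing aggregate of seven alert timestamps (ms).
CONCEPTS = {
    "burst": [100, 200, 150, 250, 200, 300, 100, 200, 150, 250],
    "slow-probe": [20000, 25000, 30000, 22000, 35000, 28000, 40000, 33000, 26000, 38000],
}
ONGOING_AGGREGATE = [0, 200, 350, 600, 800, 950, 1200]

if __name__ == "__main__":
    print(match_concept(ONGOING_AGGREGATE, CONCEPTS))               # ('burst', 0.2)
    print(match_concept([0, 5000, 10000, 15000, 20000], CONCEPTS))  # (None, None)
```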

  4. CLEAR with Rare Co-Occurring Alert Signature Discovery (CLEAR-ROAD)
     Two-Step Approach:
     CLEAR: Learns and maintains unique, invariant temporal arrival patterns as Concepts, in NRT, from incoming alerts. Captures individual "actions" or Aggregates using concept statistics.
     ROAD: Extracts Co-Occurring Signatures from Aggregates. Leverages pattern mining techniques: sequences alert signatures using aggregates, constrains the sequence database (SDB) to reduce computational overhead, and finds rules that exhibit statistical likelihood for signature co-occurrence.

  5. ROAD (Rare co-Occurring Alert signature Discovery)
     SPADE, a pattern mining algorithm [Zaki 2001], modified to work with CLEAR and intrusion alerts. Discovers and processes association rules containing critical signatures. Isolates signatures whose occurrence is statistically likely related to the critical signature(s). (To-do) Incremental update of patterns in NRT. Co-occurrence is unique to the 2 temporal modes found by CLEAR.

  6. Comments, Ideas, & Questions
