![Page 1: Evidential Alert Correlation for Network Intrusion Analysisstatisticalcyber.com/talks/XinHong.pdfEvidential Alert Correlation for Network Intrusion Analysis Xin Hong x.hong@qub.ac.uk](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6fa4e5c8b0e72883c5bdc/html5/thumbnails/1.jpg)
Evidential Alert Correlation for Network Intrusion Analysis
DSCS Workshop – 27 September 2017
Outline
• Motivating Problems
• Proposed Solution
• Conclusion
Intrusion Detection
• Intrusion detection together with other system defences, e.g. firewalls, provides the primary means of misuse identification and response
Motivating Problems
• Issues in Intrusion Detection
  – Tons of alerts, possibly up to 20,000 per day
  – Many false alarms
  – Most alerts are not isolated, but related to different stages of attacks
  – Hard to make sense out of a large pile of alerts
Security Event Analytics
• Challenges
  – Low level detections are not always reliable – uncertain evidence
  – There are many ways to perform an attack – heuristic attack structures
  – An attack may succeed through actions over several connected stages – a progressing process
• Our solution
  – Evidential network reasoning, based on the Dempster-Shafer theory of evidence
  – Numerically model sensor detections and the relationships between sensor detections and security state
  – Provide the operations of combination, extension and marginalisation for reasoning
  – Answer questions such as
    • What does an alert instance mean for the system security state: exploited or compromised?
    • With a bundle of alerts at hand, has the system been targeted by a DDoS attack?
    • How sure are we about the analysed security state?
Overview of the evidential alert correlation system
[Figure: Evidential Alert Correlation system overview. A RealSecure alert listing (alert IDs 67762–67776 dated 10/11/2001; signatures TelnetTerminaltype, TelnetXdisplay, TelnetEnvAll, Email_Ehlo, Mstream_Zombie and Stream_DoS; source and destination addresses including 172.016.x.x hosts and the broadcast address 255.255.255.255) enters the pipeline Intrusion alerts → Alert validation → Alert duplication → Alert fusion → Hyper alert extraction (LOCAL), then Alert correlation engine with Evidential network inference → Attack scenario (GLOBAL).]
Local Correlation
• Alert validation
  – Keep alerts of relevant signature types
• Alert duplication
  – Remove repeated alerts
• Alert fusion
  – Aggregate alerts of the same signature within a time window, satisfying certain conditions
• Hyper alert extraction
  – Merge alerts of different signature types corresponding to the same attack
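The four local-correlation steps above as one small pipeline run over a constructed alert batch. This is an added example, not the talk's implementation: the set of relevant signatures, the hyper-alert map (Sadmind_Amslverify_Overflow and Admind both taken to stand for the SadmindBOF step of the attack tree), the 60 s window and the sample rows are all assumptions made for illustration.

```python
"""Local correlation: validation -> duplication -> fusion -> hyper-alert
extraction over a constructed alert batch.  Added example, not the talk's
code; RELEVANT, HYPER, WINDOW and SAMPLE are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    aid: int
    ts: datetime
    src: str
    dst: str
    sig: str


@dataclass
class Cluster:
    """A fused alert (one signature) or a hyper alert (one attack step)."""
    kind: str
    src: str
    dst: str
    first: datetime
    last: datetime
    members: list = field(default_factory=list)


# Assumed RealSecure-style signature names for the attack-tree nodes; alert
# validation drops every other signature type.
RELEVANT = {"Sadmind_Ping", "Sadmind_Amslverify_Overflow", "Admind",
            "Rsh", "Mstream_Zombie", "Stream_DoS"}
# Assumed hyper-alert map: distinct signatures raised by the same attack step.
HYPER = {"Sadmind_Amslverify_Overflow": "SadmindBOF", "Admind": "SadmindBOF"}
WINDOW = timedelta(seconds=60)

# Constructed sample batch (CSV: id,timestamp,src,dst,signature).  Rows are
# made up; they only mimic the shape of the listing in the overview figure.
SAMPLE = """\
1001,2000-03-07 10:00:01,202.77.162.213,172.16.115.20,Sadmind_Ping
1002,2000-03-07 10:00:01,202.77.162.213,172.16.115.20,Sadmind_Ping
1003,2000-03-07 10:00:05,202.77.162.213,172.16.112.50,Sadmind_Ping
1004,2000-03-07 10:00:09,194.7.248.153,172.16.113.84,Email_Ehlo
1005,2000-03-07 10:02:00,202.77.162.213,172.16.115.20,Sadmind_Amslverify_Overflow
1006,2000-03-07 10:02:01,202.77.162.213,172.16.115.20,Admind
1007,2000-03-07 10:02:03,202.77.162.213,172.16.115.20,Sadmind_Amslverify_Overflow
1008,2000-03-07 10:02:04,202.77.162.213,172.16.115.20,Admind
1009,2000-03-07 10:05:00,202.77.162.213,172.16.115.20,Rsh
1010,2000-03-07 10:06:00,172.16.115.20,255.255.255.255,Mstream_Zombie
"""


def parse(text):
    alerts = []
    for line in text.strip().splitlines():
        aid, ts, src, dst, sig = line.split(",")
        alerts.append(Alert(int(aid), datetime.fromisoformat(ts), src, dst, sig))
    return alerts


def validate(alerts):
    """Keep only alerts whose signature type the knowledge base can use."""
    return [a for a in alerts if a.sig in RELEVANT]


def deduplicate(alerts):
    """Drop exact repeats (same time, endpoints and signature)."""
    seen, out = set(), []
    for a in alerts:
        key = (a.ts, a.src, a.dst, a.sig)
        if key not in seen:
            seen.add(key)
            out.append(a)
    return out


def _cluster(items, key, first, last, members, window):
    """Greedy time-window clustering shared by fusion and hyper-alert extraction."""
    out = []
    for it in sorted(items, key=first):
        k = key(it)
        for c in out:
            if (c.kind, c.src, c.dst) == k and first(it) - c.last <= window:
                c.last = max(c.last, last(it))
                c.members.extend(members(it))
                break
        else:
            out.append(Cluster(*k, first(it), last(it), list(members(it))))
    return out


def fuse(alerts, window=WINDOW):
    """Aggregate same-signature alerts between the same endpoints within `window`."""
    return _cluster(alerts, lambda a: (a.sig, a.src, a.dst),
                    lambda a: a.ts, lambda a: a.ts, lambda a: [a], window)


def extract_hyper(fused, window=WINDOW):
    """Merge fused alerts whose signatures map to the same attack step."""
    return _cluster(fused, lambda c: (HYPER.get(c.kind, c.kind), c.src, c.dst),
                    lambda c: c.first, lambda c: c.last, lambda c: c.members, window)


def local_correlation(text):
    return extract_hyper(fuse(deduplicate(validate(parse(text)))))


if __name__ == "__main__":
    for h in local_correlation(SAMPLE):
        print(f"{h.kind:<15} {h.src:>15} -> {h.dst:<15} "
              f"{h.first.time()}..{h.last.time()} x{len(h.members)}")
```

On the sample batch the ten raw alerts shrink to five hyper alerts: the Email_Ehlo alert is dropped by validation, the repeated Sadmind_Ping is dropped by duplication, fusion folds the two overflow and the two Admind alerts into one cluster each, and hyper-alert extraction merges those two clusters into a single SadmindBOF step with four member alerts. Each hyper alert keeps its members, so the global stage can still trace a correlated scenario back to raw sensor output.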
Global Correlation
• Correlate hyper alerts corresponding to different stages of a complex attack
• Based on evidential network reasoning
• Knowledge base contains evidential network model of the attack
• Dempster-Shafer theory of evidence provides the foundation for attack modelling, uncertainty representation, and information inference
DS Theory of Evidence
• Represents a system with a set of variables $V = \{v_1, \dots, v_n\}$
• Domain $D = \{x\}$
• Frame of discernment $\Theta = \{w_1, \dots, w_n\}$, where each $w_i$ is a value of $x$
• Mass function defined on the power set of $\Theta$:

$$
m : 2^{\Theta} \to [0, 1], \qquad m(\emptyset) = 0, \qquad \sum_{A \subseteq \Theta} m(A) = 1
$$
Evidential Networks
• $V$ is the set of variables
• $\Theta_V$ is the set of frames
• $M_V$ is the set of mass functions
• Operations: Combination, Marginalisation, Extension
Relation Implication Rule
• Domain knowledge represented by IF-THEN rule
• Degree of confidence to measure uncertainty
• If A then B with degree of confidence $\rho \in [\alpha, \beta]$, where $0 \le \alpha \le \beta \le 1$
DS Frame Representation
• Rule: If A then B with degree of confidence $\rho \in [\alpha, \beta]$, $0 \le \alpha \le \beta \le 1$, where $A \subseteq \Theta_A$ and $B \subseteq \Theta_B$
• The rule is represented as a mass function $m_{AB}$ on the product frame $\Theta_B \times \Theta_A$:

$$
m_{AB}(C) =
\begin{cases}
\alpha & \text{if } C = (B \times A) \cup (\Theta_B \times \bar{A}) \\
1 - \beta & \text{if } C = (\bar{B} \times A) \cup (\Theta_B \times \bar{A}) \\
\beta - \alpha & \text{if } C = \Theta_B \times \Theta_A
\end{cases}
$$
From Attack Tree
[Figure: attack tree of the DDoS scenario. Nodes: IPSweep, Sadmind_Ping, SadmindBOF, VulnerableSadmind, Rsh, Mstream_Zombie, StreamDOS, AccessControl, SystemCompromised, ReadyToLaunchDDOS, LaunchDDoS. Legend: intrusion action, system state.]
From Attack Tree
To Evidential Network Model
Evidential Network Model
Domain of variable: $d_s = \{ISs\}$
Frame of discernment: $\Theta_s = \{1, 0\}$
Mass function (evidence): $m_s(\{1\}) = 0.9$; $m_s(\{1, 0\}) = 0.1$
Evidential Network Model
Domain of variables: $d_J = \{ISa, ISs\}$
Frame of discernment: $\Theta_J = \{(1,1), (1,0), (0,1), (0,0)\}$
Mass function (knowledge):
$m_J(\{(1,1), (1,0)\}) = 0.245$; $m_J(\{(1,1), (1,0), (0,0)\}) = 0.325$; $m_J(\{(1,1), (1,0), (0,1)\}) = 0.185$; $m_J(\Theta_J) = 0.245$
Implication rules: ISs → ISa [0.57, 1]; ¬ISs → ISa [0.43, 1]
Evidential Inference
Evidence: $m_s(\{1\}) = 0.9$; $m_s(\{1, 0\}) = 0.1$
Evidence Propagation

$m'_c = m_s^{d_s \uparrow d_c}$, $m''_c = m_J^{d_J \uparrow d_c}$ (extension)
$m_c = m'_c \oplus m''_c$ (combination)
$m'_k = m_c^{d_c \uparrow d_k}$, $m''_k = m_M^{d_M \uparrow d_k}$ (extension)
$m_k = m'_k \oplus m''_k$ (combination)
$m'_t = m_k^{d_k \downarrow d_t}$ (marginalisation)
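The three evidential-network operations (combination, extension, marginalisation), the implication-rule encoding on the product frame, and the propagation chain above, carried out on the ISs → ISa fragment of the Evidential Network Model slides. This is an added example, not code from the talk: the dict-of-frozensets representation and the helper names are my own, and the rule operands (ISs = 1 or ISs = 0 as A, ISa = 1 as B) are read off the two implication rules on the slide.

```python
"""Dempster-Shafer evidential-network operations worked through on the
talk's ISs -> ISa fragment.  Added example, not the talk's code; the
representation (domain tuple + dict of frozensets) is my own choice."""
from itertools import product

# Frames of discernment per variable: binary security-state variables as on
# the slides, 1 = true, 0 = false.
FRAMES = {"ISs": (1, 0), "ISa": (1, 0)}

# A mass function is (domain, focal): domain is a tuple of variable names,
# focal maps frozensets of configurations (tuples in domain order) to mass.


def configurations(domain):
    """All joint configurations of `domain`, as tuples in domain order."""
    return [tuple(c) for c in product(*(FRAMES[v] for v in domain))]


def combine(m1, m2):
    """Dempster's rule of combination for two mass functions on one domain."""
    dom, f1 = m1
    dom2, f2 = m2
    if dom != dom2:
        raise ValueError("operands must share a domain; extend one first")
    out, conflict = {}, 0.0
    for a, ma in f1.items():
        for b, mb in f2.items():
            c = a & b
            if c:
                out[c] = out.get(c, 0.0) + ma * mb
            else:
                conflict += ma * mb          # mass that would land on the empty set
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict")
    return dom, {c: v / (1.0 - conflict) for c, v in out.items()}


def extend(m, new_domain):
    """Vacuous extension m^{d↑d'}: lift every focal set to the larger domain."""
    dom, focal = m
    idx = [new_domain.index(v) for v in dom]
    theta = configurations(new_domain)
    out = {}
    for a, v in focal.items():
        lifted = frozenset(x for x in theta if tuple(x[i] for i in idx) in a)
        out[lifted] = out.get(lifted, 0.0) + v
    return new_domain, out


def marginalise(m, sub_domain):
    """Marginalisation m^{d↓d''}: project every focal set onto sub_domain."""
    dom, focal = m
    idx = [dom.index(v) for v in sub_domain]
    out = {}
    for a, v in focal.items():
        proj = frozenset(tuple(x[i] for i in idx) for x in a)
        out[proj] = out.get(proj, 0.0) + v
    return sub_domain, out


def rule_mass(a_var, a_vals, b_var, b_vals, alpha, beta):
    """Mass function for 'if A then B with confidence in [alpha, beta]' on
    the product frame Θ_B × Θ_A, as on the DS Frame Representation slide:
    alpha on (B×A)∪(Θ_B×¬A), 1-beta on (¬B×A)∪(Θ_B×¬A), beta-alpha on Θ."""
    dom = (b_var, a_var)
    theta = configurations(dom)
    in_a = lambda x: x[1] in a_vals
    in_b = lambda x: x[0] in b_vals
    c1 = frozenset(x for x in theta if (in_b(x) and in_a(x)) or not in_a(x))
    c2 = frozenset(x for x in theta if (not in_b(x) and in_a(x)) or not in_a(x))
    focal = {}
    for c, v in ((c1, alpha), (c2, 1.0 - beta), (frozenset(theta), beta - alpha)):
        if v > 0:
            focal[c] = focal.get(c, 0.0) + v
    return dom, focal


def belief_plausibility(m, hypothesis):
    """Bel(H) = Σ_{A⊆H} m(A); Pl(H) = Σ_{A∩H≠∅} m(A)."""
    _, focal = m
    h = frozenset(hypothesis)
    bel = sum(v for a, v in focal.items() if a <= h)
    pl = sum(v for a, v in focal.items() if a & h)
    return bel, pl


def propagate_slide_example():
    """Push the evidence m_s({1}) = 0.9, m_s({1,0}) = 0.1 through the two
    implication rules of the Evidential Network Model slide; return (m_J, m_ISa)."""
    m_s = (("ISs",), {frozenset({(1,)}): 0.9, frozenset({(1,), (0,)}): 0.1})
    r1 = rule_mass("ISs", {1}, "ISa", {1}, 0.57, 1.0)   #  ISs -> ISa [0.57, 1]
    r2 = rule_mass("ISs", {0}, "ISa", {1}, 0.43, 1.0)   # ~ISs -> ISa [0.43, 1]
    m_j = combine(r1, r2)                      # knowledge node on (ISa, ISs)
    m_c = combine(extend(m_s, m_j[0]), m_j)    # extension, then combination
    m_a = marginalise(m_c, ("ISa",))           # marginalisation onto ISa
    return m_j, m_a


if __name__ == "__main__":
    m_j, m_a = propagate_slide_example()
    for a, v in sorted(m_j[1].items(), key=lambda kv: -kv[1]):
        print("m_J", sorted(a), round(v, 4))
    print("m_ISa", {tuple(sorted(a)): round(v, 4) for a, v in m_a[1].items()})
    print("Bel/Pl(ISa=1):", belief_plausibility(m_a, {(1,)}))
```

Combining the two rule masses reproduces the joint masses on the slide (0.245, 0.325, 0.185 and 0.245 on the four focal sets). After extending the sensor evidence, combining, and marginalising onto ISa the result is $m_{ISa}(\{1\}) = 0.5375$ and $m_{ISa}(\{1,0\}) = 0.4625$, i.e. Bel(ISa = 1) = 0.5375 and Pl(ISa = 1) = 1: the remaining mass on the whole frame is exactly the "how sure" figure the slides ask for. The conflict check in `combine` matters in practice: two rules or sensors that put all their mass on disjoint sets give total conflict and must be reported rather than silently normalised away.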
Forward Propagation
Experiments
• DARPA 2000 dataset
• Two DDoS attack scenarios
  – LLDoS 1.0: inside and DMZ
  – LLDoS 2.0.2: inside and DMZ
• RealSecure alert files
Results
| Dataset | Observable attacks # | RealSecure alerts # | RealSecure detected attacks # | Our method alerts # | Our method detected attacks # | Attack detection % |
|---|---|---|---|---|---|---|
| LLDOS 1.0 Inside | 60 | 922 | 37 | 61 | 37 | 100 |
| LLDOS 1.0 DMZ | 89 | 886 | 51 | 92 | 51 | 100 |
| LLDOS 2.0.2 Inside | 15 | 489 | 12 | 23 | 12 | 100 |
| LLDOS 2.0.2 DMZ | 7 | 425 | 4 | 8 | 4 | 100 |

Attack detection % is measured against the attacks RealSecure detected (37/37, 51/51, 12/12, 4/4), not against the observable attacks count; the method keeps every RealSecure detection while cutting the alert volume by more than an order of magnitude.

| | LLDOS 1.0 Inside | LLDOS 1.0 DMZ | LLDOS 2.0.2 Inside | LLDOS 2.0.2 DMZ |
|---|---|---|---|---|
| Related alerts | 61 | 96 | 25 | 8 |
| Correlated alerts | 61 | 95 | 23 | 8 |
| Correctly correlated alerts | 61 | 95 | 23 | 8 |
| Completeness % (correctly correlated / related) | 100 | 98.96 | 92.00 | 100 |
| Soundness % (correctly correlated / correlated) | 100 | 100 | 100 | 100 |
Conclusions and Future Work
• Proposed an alert correlation technique
  – Evidential network reasoning
  – Models uncertain sensor detections and relationship knowledge
  – Numerically infers security state changes to draw a semantic view of the attack
• Future work
  – Learning the evidential network model of an attack from domain experts and data
  – Recognising variations of an attack
  – Real-time correlation
Thanks
Questions?