In this research study, we focus on intrusion alerts and the burden that analyzing numerous security events places on network administrators. We present Avisa2, a network security visualization system that assists in the comprehension of IDS alerts and the detection of abnormal activity patterns. The quantity of security events triggered by modern-day intrusion detection systems, combined with their complexity and the lack of correlation between events, limits the human cognitive process in identifying anomalous behavior. This shortcoming creates the need for an automated process that surfaces critical situations and prioritizes the network hosts exhibiting peculiar behavior. At the heart of Avisa2 lies a collection of heuristic functions used to score, rank, and prioritize the internal hosts of the monitored network. We believe this contribution raises the practicality of Avisa2 in identifying critical situations and makes it far superior to traditional security systems that focus solely on visualization. The effectiveness of Avisa2 is evaluated on two multi-stage attack scenarios, each intentionally focused on a particular attack type, network service, and network range. Avisa2 proved effective and accurate in prioritizing both hosts under attack and hosts from which attacks were launched. © 2011 Springer-Verlag.
CITATION STYLE
Shiravi, H., Shiravi, A., & Ghorbani, A. A. (2011). Situational assessment of intrusion alerts: A multi attack scenario evaluation. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7043 LNCS, pp. 399–413). https://doi.org/10.1007/978-3-642-25243-3_32