Abstract
We propose a novel framework, the Hidden Colored Petri-Net for Alert Correlation and Understanding (HCPN-ACU), for intrusion detection systems. The model rests on the premise that intrusion detection can be viewed as an inference problem: we seek to show that misusers are carrying out a sequence of steps to violate system security policies, with earlier steps preparing for the later ones. In contrast with prior work, we separate actions from observations and assume that the attacker's actions themselves are not directly observable, but that the attacker's behavior may trigger alerts. These alerts are then used to infer the attacker's actions. We evaluate the model on the DARPA evaluation data set. We conclude that HCPN-ACU can perform alert fusion and intention recognition at the same time, reduce both false positives and false negatives, and provide a better understanding of an intrusion's progress by attaching confidence scores to the inferred steps. © Springer-Verlag Berlin Heidelberg 2004.
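As an added illustration of the inference premise stated in the abstract (alerts are noisy observations, the attacker's actions are hidden and are inferred from the alert sequence with a confidence score per step), the following Python example is not the HCPN-ACU model or any code from the paper. It uses a plain hidden-Markov forward (filtering) recursion over a hypothetical four-stage attack; the stage names, alert types, transition and emission probabilities, and the alert sequences are all constructed assumptions for the illustration.

```python
"""Toy illustration of alerts-as-observations, actions-as-hidden-state
inference. Added example; not the paper's HCPN-ACU model.

All stage names, alert types, probabilities and alert sequences below are
constructed assumptions for the illustration.
"""

STAGES = ["idle", "recon", "exploit", "escalate"]
ALERTS = ["none", "portscan", "bufovf", "suid"]

# Transition probabilities between hidden attack stages. A stage can only
# advance by one step (earlier steps prepare the later ones) or be
# abandoned back to "idle"; it never skips ahead.
TRANSITION = {
    "idle":     {"idle": 0.7, "recon": 0.3, "exploit": 0.0, "escalate": 0.0},
    "recon":    {"idle": 0.3, "recon": 0.4, "exploit": 0.3, "escalate": 0.0},
    "exploit":  {"idle": 0.2, "recon": 0.0, "exploit": 0.4, "escalate": 0.4},
    "escalate": {"idle": 0.2, "recon": 0.0, "exploit": 0.0, "escalate": 0.8},
}

# Probability that a stage produces each alert type in one observation
# interval. "none" in a non-idle stage models a false negative (the action
# happened but no alert fired); a non-"none" alert in "idle" models a
# false positive.
EMISSION = {
    "idle":     {"none": 0.94, "portscan": 0.03, "bufovf": 0.02, "suid": 0.01},
    "recon":    {"none": 0.30, "portscan": 0.60, "bufovf": 0.05, "suid": 0.05},
    "exploit":  {"none": 0.30, "portscan": 0.10, "bufovf": 0.55, "suid": 0.05},
    "escalate": {"none": 0.30, "portscan": 0.05, "bufovf": 0.05, "suid": 0.60},
}


def infer_stages(alerts):
    """Forward filtering: after each alert, return the posterior probability
    (confidence score) of every hidden stage given all alerts seen so far."""
    belief = {s: (1.0 if s == "idle" else 0.0) for s in STAGES}
    history = []
    for alert in alerts:
        if alert not in ALERTS:
            raise ValueError(f"unknown alert type: {alert}")
        # Predict: the attacker may have advanced (or given up) since the
        # previous observation interval.
        predicted = {
            s: sum(belief[prev] * TRANSITION[prev][s] for prev in STAGES)
            for s in STAGES
        }
        # Update: weight each stage by how likely it is to emit this alert,
        # then normalise so the scores sum to 1.
        unnormalised = {s: predicted[s] * EMISSION[s][alert] for s in STAGES}
        total = sum(unnormalised.values())
        belief = {s: p / total for s, p in unnormalised.items()}
        history.append(dict(belief))
    return history


def most_likely_stage(alerts):
    """Return (stage, confidence) for the final posterior of the sequence."""
    final = infer_stages(alerts)[-1]
    stage = max(final, key=final.get)
    return stage, final[stage]


if __name__ == "__main__":
    # Constructed alert sequences, one entry per observation interval.
    scenarios = {
        "full chain":     ["portscan", "bufovf", "suid"],
        "lone portscan":  ["portscan", "none", "none", "none"],
        "missed exploit": ["portscan", "none", "suid"],
    }
    for name, seq in scenarios.items():
        stage, conf = most_likely_stage(seq)
        print(f"{name:15s} {seq} -> {stage} ({conf:.2f})")
```

Three things the example makes concrete: a complete recon, exploit, escalate alert chain ends with high confidence in the final stage; a lone port-scan alert followed by quiet intervals decays back toward "idle" (a false positive is not promoted to an intrusion); and a chain with the exploit alert missing still infers "escalate" as most likely, but with visibly lower confidence, which is what a confidence score buys over a binary correlation verdict.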
Citation
Yu, D., & Frincke, D. (2004). A novel framework for alert correlation and understanding. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3089, 452–466. https://doi.org/10.1007/978-3-540-24852-1_33