Discovering Attackers Past Behavior to Generate Online Hyper-Alerts

Authors

  • Cláudio Toshio Kawakani State University of Londrina
  • Sylvio Barbon State University of Londrina
  • Rodrigo Sanches Miani Federal University of Uberlândia
  • Michel Cukier University of Maryland
  • Bruno Bogaz Zarpelão State University of Londrina

DOI:

https://doi.org/10.5753/isys.2017.331

Abstract

To support information security, organizations deploy Intrusion Detection Systems (IDS) that monitor information systems and networks, generating alerts for every suspicious behavior. However, the huge number of alerts that an IDS triggers and their low-level representation make alert analysis a challenging task. In this paper, we propose a new approach based on hierarchical clustering that supports intrusion alert analysis in two main steps. First, it correlates historical alerts to identify the most common strategies attackers have used. Then, it associates upcoming alerts in real time with the strategies discovered in the first step. The experiments were performed using a real dataset from the University of Maryland. The results showed that the proposed approach could properly identify the attack strategy patterns from historical alerts, and organize the upcoming alerts into a smaller number of meaningful hyper-alerts.
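The two-step scheme sketched in the abstract, as an added illustration that is not the authors' code and does not reproduce the paper's actual algorithm or dataset: step one runs agglomerative (average-linkage) hierarchical clustering over a constructed set of historical IDS alerts to recover recurring attack strategies; step two assigns each upcoming alert to the closest known strategy (or flags it as unmatched) and groups the results into hyper-alerts. The alert fields, the weighted field-mismatch distance, the linkage rule, the cut-off threshold and the hyper-alert key (strategy, source) are all assumptions made for the example.

```python
"""Illustrative two-step alert correlation (added example, not the paper's code):
(1) offline hierarchical clustering of historical IDS alerts into strategies,
(2) online assignment of new alerts to the closest strategy to form hyper-alerts.
Alert fields, distance weights, linkage and cut-off are assumptions."""
from collections import defaultdict

# Constructed historical alerts; not drawn from the University of Maryland dataset.
HISTORICAL = [
    {"src": "198.51.100.10", "sig": "ssh_bruteforce", "dst_port": 22},
    {"src": "198.51.100.10", "sig": "ssh_bruteforce", "dst_port": 22},
    {"src": "198.51.100.77", "sig": "ssh_bruteforce", "dst_port": 22},
    {"src": "203.0.113.5",   "sig": "web_scan",       "dst_port": 80},
    {"src": "203.0.113.5",   "sig": "sqli_attempt",   "dst_port": 80},
    {"src": "203.0.113.41",  "sig": "web_scan",       "dst_port": 80},
]

# Constructed "upcoming" alerts seen after the strategies were learned.
INCOMING = [
    {"src": "192.0.2.8",    "sig": "ssh_bruteforce", "dst_port": 22},
    {"src": "203.0.113.5",  "sig": "sqli_attempt",   "dst_port": 80},
    {"src": "192.0.2.8",    "sig": "ssh_bruteforce", "dst_port": 22},
    {"src": "192.0.2.200",  "sig": "dns_tunnel",     "dst_port": 53},
]

# Assumed weights: a differing source counts most, then signature, then port.
WEIGHTS = {"src": 5, "sig": 3, "dst_port": 2}
CUTOFF = 7.0  # assumed: stop merging once the closest pair is farther than this


def alert_distance(a, b):
    """Weighted count of fields on which two alerts disagree."""
    return sum(w for field, w in WEIGHTS.items() if a[field] != b[field])


def linkage(cluster_a, cluster_b, alerts):
    """Average-linkage distance between two clusters of alert indices."""
    pairs = [(i, j) for i in cluster_a for j in cluster_b]
    return sum(alert_distance(alerts[i], alerts[j]) for i, j in pairs) / len(pairs)


def hierarchical_cluster(alerts, cutoff=CUTOFF):
    """Agglomerative clustering: merge the closest pair of clusters until the
    closest remaining pair is farther apart than `cutoff`."""
    clusters = [[i] for i in range(len(alerts))]
    while len(clusters) > 1:
        dist, i, j = min(
            ((linkage(clusters[i], clusters[j], alerts), i, j)
             for i in range(len(clusters)) for j in range(i + 1, len(clusters))),
            key=lambda t: t[0],
        )
        if dist > cutoff:
            break
        merged = clusters[i] + clusters[j]
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]
    return clusters


def describe_strategy(cluster, alerts):
    """Summarise one cluster as the signatures, ports and sources it contains."""
    return {
        "signatures": sorted({alerts[i]["sig"] for i in cluster}),
        "ports": sorted({alerts[i]["dst_port"] for i in cluster}),
        "sources": sorted({alerts[i]["src"] for i in cluster}),
    }


def assign_strategy(alert, clusters, alerts, cutoff=CUTOFF):
    """Online step: index of the closest strategy, or None when the alert is
    farther than `cutoff` from every known strategy (candidate new behavior)."""
    best_idx, best_dist = None, None
    for idx, cluster in enumerate(clusters):
        d = sum(alert_distance(alert, alerts[i]) for i in cluster) / len(cluster)
        if best_dist is None or d < best_dist:
            best_idx, best_dist = idx, d
    return best_idx if best_dist is not None and best_dist <= cutoff else None


def build_hyper_alerts(incoming, clusters, alerts, cutoff=CUTOFF):
    """Group incoming alerts into hyper-alerts keyed by (strategy, source);
    strategy None collects alerts that matched no learned pattern."""
    hyper = defaultdict(list)
    for alert in incoming:
        key = (assign_strategy(alert, clusters, alerts, cutoff), alert["src"])
        hyper[key].append(alert)
    return dict(hyper)


if __name__ == "__main__":
    strategies = hierarchical_cluster(HISTORICAL)
    for idx, cluster in enumerate(strategies):
        print(f"strategy {idx}: {describe_strategy(cluster, HISTORICAL)}")
    for (strategy, src), members in build_hyper_alerts(INCOMING, strategies, HISTORICAL).items():
        label = f"strategy {strategy}" if strategy is not None else "UNMATCHED (review)"
        print(f"hyper-alert {label} from {src}: {len(members)} alert(s)")
```

With the constructed data the six historical alerts collapse into two strategies (SSH brute force on port 22; web scanning plus SQL injection attempts on port 80), and the four incoming alerts become three hyper-alerts: two SSH alerts from one new source fold into a single hyper-alert, the SQL injection attempt attaches to the web strategy, and the DNS-tunnelling alert matches nothing and is surfaced separately. In practice the cut-off should be chosen from the dendrogram of the historical data rather than fixed by hand, and the unmatched bucket is where genuinely new attacker behavior will first appear.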

Published

2017-03-12

How to Cite

Kawakani, C. T., Barbon, S., Miani, R. S., Cukier, M., & Zarpelão, B. B. (2017). Discovering Attackers Past Behavior to Generate Online Hyper-Alerts. ISys - Brazilian Journal of Information Systems, 10(1), 122–147. https://doi.org/10.5753/isys.2017.331

Section

Extended versions of selected articles