Evidential Alert Correlation for Network Intrusion Analysis Xin Hong [email protected] DSCS Workshop – 27 September 2017


Page 1: Evidential Alert Correlation for Network Intrusion Analysis

Xin Hong, x.hong@qub.ac.uk

DSCS Workshop – 27 September 2017

Slides: statisticalcyber.com/talks/XinHong.pdf

Page 2: Outline

• Motivating Problems

• Proposed Solution

• Conclusion

Page 3: Intrusion Detection

• Intrusion detection together with other system defences, e.g. firewalls, provides the primary means of misuse identification and response

Page 4: Motivating Problems

• Issues in Intrusion Detection
– Tons of alerts, possibly up to 20,000 per day
– Many false alarms
– Most alerts are not isolated, but related to different stages of attacks
– Hard to make sense out of a large pile of alerts

Page 5: Security Event Analytics

• Challenges
– Low-level detections are not always reliable: uncertain evidence
– There are many ways to perform an attack: heuristic attack structures
– An attack may succeed through actions over several connected stages: a progressing process

• Our solution
– Evidential network reasoning, based on the Dempster-Shafer theory of evidence
– Numerically model sensor detections and the relationships between sensor detections and security state
– Provide the operations of combination, extension and marginalisation for reasoning
– Answer questions such as:
• What does an alert instance mean for the system's security state: exploited or compromised?
• With a bundle of alerts at hand, has the system been targeted by a DDoS attack?
• How sure can we be about the analysed security state?

Page 6: Overview of the evidential alert correlation system

[Figure: system architecture. Raw intrusion alerts (the slide shows a RealSecure-style table with alert id, date, time, source address, destination port, destination address and signature; signatures visible include TelnetTerminaltype, TelnetXdisplay, TelnetEnvAll, Email_Ehlo, Mstream_Zombie and Stream_DoS) enter the LOCAL stage: alert validation, alert duplication, alert fusion and hyper-alert extraction. The resulting hyper alerts feed the GLOBAL stage, the alert correlation engine, which performs evidential network inference and outputs the attack scenario.]

Page 7: Local Correlation

• Alert validation
– Keep alerts of relevant signature types

• Alert duplication
– Remove repeated alerts

• Alert fusion
– Aggregate alerts of the same signature within a time window, satisfying certain conditions

• Hyper alert extraction
– Merge alerts of different signature types corresponding to the same attack
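As an added example (not code from the talk), the following Python runs the four local-correlation steps above over a handful of constructed alert records whose signature names follow the overview figure. The slide does not say which signatures count as relevant, how long the fusion window is, what "certain conditions" are, or which signatures belong to the same attack step; the RELEVANT set, the 2-second window, the same-source/same-destination condition and the ATTACK_OF mapping below are assumptions made here for illustration.

```python
"""Local alert correlation: validation -> de-duplication -> fusion -> hyper-alert extraction.

Added example, not the talk's code.  Alert records are constructed; RELEVANT, WINDOW,
the same-src/same-dst fusion condition and ATTACK_OF are assumptions, not slide content.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    alert_id: int
    time: datetime
    src: str
    dst: str
    dport: int
    signature: str


@dataclass
class HyperAlert:
    attack: str                 # attack step the merged alerts are evidence for
    src: str
    dst: str
    start: datetime
    end: datetime
    signatures: set = field(default_factory=set)
    alert_ids: list = field(default_factory=list)


# Step 1 (assumed): only signatures that occur in the attack model are relevant.
RELEVANT = {"TelnetTerminaltype", "TelnetXdisplay", "TelnetEnvAll",
            "Email_Ehlo", "Mstream_Zombie", "Stream_DoS"}

# Step 4 (assumed): signatures that are different observations of one attack step.
ATTACK_OF = {"TelnetTerminaltype": "Telnet", "TelnetXdisplay": "Telnet",
             "TelnetEnvAll": "Telnet", "Email_Ehlo": "Email_Ehlo",
             "Mstream_Zombie": "Mstream_Zombie", "Stream_DoS": "Stream_DoS"}

WINDOW = timedelta(seconds=2)   # assumed fusion window


def validate(alerts):
    """Keep only alerts whose signature the correlation model knows about."""
    return [a for a in alerts if a.signature in RELEVANT]


def deduplicate(alerts):
    """Drop exact repeats (same signature, hosts, port and timestamp)."""
    seen, out = set(), []
    for a in sorted(alerts, key=lambda a: (a.time, a.alert_id)):
        key = (a.signature, a.src, a.dst, a.dport, a.time)
        if key not in seen:
            seen.add(key)
            out.append(a)
    return out


def fuse(alerts, window=WINDOW):
    """Aggregate same-signature alerts between the same hosts that fall within `window`."""
    runs = defaultdict(list)                 # (signature, src, dst) -> list of runs
    for a in sorted(alerts, key=lambda a: a.time):
        bucket = runs[(a.signature, a.src, a.dst)]
        if bucket and a.time - bucket[-1][-1].time <= window:
            bucket[-1].append(a)             # continues the current run
        else:
            bucket.append([a])               # starts a new run
    return [HyperAlert(ATTACK_OF[sig], src, dst, run[0].time, run[-1].time,
                       {sig}, [a.alert_id for a in run])
            for (sig, src, dst), group in runs.items() for run in group]


def extract_hyper_alerts(fused, window=WINDOW):
    """Merge fused alerts of different signatures that describe the same attack step."""
    out, latest = [], {}                     # (attack, src, dst) -> open hyper-alert
    for h in sorted(fused, key=lambda h: h.start):
        key = (h.attack, h.src, h.dst)
        prev = latest.get(key)
        if prev is not None and h.start - prev.end <= window:
            prev.end = max(prev.end, h.end)
            prev.signatures |= h.signatures
            prev.alert_ids += h.alert_ids
        else:
            latest[key] = h
            out.append(h)
    return out


def local_correlation(alerts):
    return extract_hyper_alerts(fuse(deduplicate(validate(alerts))))


# Constructed sample, loosely modelled on the alert table in the overview figure.
T0 = datetime(2001, 11, 10, 6, 4, 49)
SAMPLE_ALERTS = [
    Alert(67762, T0, "202.77.162.213", "172.16.115.20", 23, "TelnetTerminaltype"),
    Alert(67763, T0, "202.77.162.213", "172.16.115.20", 23, "TelnetXdisplay"),
    Alert(67764, T0, "202.77.162.213", "172.16.115.20", 23, "TelnetEnvAll"),
    Alert(67764, T0, "202.77.162.213", "172.16.115.20", 23, "TelnetEnvAll"),   # repeat
    Alert(67765, T0 + timedelta(seconds=60), "194.7.248.153", "172.16.113.84", 25, "Email_Ehlo"),
    Alert(67777, T0 + timedelta(seconds=61), "194.7.248.153", "172.16.113.84", 25, "Email_Ehlo"),
    Alert(67766, T0 + timedelta(seconds=60), "194.7.248.153", "172.16.112.207", 25, "Email_Ehlo"),
    Alert(67767, T0 + timedelta(seconds=44), "172.16.115.20", "255.255.255.255", 9325, "Mstream_Zombie"),
    Alert(67776, T0 + timedelta(seconds=45), "172.16.115.20", "172.16.112.50", 9325, "Mstream_Zombie"),
    Alert(67773, T0 + timedelta(seconds=116), "78.111.82.41", "131.84.1.31", 25471, "Stream_DoS"),
    Alert(99999, T0, "10.0.0.1", "10.0.0.2", 80, "HTTP_Get"),                      # not in the model
]

if __name__ == "__main__":
    for h in local_correlation(SAMPLE_ALERTS):
        print(h.attack, h.src, "->", h.dst, sorted(h.signatures), h.alert_ids)
```

On the sample the eleven raw alerts shrink to six hyper alerts: the unknown HTTP_Get is dropped at validation, the repeated 67764 at de-duplication, the two Email_Ehlo alerts to the same host are fused into one, and the three Telnet signatures against 172.16.115.20 collapse into one Telnet hyper alert carrying all three signatures.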

Page 8: Global Correlation

• Correlate hyper alerts corresponding to different stages of a complex attack

• Based on evidential network reasoning

• Knowledge base contains evidential network model of the attack

• Dempster-Shafer theory of evidence provides the foundation for attack modelling, uncertainty representation, and information inference

Page 9: DS Theory of Evidence

• The system is represented by a set of variables $V = \{v_1, \dots, v_n\}$

• The domain of a node is a set of variables, e.g. $D = \{x\}$

• Frame of discernment $\Theta = \{w_1, \dots, w_k\}$, where each $w_i$ is a possible value of $x$

• A mass function is defined on the power set of $\Theta$:

$m: 2^{\Theta} \to [0, 1]$, with $m(\emptyset) = 0$ and $\sum_{A \subseteq \Theta} m(A) = 1$

Page 10: Evidential Networks

• $V$ is the set of variables

• $\Theta_V$ is the set of frames

• $M_V$ is the set of mass functions

• Operations: combination, marginalisation, extension

Page 11: Relation Implication Rule

• Domain knowledge is represented by IF-THEN rules

• A degree of confidence measures the uncertainty of a rule

• "IF A THEN B" with degree of confidence $\rho \in [\alpha, \beta]$, where $0 \le \alpha \le \beta \le 1$

Page 12: DS Frame Representation

The rule "IF A THEN B" with $\rho \in [\alpha, \beta]$, $0 \le \alpha \le \beta \le 1$, where $A \subseteq \Theta_{v_i}$ and $B \subseteq \Theta_{v_j}$, is represented by a mass function $m_{ij}$ on the product frame $\Theta_{v_j} \times \Theta_{v_i}$:

$$
m_{ij}(C) =
\begin{cases}
\alpha & \text{if } C = (B \times A) \cup (\Theta_{v_j} \times \bar{A}) \\
1 - \beta & \text{if } C = (\bar{B} \times A) \cup (\Theta_{v_j} \times \bar{A}) \\
\beta - \alpha & \text{if } C = \Theta_{v_j} \times \Theta_{v_i}
\end{cases}
$$

Page 13: From Attack Tree

[Figure: attack tree of the DDoS scenario. Nodes: IPSweep, Sadmind_Ping, SadmindBOF, VulnerableSadmind, Rsh, Mstream_Zombie, StreamDOS, AccessControl, SystemCompromised, ReadyToLaunchDDOS, LaunchDDoS. The legend distinguishes intrusion actions from system states.]

Page 14: From Attack Tree

Page 15: To Evidential Network Model

Page 16: Evidential Network Model (evidence node)

Domain of variables: $d_{ISs} = \{ISs\}$

Frame of discernment: $\Theta_{ISs} = \{1, 0\}$

Mass function (evidence): $m_{ISs}(\{1\}) = 0.9$; $m_{ISs}(\{1, 0\}) = 0.1$

Page 17: Evidential Network Model (knowledge node)

Domain of variables: $d = \{ISa, ISs\}$

Frame of discernment: $\Theta = \{(1,1), (1,0), (0,1), (0,0)\}$, pairs written as $(ISa, ISs)$

Implication rules: $ISs \to ISa$ $[0.57, 1]$; $\neg ISs \to ISa$ $[0.43, 1]$

Mass function (knowledge), obtained by combining the two rule masses of the page-12 form:

$m(\{(1,1), (1,0)\}) = 0.245$

$m(\{(1,1), (1,0), (0,0)\}) = 0.325$

$m(\{(1,1), (1,0), (0,1)\}) = 0.185$

$m(\Theta) = 0.245$

Page 18: Evidential Inference

Page 19: Evidence

$m_{ISs}(\{1\}) = 0.9$; $m_{ISs}(\{1, 0\}) = 0.1$

Page 20: Evidence Propagation

The evidence at the sensor node is extended to the domain of the relational node it connects to, combined with that node's knowledge mass, passed to the next node in the same way, and finally marginalised onto the variable of interest. Writing $d_1, d_2$ for the node domains along the propagation path, $d_r, d_s$ for the two relational (knowledge) nodes and $d_t$ for the target variable:

Extension: $m'_{1} = m_{ISs}^{d_{ISs} \uparrow d_{1}}$, $m''_{1} = m_{r}^{d_{r} \uparrow d_{1}}$

Combination: $m_{1} = m'_{1} \oplus m''_{1}$

Extension: $m'_{2} = m_{1}^{d_{1} \uparrow d_{2}}$, $m''_{2} = m_{s}^{d_{s} \uparrow d_{2}}$

Combination: $m_{2} = m'_{2} \oplus m''_{2}$

Marginalisation: $m'_{t} = m_{2}^{d_{2} \downarrow d_{t}}$
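The following Python is an added example, not code from the talk. It implements the three operations named on page 10 (combination, extension, marginalisation), builds the page-12 relational mass for an IF-THEN rule with confidence $[\alpha, \beta]$, reproduces the page-17 knowledge mass from the two rules $ISs \to ISa$ $[0.57, 1]$ and $\neg ISs \to ISa$ $[0.43, 1]$, and then carries the page-16 evidence through extension, combination and marginalisation as on page 20 to obtain belief and plausibility for $ISa = 1$. The variable names ISs/ISa, the rule confidences and the evidence mass are the slides'; the frozenset-of-tuples encoding, the function names and the joint tuple order $(ISa, ISs)$ are choices made here.

```python
"""Dempster-Shafer evidential reasoning for the talk's IPSweep example.

Added example, not code from the talk.  Focal elements are frozensets of value tuples;
tuples are ordered like the mass function's variable names.  ISs = IPSweep alert seen by
the sensor, ISa = IPSweep action actually performed (names and numbers from the slides).
"""
from itertools import product


class Mass:
    """Mass function over the product frame of `names`, built from (set, weight) pairs."""

    def __init__(self, names, frames, focal):
        self.names, self.frames, self.focal = tuple(names), dict(frames), {}
        for s, w in focal:
            if w > 1e-12:                    # drop zero-mass focal elements
                self.focal[frozenset(s)] = self.focal.get(frozenset(s), 0.0) + w
        if frozenset() in self.focal or abs(sum(self.focal.values()) - 1.0) > 1e-9:
            raise ValueError("m(empty) must be 0 and the masses must sum to 1")


def rule_mass(ante, A, cons, B, alpha, beta, frames):
    """Page 12: 'IF ante in A THEN cons in B' with confidence in [alpha, beta],
    as a mass function on Theta_cons x Theta_ante (tuples are (cons, ante))."""
    if not 0 <= alpha <= beta <= 1:
        raise ValueError("need 0 <= alpha <= beta <= 1")
    ta, tc, A, B = set(frames[ante]), set(frames[cons]), set(A), set(B)
    ante_false = {(c, a) for c in tc for a in ta - A}      # rule says nothing here
    return Mass((cons, ante), frames, [
        ({(b, a) for b in B for a in A} | ante_false, alpha),          # A -> B
        ({(b, a) for b in tc - B for a in A} | ante_false, 1 - beta),  # A -> not B
        (set(product(tc, ta)), beta - alpha),                          # ignorance
    ])


def extend(m, names):
    """Vacuous extension of m to the variable tuple `names` (a superset of m.names)."""
    names = tuple(names)
    idx = [names.index(v) for v in m.names]
    configs = list(product(*(m.frames[v] for v in names)))
    return Mass(names, m.frames,
                [(frozenset(c for c in configs if tuple(c[i] for i in idx) in s), w)
                 for s, w in m.focal.items()])


def marginalise(m, names):
    """Project every focal element onto the variables in `names`, adding up masses."""
    idx = [m.names.index(v) for v in names]
    return Mass(tuple(names), m.frames,
                [(frozenset(tuple(c[i] for i in idx) for c in s), w) for s, w in m.focal.items()])


def combine(m1, m2):
    """Dempster's rule; operands are first extended to the union of their variables."""
    names = m1.names + tuple(v for v in m2.names if v not in m1.names)
    frames = {**m1.frames, **m2.frames}
    a = extend(Mass(m1.names, frames, m1.focal.items()), names)
    b = extend(Mass(m2.names, frames, m2.focal.items()), names)
    pairs, conflict = [], 0.0
    for (s, w1), (t, w2) in product(a.focal.items(), b.focal.items()):
        if s & t:
            pairs.append((s & t, w1 * w2))
        else:
            conflict += w1 * w2              # mass that would land on the empty set
    if conflict > 1 - 1e-12:
        raise ValueError("total conflict between the two sources")
    return Mass(names, frames, [(s, w / (1 - conflict)) for s, w in pairs])


def belief(m, S):
    return sum(w for t, w in m.focal.items() if t <= frozenset(S))


def plausibility(m, S):
    return sum(w for t, w in m.focal.items() if t & frozenset(S))


FRAMES = {"ISs": (1, 0), "ISa": (1, 0)}          # 1 = true, 0 = false (page 16)


def knowledge_mass():
    """Page 17: the two implication rules combined into one relational mass on (ISa, ISs)."""
    r1 = rule_mass("ISs", {1}, "ISa", {1}, 0.57, 1.0, FRAMES)   #  ISs -> ISa [0.57, 1]
    r2 = rule_mass("ISs", {0}, "ISa", {1}, 0.43, 1.0, FRAMES)   # ~ISs -> ISa [0.43, 1]
    return combine(r1, r2)


def evidence_mass():
    """Page 16: the IPSweep alert is trusted with mass 0.9; 0.1 is left as ignorance."""
    return Mass(("ISs",), FRAMES, [({(1,)}, 0.9), ({(1,), (0,)}, 0.1)])


def infer_isa():
    """Page 20: extension -> combination -> marginalisation; returns (Bel, Pl) of ISa = 1."""
    m_k = knowledge_mass()
    m_e = extend(evidence_mass(), m_k.names)
    m_isa = marginalise(combine(m_k, m_e), ("ISa",))
    return belief(m_isa, {(1,)}), plausibility(m_isa, {(1,)})


if __name__ == "__main__":
    for s, w in knowledge_mass().focal.items():
        print(sorted(s), round(w, 4))          # the four page-17 masses
    print("Bel(ISa=1), Pl(ISa=1) =", infer_isa())
```

Running it prints the page-17 masses 0.2451, 0.3249, 0.1849 and 0.2451 (the slide rounds them to three decimals), and the propagated evidence yields $Bel(ISa = 1) = 0.57 \cdot (0.9 + 0.43 \cdot 0.1) = 0.53751$ with $Pl(ISa = 1) = 1$: the sensor alert raises support for an actual IP sweep to just over 0.5 while nothing in the model argues against it, which is exactly the "how sure are we" answer the talk sets out to provide. The conflict normalisation in `combine` is exercised when two sources disagree, e.g. one source putting 0.8 on $ISs = 1$ and another 0.5 on $ISs = 0$.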

Page 21: Forward Propagation

Page 22: Experiments

• DARPA 2000 dataset

• Two DDoS attack scenarios
– LLDoS 1.0: inside and DMZ
– LLDoS 2.0.2: inside and DMZ

• RealSecure alert files

Page 23: Results

Detection:

Dataset | Observable attacks # | RealSecure: alerts # | RealSecure: detected attacks # | Our method: alerts # | Our method: detected attacks # | Attack detection %
LLDOS 1.0 Inside | 60 | 922 | 37 | 61 | 37 | 100
LLDOS 1.0 DMZ | 89 | 886 | 51 | 92 | 51 | 100
LLDOS 2.0.2 Inside | 15 | 489 | 12 | 23 | 12 | 100
LLDOS 2.0.2 DMZ | 7 | 425 | 4 | 8 | 4 | 100

Correlation:

| LLDOS 1.0 Inside | LLDOS 1.0 DMZ | LLDOS 2.0.2 Inside | LLDOS 2.0.2 DMZ
Related alerts | 61 | 96 | 25 | 8
Correlated alerts | 61 | 95 | 23 | 8
Correctly correlated alerts | 61 | 95 | 23 | 8
Completeness % (correctly correlated / related) | 100 | 98.96 | 92.00 | 100
Soundness % (correctly correlated / correlated) | 100 | 100 | 100 | 100

Page 24: Conclusions and Future Work

• Proposed an alert correlation technique
– Evidential network reasoning
– Models uncertain sensor detections and relationship knowledge
– Numerically infers security state changes to draw a semantic view of the attack

• Future work
– Learning the evidential network model of an attack from domain experts and data
– Recognising variations of an attack
– Real-time correlation

Page 25: Thanks

Questions?