Method and System for Autonomic Generation of Site-Specific Correlation Rules
Original Publication Date: 2004-Feb-03
Included in the Prior Art Database: 2004-Feb-03
Disclosed is a framework for automatically finding site-specific correlation rules for intrusion detection alert correlation.
Intrusion detection alerts (alerts for short) are extremely abundant and redundant. It is therefore ineffective to present individual alerts to the intrusion detection analyst (analyst, for short). As a work-around, one typically correlates alerts into alert groups, i.e. groups of related alerts. Then, only the alert groups, but not their constituent alerts, are presented to the analyst. Unfortunately, it is a very difficult problem to find good correlation rules, i.e. good rules for grouping alerts into alert groups. This difficulty of finding good correlation rules arises because each deployment of intrusion detection systems (IDSs) triggers a unique and site-specific mix of alerts. This mix is site-specific because it depends on the IDSs installed, the topology of the site, software installed at the site, and many other characteristics of the site.
The conventional solution consists in manually crafting and tweaking site-specific correlation rules. Clearly, this solution is costly and error-prone.
This text describes a framework for automatically finding site-specific correlation rules, while aging and discarding old ones. This vastly reduces the cost and error-potential of correlation.
2. Summary of the Idea
The main ideas can be summarized as follows:
(1) Apply data mining to extract human-understandable alert patterns (HUAPs) from the alerts triggered by one or several IDSs.
--> Note: A HUAP is meaningful to and interpretable by an analyst; that's what "human-understandable" means.
(2) Use these HUAPs as correlation rules, i.e. match all incoming alerts against the library of HUAPs.
Once a HUAP has been instantiated (i.e. all its constituent alerts have been matched by incoming alerts), the correlation engine triggers a meta...
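The two steps above, mining patterns from historical alerts and then matching live alerts against the mined library, as an added, self-contained Python example. This is illustrative code written for this page, not the disclosure's own implementation. Everything about the shape of a HUAP is an assumption here: a pattern is taken to be a set of alert signatures that must all be seen from the same source host within a time window, the "mining" step is a plain co-occurrence count with a minimum support threshold standing in for whatever data-mining algorithm the disclosure intends, and the event emitted on instantiation is assumed to be a summary ("meta") alert, since the text is cut off at that word. All alerts and signature names are constructed sample data.

```python
"""Toy alert correlation: mine candidate HUAPs from historical alerts, then use
them as correlation rules over a live alert stream.  Added example; the HUAP
shape (signature set + shared source + time window) is an assumption."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds (constructed timestamps)
    signature: str   # IDS signature name (constructed)
    src: str
    dst: str


@dataclass(frozen=True)
class Huap:
    """Assumed pattern shape: signatures that co-occur from one source host
    within `window` seconds."""
    name: str
    signatures: FrozenSet[str]
    window: int


def mine_huaps(history: List[Alert], window: int, min_support: int) -> List[Huap]:
    """Stand-in for the data-mining step: bucket alerts per (source, window),
    count recurring signature sets of size >= 2, keep those with enough support."""
    buckets: Dict[Tuple[str, int], set] = defaultdict(set)
    for a in history:
        buckets[(a.src, a.ts // window)].add(a.signature)
    counts = Counter(frozenset(s) for s in buckets.values() if len(s) >= 2)
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])
    return [Huap(f"huap-{i}", sigs, window) for i, (sigs, n) in enumerate(ranked)
            if n >= min_support]


class CorrelationEngine:
    """Matches incoming alerts against the HUAP library and emits one summary
    (meta) alert per instantiated pattern instead of each raw alert."""

    def __init__(self, library: List[Huap]):
        self.library = library
        # (huap name, src) -> {signature: alert}: partially matched patterns
        self.partial: Dict[Tuple[str, str], Dict[str, Alert]] = {}
        self.last_hit: Dict[str, int] = {}   # huap name -> last instantiation time

    def feed(self, alert: Alert) -> List[dict]:
        metas = []
        for h in self.library:
            if alert.signature not in h.signatures:
                continue
            key = (h.name, alert.src)
            seen = self.partial.setdefault(key, {})
            # age out constituent alerts that fall outside the pattern's window
            for sig, old in list(seen.items()):
                if alert.ts - old.ts > h.window:
                    del seen[sig]
            seen[alert.signature] = alert
            if set(seen) == set(h.signatures):   # all constituents matched
                metas.append({"huap": h.name, "src": alert.src,
                              "alerts": sorted(seen.values(), key=lambda a: a.ts)})
                self.last_hit[h.name] = alert.ts
                del self.partial[key]
        return metas

    def prune_stale(self, now: int, max_idle: int) -> List[Huap]:
        """Rule aging: discard HUAPs that have not instantiated within max_idle."""
        self.library = [h for h in self.library
                        if now - self.last_hit.get(h.name, -max_idle - 1) <= max_idle]
        return self.library


# Constructed history: a scan-then-bad-request pair recurs from two hosts; one stray ping.
HISTORY = [
    Alert(100, "PORTSCAN", "10.0.0.5", "10.0.1.1"),
    Alert(130, "BAD_HTTP_REQUEST", "10.0.0.5", "10.0.1.1"),
    Alert(400, "PORTSCAN", "10.0.0.7", "10.0.1.2"),
    Alert(420, "BAD_HTTP_REQUEST", "10.0.0.7", "10.0.1.2"),
    Alert(700, "ICMP_PING", "10.0.0.9", "10.0.1.3"),
]

# Constructed live stream: one full instantiation, one pair that misses the window.
LIVE = [
    Alert(1000, "PORTSCAN", "10.0.0.42", "10.0.1.1"),
    Alert(1050, "ICMP_PING", "10.0.0.42", "10.0.1.1"),       # not in any pattern
    Alert(1100, "BAD_HTTP_REQUEST", "10.0.0.42", "10.0.1.1"),  # completes huap-0
    Alert(2000, "PORTSCAN", "10.0.0.43", "10.0.1.1"),
    Alert(2500, "BAD_HTTP_REQUEST", "10.0.0.43", "10.0.1.1"),  # 500 s later: outside window
]


def run_demo(window: int = 300, min_support: int = 2):
    library = mine_huaps(HISTORY, window, min_support)
    engine = CorrelationEngine(library)
    metas = [m for a in LIVE for m in engine.feed(a)]
    return library, metas


if __name__ == "__main__":
    lib, found = run_demo()
    print("mined rules:", [(h.name, sorted(h.signatures)) for h in lib])
    for m in found:
        print("meta alert:", m["huap"], m["src"], [a.signature for a in m["alerts"]])
```

The point the page makes is visible in the second half of the run: five raw alerts reach the engine, the analyst sees one grouped event, and the mined rule fires only when every constituent appears within its window from one source. `prune_stale` is the simplest form of the "aging and discarding old ones" the text mentions; in practice the support threshold, window and idle timeout would be tuned per site, which is exactly the site-specific knob the disclosure wants to derive from data rather than by hand.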