A Hierarchical Security Event Correlation Model for Real-Time Threat Detection and Response



Maosa, Herbert, Ouazzane, Karim ORCID: 0000-0002-7129-5809 and Ghanem, Mohamed Chahine ORCID: 0000-0002-7067-7848
(2024) A Hierarchical Security Event Correlation Model for Real-Time Threat Detection and Response. Network, 4 (1). pp. 68-90.

PDF: network-04-00004.pdf - Open Access published version

Abstract

An intrusion detection system (IDS) performs post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analyzed and triaged by security analysts. This process is largely manual, tedious, and time-consuming. Alert correlation is a technique that reduces the number of intrusion alerts by aggregating alerts that are similar in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the IDS has already generated a high volume of alerts. These third-party systems add to the complexity of security operations. In this paper, we build on the highly researched area of alert and event correlation by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an intrusion detection system. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best features from similarity-based and graph-based correlation techniques to deliver an ensemble capability not possible with either approach separately. Further, we propose a correlation process for events rather than alerts, as is the case in the current state of the art. We further develop our own correlation and clustering algorithm, which is tailor-made for the correlation and clustering of network event data. The model is implemented as a proof of concept, with experiments run on standard intrusion detection datasets. The correlation achieves an 87% data reduction through aggregation, producing nearly 21,000 clusters in about 30 s.

Item Type: Article
Divisions: Faculty of Science and Engineering > School of Electrical Engineering, Electronics and Computer Science
Depositing User: Symplectic Admin
Date Deposited: 13 Feb 2024 10:51
Last Modified: 09 Apr 2024 07:13
DOI: 10.3390/network4010004
URI: https://livrepository.liverpool.ac.uk/id/eprint/3178620