Mining and Ranking Incidents for High Priority Intrusion Analysis

Show simple item record

dc.contributor Vrbsky, Susan
dc.contributor Dixon, Brandon
dc.contributor Smith, Randy
dc.contributor Chen, Bernard
dc.contributor.advisor Atkison, Travis
dc.contributor.author Haque, Md Shariful
dc.date.accessioned 2022-04-13T20:33:51Z
dc.date.available 2027-09-01
dc.date.issued 2020
dc.identifier.other http://purl.lib.ua.edu/182059
dc.identifier.other u0015_0000001_0004212
dc.identifier.other Haque_alatus_0004D_14210
dc.identifier.uri https://ir.ua.edu/handle/123456789/8391
dc.description Electronic Thesis or Dissertation
dc.description.abstract Threats and intrusions are increasing at an alarming rate even though the related technologies have advanced rapidly, so advanced threat analysis has become imperative to improve them. These technologies are primarily designed to detect or predict threats and to minimize the likelihood of damage. An efficient intrusion analysis should also yield models that are robust to external influences and produce optimized results. Several data mining techniques have been applied in these scenarios to detect both anomalies and misuse, to predict possible attack paths, or to generate attack models. Some determine alert priority, an important criterion, from different characteristics of the attack scenarios. In this dissertation, novel priority-based alert mining techniques and a ranking model are proposed to prioritize sequences of alerts and to reveal their actual impact, which is often obscured by the generic taxonomies used by detection systems. This dissertation makes the following contributions. First, a novel data mining-based alert sequence mining technique is proposed to discover potential attacks from intrusion alerts. Intrusion detection systems maintain signatures of intrusions with a severity scale; this information is leveraged predominantly in the proposed data mining-based alert association approach, which reduces the effort of post-processing alert sequences and of calculating their severity once the relationship is established. Second, a non-redundant high-priority association rule mining technique is proposed, based on the theory and background of non-redundant association rule mining. Such techniques are widely adopted to determine the correlation between items in sequences and to develop efficient prediction models with a reduced volume of derived data. Third, the above mining approaches facilitate the process of extracting severe incidents based on priority. However, severity levels determined by the detection system are generic; thus, their real consequences are hard to perceive. Multi-criteria decision making (MCDM) is a prominent research area for assessing different alternatives. The proposed approach combines MCDM techniques to further rank the prioritized threats against several benchmarks. The novelty of our technique is to consider the priority level of alerts at the early stages of attack analysis and later determine the overall attack scenario.
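The pipeline the abstract sketches, as an added illustration that is not the dissertation's own code or algorithms: constructed Snort-style alerts are grouped per source IP, ordered alert sequences are mined with a severity weight derived from the IDS priority, association rules are derived and pruned for redundancy, and a weighted-sum MCDM score ranks what remains. The alert records, the priority-to-severity mapping, the criterion weights and the redundancy criterion are all assumptions chosen for the example, not values or definitions taken from the dissertation.

```python
"""Illustrative alert-sequence mining, non-redundant rules and MCDM ranking.
Not the dissertation's algorithms; every constant below is an assumption."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed Snort-style alerts: (timestamp, source IP, signature, priority).
# Snort priority convention: 1 = most severe, 3 = least severe.
ALERTS = [
    (1, "10.0.0.5", "ICMP PING", 3),
    (2, "10.0.0.5", "PORTSCAN", 2),
    (3, "10.0.0.5", "WEB-ATTACKS /etc/passwd", 1),
    (4, "10.0.0.5", "SHELLCODE x86 NOOP", 1),
    (5, "10.0.0.7", "ICMP PING", 3),
    (6, "10.0.0.7", "PORTSCAN", 2),
    (7, "10.0.0.7", "WEB-ATTACKS /etc/passwd", 1),
    (8, "10.0.0.9", "ICMP PING", 3),
    (9, "10.0.0.9", "PORTSCAN", 2),
    (10, "10.0.0.11", "ICMP PING", 3),
    (11, "10.0.0.11", "SMTP EXPN", 2),
]
# Assumed mapping from IDS priority to a numeric severity weight.
SEVERITY = {1: 3.0, 2: 2.0, 3: 1.0}
# Assumed MCDM criterion weights: mean severity, rule confidence, support.
WEIGHTS = {"severity": 0.5, "confidence": 0.3, "support": 0.2}

def sessions(alerts):
    """Group alerts by source IP into time-ordered signature lists."""
    by_src = defaultdict(list)
    for _ts, src, sig, _pri in sorted(alerts):
        by_src[src].append(sig)
    return list(by_src.values())

def subsequences(sigs, max_len):
    """All ordered (not necessarily contiguous) subsequences up to max_len."""
    out = set()
    for k in range(1, min(max_len, len(sigs)) + 1):
        for idx in combinations(range(len(sigs)), k):
            out.add(tuple(sigs[i] for i in idx))
    return out

def mine_sequences(alerts, min_support=2, max_len=3):
    """Frequent sequences -> (support, mean severity of the sequence)."""
    sev = {sig: SEVERITY[pri] for _, _, sig, pri in alerts}
    support = Counter()
    for sigs in sessions(alerts):
        for sub in subsequences(sigs, max_len):
            support[sub] += 1  # one count per session, however often it recurs
    return {seq: (cnt, sum(sev[s] for s in seq) / len(seq))
            for seq, cnt in support.items() if cnt >= min_support}

def is_subseq(short, long):
    """True if `short` is an ordered subsequence of `long`."""
    it = iter(long)
    return all(any(x == y for y in it) for x in short)

def mine_rules(frequent):
    """Rules prefix -> last item. A rule is redundant (and dropped) when a
    rule with a shorter prefix that is a subsequence of it predicts the same
    consequent with at least the same confidence (assumed criterion)."""
    rules = {}
    for seq, (cnt, _) in frequent.items():
        if len(seq) < 2:
            continue
        prefix, last = seq[:-1], seq[-1]
        rules[(prefix, last)] = cnt / frequent[prefix][0]  # confidence
    kept = {}
    for (prefix, last), conf in rules.items():
        redundant = any(
            len(p2) < len(prefix) and is_subseq(p2, prefix) and c2 >= conf
            for (p2, l2), c2 in rules.items() if l2 == last)
        if not redundant:
            kept[(prefix, last)] = conf
    return kept

def rank_rules(frequent, rules):
    """Weighted-sum MCDM: normalise each criterion to [0, 1], then combine."""
    max_support = max(frequent[p + (l,)][0] for p, l in rules)
    max_sev = max(SEVERITY.values())
    scored = []
    for (prefix, last), conf in rules.items():
        cnt, mean_sev = frequent[prefix + (last,)]
        score = (WEIGHTS["severity"] * mean_sev / max_sev
                 + WEIGHTS["confidence"] * conf
                 + WEIGHTS["support"] * cnt / max_support)
        scored.append((round(score, 4), prefix, last))
    return sorted(scored, reverse=True)

if __name__ == "__main__":
    freq = mine_sequences(ALERTS)
    for score, prefix, last in rank_rules(freq, mine_rules(freq)):
        print(f"{score:.3f}  {' -> '.join(prefix)} => {last}")
```

On the constructed data the sequence ICMP PING then PORTSCAN has the highest support and confidence, yet PORTSCAN then WEB-ATTACKS ranks first once the severity criterion is weighed in; the rule ICMP PING, PORTSCAN => WEB-ATTACKS is dropped as redundant because PORTSCAN => WEB-ATTACKS already carries the same confidence with a shorter antecedent. That is the gap between raw detector frequency and real consequence that the abstract's ranking stage is meant to close.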
dc.format.medium electronic
dc.format.mimetype application/pdf
dc.language English
dc.language.iso en_US
dc.publisher University of Alabama Libraries
dc.relation.ispartof The University of Alabama Electronic Theses and Dissertations
dc.relation.ispartof The University of Alabama Libraries Digital Collections
dc.relation.hasversion born digital
dc.rights All rights reserved by the author unless otherwise indicated.
dc.title Mining and Ranking Incidents for High Priority Intrusion Analysis
dc.type thesis
dc.type text
etdms.degree.department University of Alabama. Department of Computer Science
etdms.degree.discipline Computer science
etdms.degree.grantor The University of Alabama
etdms.degree.level doctoral
etdms.degree.name Ph.D.

