A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs

Cited by: 46
Authors
Ahmadinejad, Seyed Hossein [1 ]
Jalili, Saeed [1 ,3 ]
Abadi, Mandi [1 ,2 ]
Affiliations
[1] Tarbiat Modares Univ, Intrus Prevent Detect Lab, Fac Elect & Comp Engn, Tehran, Iran
[2] Tarbiat Modares Univ, Dept Comp Engn, Tehran, Iran
[3] Tarbiat Modares Univ, Sch Elect & Comp Engn, Tehran, Iran
Keywords
Alert correlation; Network security; Attack graph; Exploit; Intrusion detection
DOI
10.1016/j.comnet.2011.03.005
CLC classification number
TP3 [Computing technology, computer technology]
Discipline classification code
0812
Abstract
Managing and analyzing a huge number of low-level alerts is very difficult and exhausting for network administrators. Alert correlation methods have been proposed to decrease the number of alerts and make them more intelligible. Proposed methods for alert correlation differ in terms of their performance, accuracy and adaptivity. We present a new hybrid model that not only correlates alerts as accurately and efficiently as possible but is also able to improve over time. The model presented in this paper consists of two parts: (1) an attack graph-based method to correlate alerts raised for known attacks and to hypothesize missed alerts, and (2) a similarity-based method to correlate alerts raised for unknown attacks, which cannot be correlated using the first part, and also to update the attack graph. These two parts cooperate with each other such that if the first part cannot correlate a new alert, the second part is applied. We propose two different methods for these two parts. In order to update the attack graph, we present a technique (using the similarity-based method in the second part of the model) which is actually the most salient feature of our model: the capability of hypothesizing missed exploits and discovering defects in the pre- and post-conditions of known exploits in attack graphs. We also propose an additional method, named alerts bisimulation, for compressing graphs of correlated alerts. The results of experiments on DARPA2000 clearly show that the model can accurately correlate alerts. The ability to update attack graphs is also illustrated using an experiment. (C) 2011 Elsevier B.V. All rights reserved.
Pages: 2221 / 2240
Page count: 20