This section outlines a procedure for meta-alert generation based on the aforementioned concepts and functions. We first describe the overall approach and then present its steps in two scenarios.
4.1 Overview
Our procedure reads in a sequence of alerts from one or multiple IDSs. The first step is to form groups from these incoming alerts as outlined in Section
3.3.1. Unfortunately, manually specifying
δ as the maximum allowed interval time between alerts is non-trivial, because it requires a high amount of knowledge about alert interactions and expected attack pattern structures. Even worse, different alert patterns may require specific settings for
δ that are incompatible with each other. To resolve this issue, we carry out group formation in parallel for several values
δ ∈
Δ similar to Figure
3, where
Δ is the set of all values for
δ. This increases the chance that valid and usable meta-alerts are found for various types of attacks. In addition, it forms a hierarchical structure of alert patterns, where small
δ values generate groups that contain mainly technically linked alerts, e.g., a failed login alert that occurs simultaneously with a frequency alert for such events, and groups generated by large
δ values that contain sequentially executed attack steps [
15]. For simplicity, we only use
δ in the following and implicitly assume that all computations are carried out for all
δ ∈
Δ analogously.
We define a set of meta-alerts
\( \mathcal {M}_\delta \) that holds merged groups. Note that the index
δ indicates that meta-alerts are generated for all
δ values separately, i.e., groups formed by different
δ values are not merged together. The reason for this is that merging groups that were partially formed from the same alert occurrences may lead to overly generalized meta-alerts and thus loss of information. For example, consider the groups from Figure
3, where group
\( \left(\square , \triangledown , \circ \right) \in \mathcal {G}_{2.5} \) and group
\( \left(\ --, \square , \triangledown , \circ \right) \in \mathcal {G}_{3.5} \) contain three identical alerts and may thus be considered similar enough for merging. This is not desirable, since the resulting merge will involve the alert type − −, which is not part of the actual attack pattern
\( \left(\square , ⧖ , \circ \right) \) that is the result of merging
\( \left(\square , \triangle , \circ \right) \in \mathcal {G}_{2.5} \) and
\( \left(\square , \triangledown , \circ \right) \in \mathcal {G}_{2.5} \) . Such cascading merges occurring over different
δ values could mostly be prevented by prohibiting merges of groups that contain identical alert instances. However, to avoid this issue altogether and to enable a thorough evaluation for each
δ value, we process all meta-alerts sets
\( \mathcal {M}_\delta \) isolated.
A new group \( g \in \mathcal {G}_\delta \) is incrementally added to the set of meta-alerts \( \mathcal {M}_\delta \) by finding the meta-alert \( m \in \mathcal {M}_\delta \) with the highest similarity, i.e., \( sim = max_{m \in \mathcal {M}_\delta }(group\_sim(g, m)) \) . If the similarity is higher than a predefined threshold θgroup ∈ [0, 1], i.e., sim ≥ θgroup, the group is added to the most similar meta-alert m, otherwise a new meta-alert is generated for this group.
It is not recommended to merge group g and meta-alert m directly, i.e., \( m = group\_merge(\left\lbrace g, m \right\rbrace) \) , because this causes that meta-alerts over-generalize over time. The reason for this is that a single incorrect allocation of a group to a meta-alert extends mergelists of attributes or introduces wildcards, which will increase the similarity of the meta-alert to all other groups and thus make it more susceptible to incorrect allocations in a self-enforcing loop. As a solution, we store allocated groups for each meta-alert in a so-called knowledge base \( \mathcal {K}_\delta \) , where \( K_m \subseteq \mathcal {K}_\delta \) is the set of all groups allocated to meta-alert m. For group g and meta-alert m where sim ≥ θgroup, we therefore update the knowledge base Km⇐g and regenerate meta-alert \( m = group\_merge(K_m) \) from all groups. The advantage of this strategy is that it allows to generate meta-alerts from more than two groups at the same time, which is more robust against single group misallocations since attribute merging can be based on majority decision or predefined minimum occurrences. In addition, it allows to adapt group allocations in the knowledge base, e.g., reallocate individual groups that turn out to be incorrectly classified without the need to remove the meta-alert, split one meta-alert m into multiple meta-alerts by extracting subsets of Km, or merge meta-alerts by unifying their groups.
Storing all identified groups in the knowledge base is usually infeasible in practice due to limited available memory as well as increasing runtime for merging larger amounts of groups. We therefore use a queue to enable the following strategies for storing groups in each \( K_m \subseteq \mathcal {K}_\delta \) :
•
Unlimited storage. This strategy implies that queue sizes grow indefinitely. Such a strategy is useful for forensic analyses, where the total number of groups is limited and known to be sufficiently small, and it is thus possible to store all groups.
•
Linear storage. With this strategy, the size of the queues is limited. Once the queue is full, adding a new group will cause the oldest group in the queue to be removed.
•
Logarithmic storage. First, the queue is filled to its maximum size. Then, any newly added group will replace the last group with probability 1/2, move the last group one position lower with probability 1/4, move each of the last two groups one position lower with probability 1/8, etc. This ensures that groups at the beginning of the queue remain in the queue for a longer time span and that the groups stored in the queue collectively represent a more diverse set. This strategy is therefore especially useful when related alerts are expected to occur over long time intervals, e.g., when they are collected from different environments.
In the next section, we show the individual steps of the procedure by two application cases. For simplicity, we assume that the unlimited storage strategy is used and thus treat each Km as a set.
4.2 Scenarios
We select two scenarios to explain the approach for meta-alert generation in the following. The first scenario is displayed in Figures
5(a)–
5(d) and deals with reusing meta-alerts for classification of alerts occurring on other systems. Thereby, each of the figures depicts the state of the incremental alert aggregation framework at a specific point in time. Moreover, we constructed the figures to show the alert occurrences
\( \mathcal {A} \) and the formed groups
\( \mathcal {G}_\delta \) in the bottom, the generated meta-alerts
\( \mathcal {M}_\delta \) in the center, and the knowledge base
\( \mathcal {K}_\delta \) in the top. Note that in each of these blocks we display two sections, one for a
δlarge value (top) and one for a
δsmall value (bottom), where
δlarge >
δsmall. For simplicity, we focus only on groups generated by the
δlarge value in the first scenario.
Figure
5(a) depicts the state of the framework after one group
g1 = (□, △, ○, □, △, ○) was formed for
δlarge, i.e., the time passed after the last alert occurrence exceeds
δlarge. Since no meta-alerts exist at this point, a new meta-alert
m1 is created by instantiating group
\( K_{m_1} \Leftarrow g_1 \) so that
\( K_{m_1} = \left\lbrace g_1 \right\rbrace \) in the knowledge-base as indicated by step (1), and generating meta-alert
\( m_1 = group\_merge(K_{m_1}) \) as indicated by step (2). Note that meta-alert
m1 involves the same alert sequence with identical attributes as group
g1, but all values are represented as mergelists as outlined in Section
3.4.1.
Figure
5(b) depicts the occurrence of another group
g2 = (□, △, ○, □, △, ○) on system A. Step (3) shows that the similarity between
g2 and each
\( m \in \mathcal {M}_\delta \) is computed, in particular, only the similarity
\( sim_{g_2} = group\_sim(g_2, m_1) \) is computed since only
\( m_1 \in \mathcal {M}_\delta \) exists. Due to the fact that both groups
g1,
g2 involve the same alert sequence, we assume that their similarity exceeds a predefined threshold
θgroup, i.e.,
\( sim_{g_2} = group\_sim(g_2, m_1) \ge \theta _{group} \) , indicating that
g1 relates to the same root cause as
m1 and should therefore be aggregated. Figure
5(c) shows that this is achieved by adding group
g2 to the knowledge base storing the groups allocated to
m1, i.e.,
\( K_{m_1} \Leftarrow g_2 \) so that
\( K_{m_1} = \left\lbrace g_1, g_2 \right\rbrace \) , as indicated by step (4). Adding a group to
\( K_{m_1} \) triggers a regeneration of meta-alert
m1 as indicated by step (5), i.e.,
\( m_1 = group\_merge(K_{m_1}) \) . Assuming that all alerts in groups
g1,
g2 have the same attributes and values, the resulting meta-alert
m1 remains unchanged.
Figure
5(d) displays group
g3 = (□, △, ○, □, ▽, − −) occurring in system B at some point after
m1 is generated from alerts on system A. Step (6) depicts the similarity computation
\( sim_{g_3} = group\_sim(g_3, m_1) \) . Note that only the first four out of six alerts in
m1 and
g3 are identical, while the fifth alert ▽ of
g3 is a variation of alert △ in
m1 and the sixth alert is of a different type. If the similarity is sufficiently high, i.e.,
\( sim_{g_3} \ge \theta _{group} \) , the occurrence of the group is interpreted as a detection of the attack represented by
m1. Otherwise, the group is assumed to depict a new unknown attack, causing that a new meta-alert is generated from group
g3 similar to steps (1)–(2).
The procedure for groups identified for
δsmall is indicated by dashed arrows and works analogously. Figures
5(a)–
5(c) show that four groups occurring on system A are iteratively added to the knowledge base
\( K_{m_2} \) and are merged to a single meta-alert
m2 = (□, △, ○). Figure
5(d) shows that two groups are identified for
δsmall, of which one comprises the same alert sequence as meta-alert
m2 and is thus similar enough to yield a successful detection of the same attack pattern, while the other group is rather dissimilar and could therefore lead to the generation of a new meta-alert.
The second scenario is visualized in Figures
6(a)–
6(d) and focuses on merging alert groups across systems. For simplicity, the following description focuses on groups generated by the
δsmall value. Similar to the first scenario, steps (1) and (2) in Figure
6(a) indicate the generation of meta-alert
m1 from the first group
g1 = (○, △, ○, △) on system A, so that
\( K_{m_1} = \left\lbrace g_1 \right\rbrace \) . As shown in Figure
6(b), the difference to the first scenario is that group
g2 = (○, ▽, ○, ▷) in system A has variations of alert type △ occurring in the second and fourth alert. For the sake of example, we consider alert types
PLX −
left{△, ▽, ▷, ◁
PLX −
right} to be similar alerts with the same set of attributes but different values in one specific attribute, e.g., a different user name (cf. Section
3.4.1). Despite these variations, group
g2 involves similar alert types and therefore yields a sufficiently high similarity, i.e.,
\( sim_{g_2} = group\_sim(g_2, m_1) \ge \theta _{group} \) . As a consequence, group
g2 is added to the knowledge base of meta-alert
m1 in step (3), i.e.,
\( K_{m_1} \Leftarrow g_2 \) so that
\( K_{m_1} = \left\lbrace g_1, g_2 \right\rbrace \) , which is in turn used to update meta-alert
\( m_1 = group\_merge(K_{m_1}) \) as indicated by step (4). Since the resulting meta-alert
m1 is a merge of groups
g1,
g2, its second alert is a merge of alert types
PLX −
left{△, ▽
PLX −
right} and its fourth alert is a merge of alert types
PLX −
left{△, ▷
PLX −
right}.
Different to the first scenario, alert groups from system B are used to generate a cross-system meta-alert. Figure
6(c) shows group
g3 = (○, △, ○, △), which involves alerts △ on the second and fourth positions. Since △ is part of the aggregated alerts of meta-alert
m1, similarity
\( sim_{g_3} = group\_sim(g_3, m_1) \ge \theta _{group} \) is high and the group is thus added to
\( K_{m_1} \) . While also the second alert ▽ of group
g4 = (○, ▽, ○, ◁) yields a perfect match with the second alert ⧖ of meta-alert
m1, the fourth alert ◁ of group
g4 is not part of
m1 and thus slightly decreases similarity
\( sim_{g_4} = group\_sim(g_4, m_1) \) , which is nonetheless assumed to exceed
θgroup since all other alerts match. Therefore,
\( K_{m_1} \Leftarrow g_4 \) so that
\( K_{m_1} = \left\lbrace g_1, g_2, g_3, g_4 \right\rbrace \) as indicated by step (5). Note that in all four groups, the second alert is one of
PLX −
left{△, ▽
PLX −
right}, and the fourth alert is one of
PLX −
left{△, ▷, ◁
PLX −
right}. When generating
m1 after updating
\( K_{m_1} \) in step (6), the affected attribute of the fourth alert is therefore replaced with a wildcard so that
\( m_1 = \left(\circ , ⧖ , \circ , ⁎\right) \) . Since the wildcard matches all values, both groups
g5,
g6 displayed in Figure
6(d) yield perfect matches with
m1, even though alert ▽ in
g6 does not occur in any group of
\( K_{m_1}\!. \) Inspecting meta-alert
m2 in Figure
6(d) that was generated by groups of system A and system B using
δlarge shows that the sequence of merged alerts differs from
m1, e.g., alert types △ and ▽ occur instead of alert type ⧖. Since this scenario depicts just an exemplary demonstration that is not based on real alerts, it is not possible to determine which of the meta-alerts
m1,
m2 is better suited for detection. However, both scenarios suggest that it is reasonable to consider multiple values for
δ to generate several different meta-alerts that cover a large variety of attack manifestations.