Isfahan University of Medical Sciences

Science Communicator Platform

An AIS-Inspired Architecture for Alert Correlation

Bateni M (1); Baraani A (1); Ghorbani A (2); Rezaei A (3)

Author affiliations:
  1. Department of Computer Engineering, University of Isfahan, Isfahan, HezarJerib Street, Iran
  2. Faculty of Computer Science, University of New Brunswick, Fredericton, NB, 550 Windsor Street, Canada
  3. Department of Immunology, Isfahan University of Medical Sciences, Isfahan, HezarJerib Street, Iran

Source: International Journal of Innovative Computing, Information and Control. Published: 2013

Abstract

There are many different approaches to alert correlation, such as using correlation rules and prerequisite-consequence relations, using machine learning and statistical methods, and using similarity measures. In this paper, iCorrelator, a new AIS-inspired architecture, is presented. It uses a three-layer architecture inspired by three types of responses in the human immune system: the innate immune system's response, the adaptive immune system's primary response, and the adaptive immune system's secondary response. In comparison with other correlators, iCorrelator does not need information about different attacks and their possible relations in order to discover an attack scenario. It uses a very limited number of general rules that are not tied to any specific attack scenario. A process of incremental learning is used to handle new attacks. Therefore, iCorrelator is easy to set up and works dynamically without reconfiguration. As a result of using memory cells and an improved alert selection policy, the computational cost of iCorrelator is also acceptable, even for online correlation. iCorrelator is evaluated using the DARPA 2000 dataset and netForensics honeynet data. The completeness, soundness, false correlation rate and execution time are reported. Results show that iCorrelator is able to extract the attack graphs with acceptable accuracy, comparable to the best known solutions. © 2013 ICIC International.