An Architecture for Alert Correlation Inspired By a Comprehensive Model of Human Immune System

Full Text (PDF, 591KB), PP.47-57

Views: 0 Downloads: 0


Mehdi Bateni 1,* Ahmad Baraani 2

1. Sheikhbahaee University, Isfahan, Iran

2. University of Isfahan, Isfahan, Iran

* Corresponding author.


Received: 3 Apr. 2014 / Revised: 5 Jul. 2014 / Accepted: 15 Sep. 2014 / Published: 8 Nov. 2014

Index Terms

Alert Correlation, Intrusion Detection System (IDS), Artificial Immune System (AIS), Danger Theory


Alert correlation is the process of analyzing, relating and fusing the alerts generated by one or more Intrusion Detection Systems (IDS) in order to provide a high-level and comprehensive view of the security situation of the system or network. Different approaches, such as rule-based, prerequisites consequences-based, learning-based and similarity-based approach are used in correlation process. In this paper, a new AIS-inspired architecture is presented for alert correlation. Different aspects of human immune system (HIS) are considered to design iCorrelator. Its three-level structure is inspired by three types of responses in human immune system: the innate immune system's response, the adaptive immune system's primary response, and the adaptive immune system's secondary response. iCorrelator also uses the concepts of Danger theory to decrease the computational complexity of the correlation process without considerable accuracy degradation. By considering the importance of signals in Danger theory, a new alert selection policy is introduced. It is named Enhanced Random Directed Time Window (ERDTW) and is used to classify time slots to Relevant (Dangerous) and Irrelevant (Safe) slots based on the context information gathered during previous correlations. iCorrelator is evaluated using the DARPA 2000 dataset and a netForensics honeynet data. Completeness, soundness, false correlation rate and the execution time are investigated. Results show that iCorrelator generates attack graph with an acceptable accuracy that is comparable to the best known solutions. Moreover, inspiring by the Danger theory and using context information, the computational complexity of the correlation process is decreased considerably and makes it more applicable to online correlation.

Cite This Paper

Mehdi Bateni, Ahmad Baraani, "An Architecture for Alert Correlation Inspired By a Comprehensive Model of Human Immune System", International Journal of Computer Network and Information Security(IJCNIS), vol.6, no.12, pp.47-57, 2014. DOI:10.5815/ijcnis.2014.12.06


[1]A. Ghorbani, W. Lu, and M. Tavallaee. Network Intrusion Detection and Prevention. Springer, New York, 2010.
[2]F. Valeur, G. Vigna, C. Kruegel and R. Kemmerer. A comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing, 2004. p.153-172.
[3]M. Bateni, A. Baraani, A. Ghorbani and A. Rezaei. An AIS-inspired Architecture for Alert Correlation. International Journal of innovative Computing, Information & Control, 2013. 9(1):p. 231-255.
[4]L.N. de Castro and J. Timmis. Artificial Immune Systems: A new computational intelligence approach. Springer-Verlag London Berlin Heidelberg, 2002.
[5]P. Matzinger. Tolerance, danger and the extended family. Annual Review in Immunology, 1994. 12(1):p.991-1045.
[6]A.Watkins, J. Timmis, L. Boggess. Artificial immune recognition system (airs): An immune-inspired supervised learning algorithm. Genetic Programming and Evolvable Machines, 2004. 5(3):p. 291-317.
[7]S.T. Eckmann, G. Vigna, R.A. Kemmerer. Statl: An attack language for state-based intrusion detection, Journal of Computer Security, 2002. 10(1-2):p. 71.
[8]F. Cuppens, R. Ortalo. Lambda: A language to model a database for detection of attacks. Recent Advances in Intrusion Detection Lecture Notes in Computer Science, Springer Berlin / Heidelberg, 2000. 1907:p. 197-216.
[9]E. Totel, B. Vivinis. A language driven intrusion detection system for event and alert correlation. Security and Protection in Information Processing Systems, 2004. 147:p.208-224.
[10]O. Dain, R. Cunningham. Fusing a heterogeneous alert stream into scenarios. Proceeding of the 2001 ACM Workshop on Data Mining for Security Applications. p.1-13.
[11]L. Wang, A. Ghorbani, Y. Li. Automatic multi-step attack pattern discovering. International Journal of Network Security, 2010. 10(2):p. 142-152.
[12]P. Ning, Y. Cui and D.S. Reeves. Techniques and Tools for Analyzing Intrusion Alerts. ACM Transactions on Information and System Security, 2004. 7(2):p.274–318.
[13]S. Cheung, U. Lindqvist, M. Fong. Modeling multistep cyber attacks for scenario recognition. DARPA Information Survivability Conference and Exposition, 2000. p.284-292.
[14]F. Cuppens, A. Miege. Alert correlation in a cooperative intrusion detection framework. IEEE Symposium on Security and Privacy, 2002. p.202.
[15]X. Qin. A Probabilistic-Based Framework for INFOSEC Alert Correlation, Ph.D. thesis, Georgia Institute of Technology, 2005.
[16]H. Ren, N. Stakhanova and A. Ghorbani. An online adaptive approach to alert correlation. Volume 6201 of Lecture Notes in Computer Science, Springer Berlin / Heidelberg, 2010, p.153-172.
[17]B. Zhu and A. Ghorbani. Alert correlation for extracting attack strategies. International Journal of Network Security, 2006. 3(3):p.244-258.
[18]R. Sadoddin, A. Ghorbani. An incremental frequent structure mining framework for real-time alert correlation. Computer Security, 2009. 28(3-4):p.153-173.
[19]S.A. Hofmeyr. An Immunological Model of Distributed Detection and Its Application to Computer Security, PhD thesis, University of New Mexico, 1999.
[20]A. Uwe, C. Steve. The Danger Theory and Its Application to Artificial Immune Systems. First International Conference on Artificial Immune Systems (ICARIS-2002), Canterbury, UK, 2002.
[21]H. Ahmadinejad and S. Jalili. Alert Correlation Using Correlation Probability Estimation and Time Windows. In proceedings of the 2009 International Conference on Computer Technology and Development, IEEE Computer Society ICCTD '09, 2009. p.170-175.
[22]M. Bateni, A. Baraani. Time Window Management for Alert Correlation using Context Information and Classification. International Journal of Computer Network & Information Security, 2013. 5(11):p.9-16.
[23]Y. Yohannes and J. Hoddinott. Classification and Regression Trees: an introduction. Technical guide, International Food Policy Research Institute (IIFPRI), 1999.
[24]MIT Lincoln Laboratory. Darpa2000 intrusion detection scenario specific data sets. (last accessed May 2014).
[25]netForensics Honeynet team. Honeynet traffic logs. (last accessed May 2014).
[26]S.O. Al-Mamory, H.L.Zhang. Building Scenario Graph Using Clustering. Proceedings of the 2007 International Conference on Convergence Information Technology, IEEE Computer Society, 2007. p.799-804.