Dingbang Xu
North Carolina State University
USA
Peng Ning
North Carolina State University
USA
With the increasing security threats from infrastructure attacks such as worms and distributed denial of service attacks, it is clear that the cooperation among different organizations is necessary to defend against these attacks. However, organizations' privacy concerns for the incident and security alert data require that sensitive data be sanitized before they are shared with other organizations. Such sanitization process usually has negative impacts on intrusion analysis (such as alert correlation).
To balance the privacy requirements and the need for intrusion analysis, we propose a privacy-preserving alert correlation approach based on concept hierarchies. Our approach consists of two phases. The first phase is entropy guided alert sanitization, where sensitive alert attributes are generalized to high-level concepts to introduce uncertainty into the dataset with partial semantics.
To balance the privacy and the usability of alert data, we propose to guide the alert sanitization process with the entropy or differential entropy of sanitized attributes. The second phase is
sanitized alert correlation. We focus on defining similarity
functions between sanitized attributes and building attack scenarios
from sanitized alerts. Our preliminary experimental results demonstrate the effectiveness of the proposed techniques in terms of various measures (e.g., correct classification rates, false alert rates, and detection rates.).
Keywords: Intrusion Detection, Alert Correlation, Privacy