2nd International ICST Conference on Security and Privacy in Communication Networks

Research Article

A Flexible Approach to Intrusion Alert Anonymization and Correlation

  • @INPROCEEDINGS{10.1109/SECCOMW.2006.359544,
        author={Dingbang Xu  and Peng  Ning},
        title={A Flexible Approach to Intrusion Alert Anonymization and Correlation},
        proceedings={2nd International ICST Conference on Security and Privacy in Communication Networks},
        publisher={IEEE},
        proceedings_a={SECURECOMM},
        year={2007},
        month={5},
        keywords={},
        doi={10.1109/SECCOMW.2006.359544}
    }
    
  • Dingbang Xu
    Peng Ning
    Year: 2007
    A Flexible Approach to Intrusion Alert Anonymization and Correlation
    SECURECOMM
    IEEE
    DOI: 10.1109/SECCOMW.2006.359544
Dingbang Xu 1,*, Peng Ning 1,*
  • 1: Cyber Defense Laboratory, Department of Computer Science, North Carolina State University
*Contact email: dxu@ncsu.edu, pning@ncsu.edu

Abstract

Intrusion alert data sets are critical for security research such as alert correlation. However, privacy concerns about the data sets from different data owners may prevent data sharing and investigation. It is always desirable and sometimes mandatory to anonymize sensitive data in alert sets before they are shared and analyzed. To address privacy concerns, in this paper we propose three schemes to flexibly perform alert anonymization. These schemes are closely related but can also be applied independently. In Scheme I, we generate artificial alerts and mix them with original alerts to help hide original attribute values. In Scheme II, we further map sensitive attributes to random values based on concept hierarchies. In Scheme III, we propose to partition an alert set into multiple subsets and apply Scheme II in each subset independently. To evaluate privacy protection and guide alert anonymization, we define local privacy and global privacy, and use entropy to compute their values. Though we emphasize alert anonymization techniques in this paper, to examine the utility of data, we further perform correlation analysis for anonymized data sets. We focus on estimating similarity values between anonymized attributes and building attack scenarios from anonymized data sets. Our experimental results demonstrated the effectiveness of our techniques.
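As an added illustration (not code from the paper or its authors), the following Python sketch applies Scheme I and Scheme II to one sensitive attribute and measures the effect with an entropy-based privacy value. The alert set, the concept hierarchy (a host IP generalizes to its /24 subnet), and the use of plain Shannon entropy as the privacy measure are assumptions made for this example, not the paper's exact definitions of local and global privacy.

```python
import random
from collections import Counter
from math import log2

# Constructed sample alert set (not from the paper); dest_ip is the sensitive attribute.
ORIGINAL_ALERTS = [
    {"type": "SCAN", "dest_ip": "10.1.1.5"},
    {"type": "SCAN", "dest_ip": "10.1.1.5"},
    {"type": "SCAN", "dest_ip": "10.1.1.9"},
    {"type": "BUFFER_OVERFLOW", "dest_ip": "10.1.2.20"},
]

# Assumed concept hierarchy: a host IP generalizes to its /24 subnet, whose leaves are hosts .1-.254.
def subnet(ip):
    return ip.rsplit(".", 1)[0]

def hosts(sn):
    return [f"{sn}.{h}" for h in range(1, 255)]

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of one attribute. The paper's local
    and global privacy are entropy based; this plain form is an assumption for the example."""
    values = list(values)
    counts, n = Counter(values), len(values)
    return -sum(c / n * log2(c / n) for c in counts.values())

def scheme1_mix(alerts, ratio, seed):
    """Scheme I: create artificial alerts whose sensitive value is drawn uniformly from the
    hierarchy node (the /24) of a randomly chosen original alert, then shuffle them together."""
    rng, artificial = random.Random(seed), []
    for _ in range(int(ratio * len(alerts))):
        base = rng.choice(alerts)
        fake_ip = rng.choice(hosts(subnet(base["dest_ip"])))
        artificial.append({"type": base["type"], "dest_ip": fake_ip, "artificial": True})
    mixed = alerts + artificial
    rng.shuffle(mixed)
    return mixed

def scheme2_map(alerts, seed):
    """Scheme II: replace each sensitive value by a random leaf of the same hierarchy node, with
    one consistent mapping per original value so equality between alerts stays observable."""
    rng, mapping, out = random.Random(seed), {}, []
    for a in alerts:
        v = a["dest_ip"]
        if v not in mapping:
            mapping[v] = rng.choice(hosts(subnet(v)))
        out.append({**a, "dest_ip": mapping[v]})
    return out
```

Because Scheme II keeps every mapped value inside the original value's /24 node, subnet-level similarity between two anonymized alerts is still computable, which is the kind of utility the correlation analysis in the paper relies on.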