Seminar "Alert Correlation in Large Data Streams" – Prof. Maryam Amir Haeri

Seminar Announcement:

"Alert Correlation in Large Data Streams" – Prof. Maryam Amir Haeri

Thursday 17/03 at 12:00, in the seminar room of ICAR-CNR, new premises (Cubo 7-11C, former student secretariat, opposite the Aula Magna, 1st floor).

Abstract:
When large networks with many sensors are analyzed, an excessive number of alerts can be issued. Managing and analyzing this amount of information is a difficult task. There may be many redundant or false-positive alerts, which need to be discarded. Therefore, in order to extract useful information from these alerts, an alert correlation algorithm must be used, i.e., a process that produces a more abstract, high-level view of intrusion occurrences in the network starting from low-level IDS alerts. Alert correlation is also used to detect sophisticated multi-step attacks: taking advantage of alert correlation, it is possible to detect complex attack scenarios from alert sequences. In short, alert correlation can help the security administrator to reduce the number of alerts, to decrease the false-positive rate, to group alerts based on alert similarities, to extract attack strategies, and to predict the next step(s) of the attacks. Stream mining approaches and probabilistic graphical models are useful tools for alert correlation analysis. We propose an alert correlation system consisting of two major components. First, we introduce an Attack Scenario Extraction Algorithm (ASEA), which mines the stream of alerts for attack scenarios. The ASEA has relatively good performance, both in speed and in memory consumption, and combines prior knowledge with statistical relationships. Second, we propose a Hidden Markov Model (HMM)-based method for correlating intrusion alerts fired from different IDS sensors across an enterprise. Alert correlation can also be seen as a big data problem: alerts can arrive from different sources as a continuous stream, and it is important to handle these huge volumes of alerts in an online and fast manner. Thus, in this talk, we also discuss the big data aspects of alert correlation.
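As an added illustration of two of the correlation tasks the abstract names (grouping similar alerts to cut their number, and predicting the next attack step from alert sequences), the following Python sketch is not the speaker's ASEA or HMM code: it collapses redundant alerts that share source, destination and signature inside a time window, then learns first-order transition probabilities between signatures per source. The alert stream and signature names are constructed.

```python
"""Added illustration, not the seminar's ASEA/HMM implementation:
(1) windowed aggregation of redundant IDS alerts into hyper-alerts and
(2) a first-order transition model over signatures to predict the next step."""
from collections import Counter, defaultdict

# Constructed sample stream: (timestamp_seconds, src_ip, dst_ip, signature)
ALERTS = [
    (0, "10.0.0.5", "10.0.0.20", "PORT_SCAN"),
    (2, "10.0.0.5", "10.0.0.20", "PORT_SCAN"),
    (4, "10.0.0.5", "10.0.0.20", "PORT_SCAN"),
    (30, "10.0.0.5", "10.0.0.20", "BRUTE_FORCE_SSH"),
    (31, "10.0.0.5", "10.0.0.20", "BRUTE_FORCE_SSH"),
    (70, "10.0.0.5", "10.0.0.20", "NEW_ADMIN_USER"),
    (5, "10.0.0.9", "10.0.0.21", "PORT_SCAN"),
    (40, "10.0.0.9", "10.0.0.21", "BRUTE_FORCE_SSH"),
]

def aggregate(alerts, window=10):
    """Merge alerts with the same (src, dst, sig) that arrive within `window`
    seconds of the previous one into a single hyper-alert carrying a count.
    Returns hyper-alerts in first-seen order (the stream is processed by time)."""
    open_groups = {}   # (src, dst, sig) -> hyper-alert currently being filled
    out = []
    for ts, src, dst, sig in sorted(alerts):
        key = (src, dst, sig)
        g = open_groups.get(key)
        if g and ts - g["last"] <= window:
            g["count"] += 1
            g["last"] = ts
        else:
            g = {"first": ts, "last": ts, "src": src, "dst": dst, "sig": sig, "count": 1}
            open_groups[key] = g
            out.append(g)
    return out

def transition_model(hyper_alerts):
    """Build per-source signature sequences and estimate P(next | current)."""
    seqs = defaultdict(list)
    for h in sorted(hyper_alerts, key=lambda h: h["first"]):
        seqs[h["src"]].append(h["sig"])
    counts = defaultdict(Counter)
    for sigs in seqs.values():
        for a, b in zip(sigs, sigs[1:]):
            counts[a][b] += 1
    return {a: {b: n / sum(c.values()) for b, n in c.items()} for a, c in counts.items()}

def predict_next(model, current):
    """Most probable next signature, or None if `current` was never followed."""
    dist = model.get(current)
    return max(dist, key=dist.get) if dist else None
```

With the constructed stream, eight raw alerts collapse to five hyper-alerts, and the model predicts BRUTE_FORCE_SSH as the most likely step after PORT_SCAN.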

Short Bio:
Maryam AmirHaeri received her BSc and MSc degrees from Sharif University of Technology, Iran, in 2007 and 2009 respectively. She received her PhD degree from Amirkabir University of Technology (Tehran Polytechnic), Iran, in 2014. From September 2011 to March 2012 she was a visiting PhD student at ICAR-CNR. Since 2015 she has been an assistant professor at Amirkabir University of Technology. Her research focuses on data mining, big data analytics, machine learning and evolutionary computation.