Constructing Attack Scenario using Sequential Pattern Mining with Correlated Candidate Sequences *


The Research Bulletin of Jordan ACM, Volume II(III), Page 102

Fatmah A. Bahareth, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah, Saudi Arabia, fbahareth@kau.edu.sa
Omaima O. Bamasak, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah, Saudi Arabia, obamasek@kau.edu.sa

* Research supported by King Abdulaziz City for Science and Technology (KACST). Research No: T-t from Graduate Scholarship Program.

ABSTRACT

With the rise of cyber attacks, the amount of audited security data, such as the alerts produced by Intrusion Detection Systems (IDSs), has increased dramatically. The analysis and management of these massive amounts of alerts has become a critical and challenging issue. Alert correlation is a very useful approach to reduce the volume of alerts and discover multi-stage attack scenarios. In this paper we propose a framework to recognize multi-stage attack scenarios, with their associated severity level, in real time. A sequential mining algorithm is used to discover attack patterns and predict upcoming attacks. To improve the accuracy of the generated patterns, we incorporate candidate verification, which calculates alert correlativity while generating candidate attack sequences. Simultaneously, the framework identifies the severity rank of the discovered multi-stage attack scenarios.

Categories and Subject Descriptors
Security and privacy: Intrusion/anomaly detection and malware mitigation; Social and professional topics: Computer crime.

General Terms
Reliability, Security, Verification.

Keywords
Real time alert correlation; multi-stage attack pattern; candidate verification; sequential mining; attack scenario severity.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Copyright 2013 Jordan ACM ISWSA

1. INTRODUCTION

With the increasing reliance on technologies provided over open data networks in recent years, public and private organizations are facing a wide range of information threats. The threat of cyber attacks is particularly challenging due to the variety and constantly changing nature of hacker behavior, hacking methods and network vulnerabilities. Cyber defense is therefore necessary to ensure reliable and secure communication and transmission of information. Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) are the major technologies dominating the area of cyber defense. However, most IDSs perform poorly at detecting attacks that involve multiple steps. Alert correlation is a very useful mechanism to overcome this limitation and detect complex, coordinated attacks. Up to now, several alert correlation techniques have been proposed to build attack scenarios from security alerts [13, 4]. However, most of these approaches depend on complex correlation rule definitions and hard-coded domain knowledge, which make them difficult to implement and limit their ability to detect new attack strategies. Some of these works address real-time correlation of security alerts to overcome the limited accuracy of discovering intrusions offline, since the alert stream is dynamic, huge, infinite and rapidly changing [4, 5]. In this paper, a real-time framework is proposed to recognize multi-stage attack scenarios from the alerts generated by an IDS.

The framework consists of two main components: an online component and an offline component. Our approach aims to increase the efficiency of recognizing multistage attacks and predicting the next attack action by associating the recognition and prediction with the severity level of the attack scenario, which helps network administrators launch an appropriate response to stop attacks and prevent them from escalating. We use the sequential pattern mining technique with the GSP algorithm, as in the reviewed studies, since this process is done offline. Our approach differs from other works in how the candidate sequences that are input to the GSP algorithm are selected: we calculate the correlativity between the alerts in each candidate attack sequence to verify that all alerts belong to the same attack scenario [2].

The remainder of this paper is organized as follows. The next section discusses the related work. Section 3 presents the RMARS framework with its modules and algorithms. Section 4 describes the implementation environment and the experiment dataset. Finally, Section 5 summarizes the paper and suggests future work.

2. RELATED WORKS

2.1. Multistage Attack Plan Recognition

Research on alert correlation has been carried out for several years, and several techniques have been proposed to analyze attack scenarios from security alerts. Recently, most research has focused on performing alert correlation and building attack scenarios in real time, so that ongoing attacks are detected as soon as possible. In [1], a real-time multistage attack recognition system based on the prerequisite-consequence technique is proposed. Similarly, [14] uses an online prerequisite-consequence-based correlation method to analyze and discover the attack scenario behind alerts. Correlating alerts based on the prerequisites and consequences of attacks has great advantages in detecting complicated attack processes. However, it depends on complicated rules and a background knowledge base, and it has limits in discovering new attacks. Moreover, if the knowledge base is incomplete, or an attacker deliberately omits intermediate steps, the efficiency of correlation suffers and the resulting attack scenarios are incomplete.

Using sequential pattern mining to find attack activity patterns solves the problem of complex correlation rules. It is efficient at finding attack patterns and needs no prior knowledge to detect attack scenario patterns. Many studies use this method. In [4], the sequential pattern mining algorithm AprioriAll is applied in a real-time alert correlation system to find the frequency and sequence features of attack behaviors. The MASP (Mining Attack Sequential Pattern) algorithm proposed in [13] mines frequent attack sequential patterns from candidate attack sequences; it is a modified AprioriAll algorithm.
In [5], a real-time alert stream clustering algorithm and the sequential pattern mining algorithm GSP are used to generate attack sequential patterns, which are stored as rules for recognizing the attack plans of attackers. Along the same line, [11] proposed a multi-step attack correlation method with two components. The first component mines multi-step attack activity patterns from historical aggregated high-level alerts using an attack sequential pattern mining method. The second component matches events online to identify those that fit a certain attack sequential pattern, and correlates them using a quantitative method.

The reviewed works above that apply sequential pattern mining to multi-stage attacks choose candidate attack sequences using a time window with a randomly chosen start time over the global attack scenario. Each candidate sequence is obtained by shifting one alert forward from the previous one and taking the alerts within this time window. This method increases the number of candidate sequences and introduces redundancy; moreover, there is no guarantee that the alerts within a candidate attack sequence belong to the same attack scenario, which decreases the accuracy of the patterns mined by the sequential pattern algorithm.

2.2. Severity of Attack Scenario

The alert correlation process includes a phase that ranks and prioritizes the alerts triggered by the IDS, to improve the quality of the alerts and eliminate false positives. In [3], Jinqiao Yu et al. evaluate alerts based on a vulnerability knowledge base and the applicability of the attack against the protected network. Similarly, Qin and Lee [7] compute an alert priority score based on the severity of the corresponding attack and the relevance of the alert to the protected networks and hosts. In [6], Porras et al. proposed a mission-impact-based approach to analyzing the security alerts produced by heterogeneous security devices, called the M-Correlator. It is used to generate a topology map of the protected network. M-Correlator then develops a relevance score that assesses, per alert, the likelihood of a successful intrusion. All these works focus on ranking and prioritizing alerts that are considered as a single stage of an attack scenario.

Recently, some studies have addressed multistage attack scenario detection, the calculation of scenario severity and how harmful an attack scenario may be to the protected network. In [8], Jin Shi, Guangwei Hu, Mingxin Lu and Li Xie presented a network security quantitative analysis method called ACRL (Assessment of Credibility, Risk and the Loss of system), which assesses attack sequences from three aspects: credibility, risk and the loss of the system. These metrics are evaluated from factors such as alert credibility, the self risk level of the alert, node values and service values. ACRL can effectively help security managers adjust the appropriate security mechanisms and choose the best response to security incidents. Another approach, proposed in [9], extracts critical single-step or multi-step attacks based on expert knowledge represented as a Decision Tree. The Decision Tree is constructed around the critical servers and services in the network. Source and destination IP addresses, attack type, destination port number, attack priority and the sequence of alerts are considered when deciding the criticality of an attack.

3. RMARS FRAMEWORK

The RMARS (Real Time Multistage Attack Recognition System) framework proposed in this paper is similar to the frameworks proposed in [5] and [1]. Our enhancement lies in the implementation of the attack sequential pattern analysis and multi-stage attack recognition modules. The RMARS framework, shown in Figure 1, consists of two main components: an online component and an offline component. The online component receives the alerts generated by IDS sensors and recognizes multi-stage attacks in real time.
Three modules are involved in accomplishing this task: the Alert Aggregation Module, which receives raw alerts from IDS sensors and generates hyper alerts; the Alert Verification Module, which ranks hyper alerts to identify whether the attack behind a hyper alert succeeded or not; and the Multistage Attack Recognition Module, which matches the real-time hyper alert pattern produced by the aggregation and verification modules against the attack patterns in the attack strategy model database. The attack strategy model is built by the offline component, which consists of the alert correlation module and two databases. The Alert Correlation Module mines attack sequence patterns that may occur within a specified time window and builds an Attack Scenario Tree (AST) from the generated frequent sequence patterns. The two databases are the Hyper Alert Database, which saves a copy of the hyper alerts generated by the online component, and the Attack Strategy Model Database, which stores the attack scenarios generated by the alert correlation module; these are used as rules to recognize the attack plans of the attacker, or even to predict the next step the attacker will take [2].

Figure 1. Proposed Solution Framework

The following subsections give a brief explanation of the proposed framework modules.

3.1. Alert Aggregation

The purpose of this step is to reduce the number of alerts produced by IDS sensors. Alerts that fall in the same time window can be merged into hyper alerts according to the similarity of some of their attribute features. The event time window defines the time interval within which all the alerts raised by the same security event are spread. So, when aggregating alerts, those that fall into the same event time window are considered for aggregation into a hyper alert. Alerts that have the same attack type and occur within a certain time interval are combined into three types of hyper alerts according to the similarity of their IP address attributes [5, 11]. We use the same algorithm proposed in [5]. A hyper alert is defined as follows [2]:

Definition 1. A hyper-alert HA, generated by merging, is a set of lower-level alert objects A = {a1, a2, ..., an}, where each lower-level alert object ai is either a new elementary alert from the stream or an old hyper-alert that already exists in the memory queue as the result of earlier clustering. HA is a 10-tuple (HID, HSrcIP, HDstIP, HSrcPort, HDstPort, HSigID, Type, N, Ts, Tn), where HID is a unique number assigned whenever the hyper-alert is created; HSrcIP, HDstIP, HSrcPort and HDstPort are the source and destination IP address sets and the source and destination port sets, respectively; HSigID is the attack signature inherited from the lower-level alert objects; N is the number of lower-level alert objects maintained by the hyper-alert; Ts is the timestamp of the earliest alert in the hyper alert and Tn is the timestamp of the latest one. A newly created hyper-alert is labeled with the Type feature, which is defined as follows [5, 2]:

Definition 2. A hyper-alert for a set of lower-level alert objects A = {a1, a2, ..., an} is identified by one of the following three types:

Type-I:   ∀i,j (i ≠ j, 0 < i,j < n)  ai.srcip = aj.srcip && ai.dstip = aj.dstip && ai.sigid = aj.sigid
Type-II:  ∀i,j (i ≠ j, 0 < i,j < n)  ai.srcip = aj.srcip && ai.dstip ≠ aj.dstip && ai.sigid = aj.sigid
Type-III: ∀i,j (i ≠ j, 0 < i,j < n)  ai.srcip ≠ aj.srcip && ai.dstip = aj.dstip && ai.sigid = aj.sigid

3.2. Alert Verification

Alert verification is the process of verifying the success of attacks. It prioritizes each hyper alert based on its relevance to the mission goals. The goal of alert verification is to rank hyper alerts by computing their threat value and then filtering out alerts with a low degree of threat. The hyper alert rank is calculated with respect to three factors: reliability, importance of the victim and attack severity.

Reliability is computed by matching the alert target's topology, usually the target's OS, with the known vulnerability requirements of the attack.

Importance of Victim specifies the weight of the attack's target host based on its criticality. It is defined by the network administrator based on criteria such as the services offered by the target host, the host location and the host type. A host gets a high weight if it runs critical services such as a web server or a database, and a lower weight if it only runs FTP/TFTP services. Based on host location, the weight increases if the host is close to the backbone network or to critical servers, decreases with distance, and is lowest in the DMZ. For host type, a high weight is given, for example, to a firewall, IDS/IPS or server, and a lower weight to an office PC or printer.

Attack Severity represents the amount of damage an attack can cause. In our work we take this value from the priority field of the alert generated by the IDS engine.

The threat value of a hyper alert is computed by combining the three factors with different weights, according to the situation of the protected network, as in the following equation:

Here Rw, Iw and Sw are the weights of the reliability, importance of victim and attack severity factors, respectively. For hyper alerts of Type II and Type III, the final threat value is that of the highest-ranked alert among the merged alerts. A hyper alert with a low threat value indicates an unsuccessful and non-dangerous attack. Therefore, hyper alerts with a threat value below a certain threshold are removed, because they may sometimes lead to incorrect correlation [4].

3.3. Alert Correlation and Mining Attack Pattern

The alert correlation module mines attack activity patterns from historical hyper alerts to discover multistage attack behavior patterns, using the GSP sequential pattern mining algorithm. GSP was originally used for mining frequent sequential patterns in transaction databases to discover customer purchase patterns. In our database, the hyper alerts form a single, long global alert sequence. Candidate sequences must be prepared as input to the GSP algorithm [2]. All the reviewed papers prepare candidate sequences by dividing the global attack sequence into separate candidate hyper alert sequences according to a time window Tw, as shown in Figure 2.

Figure 2. Generating Candidate Attack Sequences

The candidate sequence preparation process with Tw only considers the SigID and timestamp attributes of the hyper alerts. Integers are used instead of hyper alerts to represent the candidate attack sequences, so that the GSP algorithm runs quickly; each integer corresponds to a certain SigID [2, 4]. We enhance the selection of candidate sequences by calculating the correlativity between the hyper alerts in each sequence, to verify the generated candidate hyper alert sequences and ensure that all alerts belong to the same attack scenario. Then we apply the sequential mining method GSP proposed in [10] to find attack sequential patterns from the candidate hyper alert sequences stored in the database. The results of the GSP algorithm are transformed into rules automatically by constructing an Attack Scenario Tree (AST).

Enhanced Candidate Sequences

The selection of candidate sequences is enhanced using a candidate verification method, to increase the accuracy of the frequent sequences generated by the GSP algorithm. This assumption will be tested in the experiments. In the candidate verification method, the hyper alerts in each candidate sequence are correlated by calculating the alert correlativity between them. The alert correlativity score represents the correlation and logical association between a pair of hyper alerts: the larger the correlativity of two alerts, the higher the possibility that they belong to the same attack scenario. The correlativity between hyper alerts h1 and h2 is defined as Cor(h1, h2). Alerts h1 and h2 are described by p attributes, x1, x2, x3, ..., xp and y1, y2, ..., yp respectively.
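The aggregation of Section 3.1 in working form, as an added example rather than the paper's code: raw alerts are merged into the 10-tuple hyper alerts of Definition 1, labelled Type-I/II/III per Definition 2, and driven by the AgTw window that Step 1 of the online algorithm in Section 3.5 describes. The alert fields, window length and sample alerts are constructed assumptions.

```python
"""Alert aggregation into hyper alerts (Definitions 1 and 2) inside the AgTw
window of the online algorithm (Step 1).  Added example, not the paper's code:
alert fields, window length and sample alerts are constructed for illustration."""
from collections import namedtuple
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Set, Tuple

# one raw IDS alert: src/dst IP, ports, signature id and timestamp (seconds)
Alert = namedtuple("Alert", "src dst sport dport sigid ts")

@dataclass
class HyperAlert:            # the 10-tuple of Definition 1
    hid: int
    src: Set[str]            # HSrcIP
    dst: Set[str]            # HDstIP
    sport: Set[int]          # HSrcPort
    dport: Set[int]          # HDstPort
    sigid: int               # HSigID
    type: str                # "I", "II" or "III"
    n: int                   # N: lower-level alerts merged
    ts: float                # Ts: earliest timestamp
    tn: float                # Tn: latest timestamp

_HID = count(1)

def type1_merge(window: List[HyperAlert], a: Alert) -> None:
    """Type-I: same src, same dst, same sigid -> merge into an existing hyper alert."""
    for h in window:
        if h.sigid == a.sigid and h.src == {a.src} and h.dst == {a.dst}:
            h.sport.add(a.sport)
            h.dport.add(a.dport)
            h.n += 1
            h.tn = max(h.tn, a.ts)
            return
    window.append(HyperAlert(next(_HID), {a.src}, {a.dst}, {a.sport}, {a.dport},
                             a.sigid, "I", 1, a.ts, a.ts))

def _merge(group: List[HyperAlert], htype: str) -> HyperAlert:
    head = group[0]                      # keep the earliest HID, union the rest
    for h in group[1:]:
        head.src |= h.src
        head.dst |= h.dst
        head.sport |= h.sport
        head.dport |= h.dport
        head.n += h.n
        head.ts = min(head.ts, h.ts)
        head.tn = max(head.tn, h.tn)
    head.type = htype
    return head

def close_window(window: List[HyperAlert]) -> List[HyperAlert]:
    """Type-II (same src, different dsts) then Type-III (different srcs, same dst).
    After Type-I merging every hyper alert has one src and one dst, so a group
    keyed on (sigid, src) with more than one member already has distinct dsts."""
    done: List[HyperAlert] = []
    remaining = list(window)
    for attr, htype in (("src", "II"), ("dst", "III")):
        groups: Dict[Tuple[int, str], List[HyperAlert]] = {}
        for h in remaining:
            groups.setdefault((h.sigid, next(iter(getattr(h, attr)))), []).append(h)
        remaining = []
        for g in groups.values():
            if len(g) > 1:
                done.append(_merge(g, htype))
            else:
                remaining.extend(g)
    return done + remaining

def aggregate_stream(alerts: List[Alert], agtw: float) -> List[HyperAlert]:
    """Online Step 1: Type-I merging while A_k.at - A_c.at <= AgTw; once the
    window is exceeded, apply Type-II/III to it and open a new window at A_k."""
    out: List[HyperAlert] = []
    window: List[HyperAlert] = []
    wstart: Optional[float] = None              # A_c.at of the current window
    for a in sorted(alerts, key=lambda x: x.ts):
        if wstart is not None and a.ts - wstart > agtw:
            out.extend(close_window(window))
            window, wstart = [], None
        if wstart is None:
            wstart = a.ts
        type1_merge(window, a)
    if window:
        out.extend(close_window(window))
    return out

# Constructed sample: a sweep from one source, a two-source flood, a repeated
# exploit attempt, then one alert arriving after the window has expired.
SAMPLE = [
    Alert("10.0.0.5", "10.0.0.1", 40001, 22, 100, 0.0),
    Alert("10.0.0.5", "10.0.0.2", 40002, 22, 100, 0.5),
    Alert("10.0.0.5", "10.0.0.3", 40003, 22, 100, 1.0),    # -> Type-II
    Alert("10.0.0.11", "10.0.0.9", 51000, 80, 200, 2.0),
    Alert("10.0.0.12", "10.0.0.9", 51001, 80, 200, 2.1),   # -> Type-III
    Alert("10.0.0.7", "10.0.0.8", 33000, 445, 300, 3.0),
    Alert("10.0.0.7", "10.0.0.8", 33001, 445, 300, 4.0),   # -> Type-I, N = 2
    Alert("10.0.0.7", "10.0.0.8", 33002, 445, 300, 20.0),  # new AgTw window
]

def summarize(agtw: float = 10.0) -> List[Tuple[str, int, int]]:
    """(Type, HSigID, N) of each hyper alert produced from SAMPLE."""
    return [(h.type, h.sigid, h.n) for h in aggregate_stream(SAMPLE, agtw)]
```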
The correlativity between h1 and h2 is described as a weighted sum of their attributes [6, 14]:

Candidate Verification Algorithm
Input: long sequence database sorted by timestamp
Output: candidate sequences (input to the GSP algorithm)
Parameters: corr-thrsh (alert correlation threshold), Tw (sequence time window)

Step 1: Take the first candidate sequence seq1 from hyper alert h1 to hyper alert hk such that T(hk) <= T(h1) + Tw. Do the following steps while seqi is nonempty:

Step 2: If this is not the first sequence (seq1) and the first hyper alert in seqi equals the second alert in the previous correlated sequence corr-seq(i-1), then:
- Remove the first hyper alert from corr-seq(i-1).
- Apply Seq-Corr to the subsequence from the last hyper alert in corr-seq(i-1) to the end of seqi, giving sub_corr and sub_uncorr.
- The correlated and uncorrelated sequences are then:
  corr-seqi = corr-seq(i-1) + sub_corr
  uncorr-seqi = uncorr-seq(i-1) + sub_uncorr

Step 3: If the Step 2 condition does not hold, apply the Seq-Corr method to generate the correlated candidate sequence (corr-seqi) from the current sequence. The remaining hyper alerts form another sequence (uncorr-seqi).

Step 4: Take the next candidate sequence (seq(i+1)) as a normal candidate by shifting one alert from the head alert of the current sequence seqi. Then go to Step 2.

End of algorithm

Seq-Corr Method: It is based on the correlativity calculation between two hyper alerts. As shown in Figure 3, at each step we correlate the current hyper alert with its successor alerts until an alert with high correlativity is found; this alert then becomes the current hyper alert, which is in turn correlated with its successors, and so on. This process makes sure that all hyper alerts in a candidate sequence are correlated, which, as we suggest, leads to more reliable results from the GSP algorithm.

Figure 3. Alert Correlation in Candidate Sequence

Seq-Corr Method:
Input: sequence of hyper alerts seqi = {h1, h2, ..., hi, h(i+1), ..., hk}
Output: correlated candidate sequence corr-seq and uncorrelated candidate sequence uncorr-seq.
Note: the function Cor(hi, hj) calculates the correlation between two hyper alerts.

Current-h = h1
While (not end of seqi)
    hi = successor hyper alert of Current-h
    While (Cor(Current-h, hi) < corr-thrsh)
        hi = h(i+1)    // go to the next hyper alert
    End while
    Add Current-h to corr-seqi and remove it from seqi
    Current-h = hi
End while
uncorr-seqi = remaining hyper alerts in seqi

3.4. Attack Scenario Tree Construction

To represent the frequent attack class sequences mined by GSP, an AST (Attack Scenario Tree) is used. An attack behavior pattern describes a sequence of attack classes corresponding to a series of alerts that frequently appear in time order. Each single attack class is represented as a node of the AST. The nodes are connected by directed edges. A path from the root node to a leaf node represents a complete attack scenario sequence of attack classes, as in Figure 4. The goal of constructing the AST is to save time when matching attack strategies during real-time recognition and to make the matching more effective [2].

Figure 4. Attack Scenario Tree (AST)

Construct AST Algorithm:
Input: attack sequence patterns
Output: Attack Scenario Trees (ASTs)
Steps: The ASTs are constructed as follows.
1. Scan the attack sequence pattern database once to retrieve all sequence patterns of length 1, and arrange them in the Tree Roots array TR.
2. For each item i in array TR:
- Create a tree node with the value of TRi and set it as the current tree root.
- Retrieve all sequences that start with the current root.
- Scan the retrieved sequences one by one to build ASTi.

3.5. Multi-stage Attack Recognition

This module is the core of the online recognition of multi-stage attacks.
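The candidate verification algorithm and the Seq-Corr method above, implemented end to end as an added example (not the paper's code). Cor() is assumed here to be a weighted attribute-match score with constructed weights, since the paper's exact weighted sum is not reproduced; the minimal hyper alert fields and the sample database are likewise constructed.

```python
"""Candidate verification (Steps 1-4) with the Seq-Corr method.  Added example,
not the paper's code: the hyper alert fields, the attribute-match form of Cor(),
its weights and the sample alerts are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class H:                     # minimal hyper alert: just what Cor() and Tw need
    hid: int
    sigid: int
    src: str
    dst: str
    dport: int
    ts: float

WEIGHTS = {"src": 0.4, "dst": 0.4, "port": 0.2}   # assumed attribute weights

def cor(h1: H, h2: H) -> float:
    """Assumed weighted attribute-match correlativity in [0, 1]; it stands in
    for the paper's weighted sum over the p attributes, which is not reproduced."""
    score = 0.0
    if h1.src == h2.src or h1.dst == h2.src:   # same attacker, or a pivot from the victim
        score += WEIGHTS["src"]
    if h1.dst == h2.dst:
        score += WEIGHTS["dst"]
    if h1.dport == h2.dport:
        score += WEIGHTS["port"]
    return score

def seq_corr(seq: List[H], cor_fn: Callable[[H, H], float],
             thresh: float) -> Tuple[List[H], List[H]]:
    """Seq-Corr: from Current-h, skip successors with Cor < corr-thrsh; the first
    correlated successor becomes Current-h.  Skipped alerts form uncorr-seq."""
    corr: List[H] = []
    uncorr: List[H] = []
    if not seq:
        return corr, uncorr
    cur = 0
    while True:
        j = cur + 1
        while j < len(seq) and cor_fn(seq[cur], seq[j]) < thresh:
            uncorr.append(seq[j])
            j += 1
        corr.append(seq[cur])
        if j >= len(seq):                       # end of seq_i reached
            break
        cur = j
    return corr, uncorr

def candidate_verification(db: List[H], cor_fn: Callable[[H, H], float],
                           thresh: float, tw: float) -> List[Tuple[List[H], List[H]]]:
    """Steps 1-4: slide a Tw window one alert at a time over the timestamp-sorted
    database and return (corr-seq_i, uncorr-seq_i) for every candidate."""
    results: List[Tuple[List[H], List[H]]] = []
    prev_corr: List[H] = []
    for start in range(len(db)):                        # Step 4: shift head by one
        end = start
        while end < len(db) and db[end].ts <= db[start].ts + tw:
            end += 1
        seq = db[start:end]                             # Step 1: alerts within Tw
        if results and len(prev_corr) > 1 and seq[0] == prev_corr[1]:
            # Step 2: drop the head of corr-seq_{i-1}, re-correlate from its tail
            prev_corr = prev_corr[1:]
            tail = seq.index(prev_corr[-1])
            sub_corr, _ = seq_corr(seq[tail:], cor_fn, thresh)
            corr = prev_corr + sub_corr[1:]             # sub_corr[0] is that tail
        else:
            corr, _ = seq_corr(seq, cor_fn, thresh)     # Step 3
        corr_ids = {h.hid for h in corr}
        # same partition as uncorr-seq_{i-1} + sub_uncorr, without re-listing the
        # alerts that the tail re-scan visits a second time
        uncorr = [h for h in seq if h.hid not in corr_ids]
        results.append((corr, uncorr))
        prev_corr = corr
    return results

# Constructed hyper alerts (not DARPA data): attacker A probes V, escalates, then
# pivots from V to W; the X and Z alerts are unrelated noise.
SAMPLE_DB = [
    H(1, 100, "A", "V", 22, 0.0),
    H(2, 500, "X", "Y", 80, 1.0),
    H(3, 101, "A", "V", 22, 2.0),
    H(4, 102, "A", "V", 445, 3.0),
    H(5, 103, "V", "W", 445, 4.0),
    H(6, 500, "Z", "Q", 80, 12.0),
]

def verified_candidates(thresh: float = 0.5, tw: float = 10.0):
    """Each candidate as (corr-seq hids, uncorr-seq hids)."""
    return [([h.hid for h in c], [h.hid for h in u])
            for c, u in candidate_verification(SAMPLE_DB, cor, thresh, tw)]

def gsp_input(thresh: float = 0.5, tw: float = 10.0) -> List[List[int]]:
    """Correlated candidates as SigID integer sequences, the form GSP consumes."""
    return [[h.sigid for h in c]
            for c, _ in candidate_verification(SAMPLE_DB, cor, thresh, tw)]
```

With corr-thrsh = 0.5 the noise alert h2 is excluded from the first candidate and the pivot h4 -> h5 is kept; raising the threshold to 0.7 drops the pivot as well, which is the trade-off the threshold parameter controls.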
It performs matching and then determines whether the multi-stage attack is critical or not. It consists of two submodules: the attack activity recognition and prediction module, and the severity of attack scenario module. The analysis of attack sequential patterns is followed by building Attack Scenario Trees (ASTs) in the offline component. These ASTs are used to recognize multi-stage attacks in real time. In real time, the received alerts are processed as in the following algorithm to recognize the attack scenario and predict the next step of the attack, together with the severity rank of the attack scenario.

Figure 5. Flowchart of online hyper alert matching processing

Online Alerts Processing Algorithm:
Our method uses the alert aggregation time window AgTw to collect and aggregate alerts, then verifies them before matching them against the already built ASTs.

Step 1: Whenever a new alert Ak is received, compare its timestamp with the timestamp of the first alert Ac in the current time window. There are two cases:
- If Ak.at - Ac.at > AgTw, then apply Type II and Type III aggregation in the current AgTw, and start a new AgTw with Ac = Ak.
- If Ak.at - Ac.at <= AgTw, then continue applying Type I aggregation in the current AgTw.

Step 2: Calculate the hyper alert ranking to verify each hyper alert in the current AgTw after applying Type II and Type III aggregation.

Step 3: Apply pattern matching and calculate the severity of the resulting pattern, as explained in the following subsections.

Step 4: Each time, check whether the severity of the resulting pattern is greater than the severity threshold; if so, display the pattern with its prediction and severity.

Step 5: If the pattern completes its time window, the detected multistage attack scenario is stored in the database and then displayed to the network administrator with its severity. Storing all detected patterns in the database table "Pattern History" helps the network administrator analyze the frequently detected patterns and add new scenarios to the AST.
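The Construct AST algorithm of Section 3.4 together with the online matching step (Step 3 above), as an added example that is not the paper's code. It also implements the severity-rank reinforcement described in the next subsection, where each matched path's rank grows with the incoming scenario's severity and the next step is predicted along the most severe continuation; the per-node rank field, the additive update and the sample patterns are assumptions.

```python
"""Attack Scenario Tree (AST) construction (3.4) and online path matching with
severity-rank reinforcement (3.5).  Added example, not the paper's code: the
node rank field, the additive severity update and the sample patterns are
assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class ASTNode:
    attack_class: int                                    # one SigID-derived class
    children: Dict[int, "ASTNode"] = field(default_factory=dict)
    rank: float = 0.0        # assumed: accumulated severity of scenarios matched here

def build_asts(patterns: List[List[int]]) -> Dict[int, ASTNode]:
    """Construct AST algorithm: length-1 patterns form the root array TR (Step 1),
    then every pattern starting with a root is inserted as a path under that
    root (Step 2).  Patterns whose head is not a root are ignored; GSP's
    apriori property means every frequent sequence's head is itself frequent."""
    roots: Dict[int, ASTNode] = {}
    for p in patterns:
        if len(p) == 1:
            roots.setdefault(p[0], ASTNode(p[0]))
    for root_class, root in roots.items():
        for p in patterns:
            if p and p[0] == root_class:
                node = root
                for c in p[1:]:
                    node = node.children.setdefault(c, ASTNode(c))
    return roots

def match_path(roots: Dict[int, ASTNode],
               observed: List[int]) -> Optional[List[ASTNode]]:
    """Walk the observed attack-class sequence down its AST and return the nodes
    on the matched path, or None when the sequence is not a known prefix."""
    if not observed or observed[0] not in roots:
        return None
    path = [roots[observed[0]]]
    for c in observed[1:]:
        nxt = path[-1].children.get(c)
        if nxt is None:
            return None
        path.append(nxt)
    return path

def recognize(roots: Dict[int, ASTNode], observed: List[int], severity: float):
    """Match the observed sequence, reinforce the matched path with the incoming
    scenario's severity, then predict the next step along the most severe
    continuation (or report the scenario as complete at a leaf)."""
    path = match_path(roots, observed)
    if path is None:
        return None
    for node in path:                     # learning step: rank += severity
        node.rank += severity
    last = path[-1]
    if not last.children:
        return {"complete": True, "next": None}
    best = max(last.children.values(), key=lambda n: n.rank)
    return {"complete": False, "next": best.attack_class}

# Constructed frequent sequence patterns (integers stand for attack classes);
# in RMARS these come from GSP over the verified candidate sequences.
PATTERNS = [[1], [2], [1, 2], [1, 2, 3], [1, 2, 4], [2, 4]]

def demo():
    roots = build_asts(PATTERNS)
    first = recognize(roots, [1, 2, 4], severity=5.0)    # full scenario observed
    second = recognize(roots, [1, 2], severity=2.0)      # prefix: predict next step
    unknown = recognize(roots, [1, 3], severity=1.0)     # no AST path matches
    return roots, first, second, unknown
```

After the severe scenario 1 -> 2 -> 4 has been seen once, the prefix 1 -> 2 is predicted to continue with 4 rather than 3, which is the learning behaviour the text describes.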

In the process of matching an incoming attack scenario with a specific path in the AST, we incorporate the severity rank of the matched AST paths into our prediction. Each time we match an incoming attack scenario with the mined scenarios, the rank of the matched scenario is increased based on the severity level of the incoming attack scenario sequence. This makes the system intelligent in the sense that it learns from previous attacks and predicts the next step of any incoming attack according to the most severe path in the AST.

Attack Activity Recognition and Prediction

The recognition of an attack scenario is done by calculating the correlativity between the real-time hyper alerts produced by the verification module, then matching the resulting pattern with a certain path in the constructed AST, to recognize the attack plans of the attacker or even predict the next step the attacker will take. Figure 5 shows the flowchart of the online hyper alert matching process for attack activity recognition.

Severity of Attack Scenario

While correlating hyper alerts in the online multi-stage attack recognition module, we determine the severity level of the recognized attack scenario sequence by finding the rank of each step in this sequence. In the alert verification module, we calculate the rank of each hyper alert in the attack sequence. Suppose that an attack sequence S = {a1, a2, ..., an} consists of n hyper alerts a1, a2, ..., an, and that the severity rank of ai is ri, i = 1, 2, ..., n. The severity rank of the attack scenario sequence S is then calculated as in the following formula [8]:

4. IMPLEMENTATION AND EXPERIMENTS

The proposed Real Time Multistage Attack Recognition System (RMARS) is currently being implemented using Visual Studio .NET 2010 and a SQL Server database. The DARPA 2000 benchmark repository, scenario-specific dataset [15], is used in our experiments. DARPA 2000 was chosen because it is a well-known IDS evaluation dataset created by the MIT Lincoln Laboratory.
It consists of two multistage attack scenarios, LLDOS 1.0 and LLDOS 2.0.2. We use Snort v2.9.3 [16] and a playback technique (the open source tool Tcpreplay32 [17]) to replay each of the LLDOS 1.0 and LLDOS 2.0.2 datasets separately. We have devised an experiment plan based on a comparative methodology to assess the effectiveness of our contributions and evaluate the ability of RMARS to detect multi-stage attack scenarios and their severity.

5. CONCLUSION

In this paper, we proposed a framework that discovers the severity level of multi-stage attack patterns and predicts the upcoming attack step in real time. We use attack sequential pattern mining to solve the problems of complex correlation rule definition and unknown attack scenario recognition. Our contribution focuses on verified candidate sequences: by calculating the correlativity between each pair of hyper alerts in a candidate sequence before running the GSP algorithm, more accurate sequences are generated. In addition, we assist the recognition and prediction of multistage attacks by determining the severity rank of the detected pattern. As future work, we will conduct our planned experiments to test and evaluate the effectiveness of the proposed framework.

6. REFERENCES

[1] Alserhani, F., Akhlaq, M., Awan, I.U., Cullen, A.J., Mirchandani, P., "MARS: Multi-stage Attack Recognition System", 24th IEEE International Conference on Advanced Information Networking and Applications (AINA), 2010.
[2] Bahareth, F., Bamasak, O., "Improving Real Time Multi-stage Attack Recognition Using Sequential Mining Technique", International Conference on Telecommunication Systems, Modeling and Analysis (ICTSM 2012), Prague, Czech Republic, May 2012.
[3] Yu, J., Reddy, Y.V.R., Selliah, S., Kankanahalli, S., Reddy, S., Bharadwaj, V., "TRINETR: An Intrusion Detection Alert Management System", IEEE Computer Society, Washington, DC, USA, 2004.
[4] Li, Z., Zhang, A., Lei, J., Wang, L., "Real-Time Correlation of Network Security Alerts", ICEBE '07: Proceedings of the IEEE International Conference on e-Business Engineering, 2007.
[5] Ma, J., Li, Z., Li, W., "Real-Time Alert Stream Clustering and Correlation for Discovering Attack Strategies", Fifth International Conference on Fuzzy Systems and Knowledge Discovery (FSKD '08), vol. 4, 2008.
[6] Porras, P.A., Fong, M.W., Valdes, A., "A mission-impact-based approach to INFOSEC alarm correlation", Recent Advances in Intrusion Detection: 5th International Symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002: Proceedings, 2002.
[7] Qin, X., Lee, W., "Statistical Causality Analysis of INFOSEC Alert Data", Springer, 2003.
[8] Shi, J., Hu, G., Lu, M., Xie, L., "Intrusion Alerts Correlation Based Assessment of Network Security", International Conference on Information Science and Management Engineering (ISME), vol. 2, 3-6, 2010.
[9] Porras, P.A., Fong, M.W., Valdes, A., "A mission-impact-based approach to INFOSEC alarm correlation", Recent Advances in Intrusion Detection: 5th International Symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002: Proceedings, 2002.
[10] Srikant, R., Agrawal, R., "Mining sequential patterns: Generalizations and performance improvements", International Conference on Extending Database Technology (EDBT '96), Avignon, France, 3-17, 1996.
[11] Wang, L., Ghorbani, A.A., Li, Y., "Automatic Multi-step Attack Pattern Discovering", International Journal of Network Security, vol. 10, no. 2, 2010.
[12] Wang, L., Li, Y., Li, Z., "A novel technique of recognizing multi-stage attack behaviour", Int. J. High Performance Computing and Networking, vol. 6, nos. 3/4, 2010.
[13] Wang, L., Li, Z., Li, D., Lei, J., "Attack scenario construction with a new sequential mining technique", Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD '07), vol. 1, 2007.
[14] Lin, Z., Li, S., Ma, Y., "Real-Time Intrusion Alert Correlation System Based on Prerequisites and Consequence", 6th International Conference on Wireless Communications Networking and Mobile Computing (WiCOM), 1-5, 2010.
[15] MIT Lincoln Lab 2000 DARPA Intrusion Detection Scenario Specific Data Sets. Retrieved Feb 15, 2013, ora/ideval/data
[16] Snort Intrusion Detection and Prevention System. Retrieved Feb 15.
[17] Aaron Turner, Tcpreplay32 tools. Retrieved Feb 15.


More information

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks 2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh

More information

Alert Prioritization in Intrusion Detection Systems

Alert Prioritization in Intrusion Detection Systems Alert Prioritization in Intrusion Detection Systems Khalid Alsubhi, Ehab Al-Shaer, and Raouf Boutaba ( )Davird R. Cheriton School of Computer Science, University of Waterloo, Canada ( )School of Computer

More information

Web Forensic Evidence of SQL Injection Analysis

Web Forensic Evidence of SQL Injection Analysis International Journal of Science and Engineering Vol.5 No.1(2015):157-162 157 Web Forensic Evidence of SQL Injection Analysis 針 對 SQL Injection 攻 擊 鑑 識 之 分 析 Chinyang Henry Tseng 1 National Taipei University

More information

Implementation of Botcatch for Identifying Bot Infected Hosts

Implementation of Botcatch for Identifying Bot Infected Hosts Implementation of Botcatch for Identifying Bot Infected Hosts GRADUATE PROJECT REPORT Submitted to the Faculty of The School of Engineering & Computing Sciences Texas A&M University-Corpus Christi Corpus

More information

Host-Based Intrusion Detection Using User Signatures

Host-Based Intrusion Detection Using User Signatures Host-Based Intrusion Detection Using User Signatures Seth Freeman Rensselaer olytechnic Institute 110 8th Street freems@cs.rpi.edu Alan Bivens Rensselaer olytechnic Institute 110 8 th street bivenj@cs.rpi.edu

More information

Virtual Terrain: A Security-Based Representation of a Computer Network

Virtual Terrain: A Security-Based Representation of a Computer Network Virtual Terrain: A Security-Based Representation of a Computer Network Jared Holsopple* a, Shanchieh Yang b, Brian Argauer b a CUBRC, 4455 Genesee St, Buffalo, NY, USA 14225; b Dept. of Computer Engineering,

More information

Analysing Various Alerts & Evaluating Threat Techniques In NSA

Analysing Various Alerts & Evaluating Threat Techniques In NSA International Journal of Scientific & Engineering Research Volume 4, Issue 2, February-2013 1 Analysing Various Alerts & Evaluating Threat Techniques In NSA Prof.TambeShital B.,Prof. Sonkar S.K.. Abstract-A

More information

Binary Coded Web Access Pattern Tree in Education Domain

Binary Coded Web Access Pattern Tree in Education Domain Binary Coded Web Access Pattern Tree in Education Domain C. Gomathi P.G. Department of Computer Science Kongu Arts and Science College Erode-638-107, Tamil Nadu, India E-mail: kc.gomathi@gmail.com M. Moorthi

More information

Efficient Security Alert Management System

Efficient Security Alert Management System Efficient Security Alert Management System Minoo Deljavan Anvary IT Department School of e-learning Shiraz University Shiraz, Fars, Iran Majid Ghonji Feshki Department of Computer Science Qzvin Branch,

More information

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise

More information

Understanding Web personalization with Web Usage Mining and its Application: Recommender System

Understanding Web personalization with Web Usage Mining and its Application: Recommender System Understanding Web personalization with Web Usage Mining and its Application: Recommender System Manoj Swami 1, Prof. Manasi Kulkarni 2 1 M.Tech (Computer-NIMS), VJTI, Mumbai. 2 Department of Computer Technology,

More information

Preprocessing Web Logs for Web Intrusion Detection

Preprocessing Web Logs for Web Intrusion Detection Preprocessing Web Logs for Web Intrusion Detection Priyanka V. Patil. M.E. Scholar Department of computer Engineering R.C.Patil Institute of Technology, Shirpur, India Dharmaraj Patil. Department of Computer

More information

Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

More information

Conclusions and Future Directions

Conclusions and Future Directions Chapter 9 This chapter summarizes the thesis with discussion of (a) the findings and the contributions to the state-of-the-art in the disciplines covered by this work, and (b) future work, those directions

More information

HYBRID INTRUSION DETECTION FOR CLUSTER BASED WIRELESS SENSOR NETWORK

HYBRID INTRUSION DETECTION FOR CLUSTER BASED WIRELESS SENSOR NETWORK HYBRID INTRUSION DETECTION FOR CLUSTER BASED WIRELESS SENSOR NETWORK 1 K.RANJITH SINGH 1 Dept. of Computer Science, Periyar University, TamilNadu, India 2 T.HEMA 2 Dept. of Computer Science, Periyar University,

More information

A Biologically Inspired Approach to Network Vulnerability Identification

A Biologically Inspired Approach to Network Vulnerability Identification A Biologically Inspired Approach to Network Vulnerability Identification Evolving CNO Strategies for CND Todd Hughes, Aron Rubin, Andrew Cortese,, Harris Zebrowitz Senior Member, Engineering Staff Advanced

More information

Using reporting and data mining techniques to improve knowledge of subscribers; applications to customer profiling and fraud management

Using reporting and data mining techniques to improve knowledge of subscribers; applications to customer profiling and fraud management Using reporting and data mining techniques to improve knowledge of subscribers; applications to customer profiling and fraud management Paper Jean-Louis Amat Abstract One of the main issues of operators

More information

Intrusion Detection via Machine Learning for SCADA System Protection

Intrusion Detection via Machine Learning for SCADA System Protection Intrusion Detection via Machine Learning for SCADA System Protection S.L.P. Yasakethu Department of Computing, University of Surrey, Guildford, GU2 7XH, UK. s.l.yasakethu@surrey.ac.uk J. Jiang Department

More information

Index Terms Domain name, Firewall, Packet, Phishing, URL.

Index Terms Domain name, Firewall, Packet, Phishing, URL. BDD for Implementation of Packet Filter Firewall and Detecting Phishing Websites Naresh Shende Vidyalankar Institute of Technology Prof. S. K. Shinde Lokmanya Tilak College of Engineering Abstract Packet

More information

ALGORITHM FOR DISTRIBUTED AGENT BASED NETWORK INTRUSION DETECTION SYSTEM (NIDS)

ALGORITHM FOR DISTRIBUTED AGENT BASED NETWORK INTRUSION DETECTION SYSTEM (NIDS) ALGORITHM FOR DISTRIBUTED AGENT BASED NETWORK INTRUSION DETECTION SYSTEM (NIDS) Aleksandar Sokolovski Faculty Of Informatics, European University Skopje, Macedonia Saso Gelev Faculty Of Informatics, European

More information

How To Reduce Alerts From Ais To Ais From Aisc To As.Org.Uk

How To Reduce Alerts From Ais To Ais From Aisc To As.Org.Uk An AIS Inspired Alert Reduction Model Mohammad Mahboubian, Nur Izura Udzir, Shamala Subramaniam, Nor Asila Wati Abdul Hamid mahboubian.uni@gmail.com, {izura, shamala, asila}@fsktm.upm.edu.my Faculty of

More information

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society

More information

SURVEY OF INTRUSION DETECTION SYSTEM

SURVEY OF INTRUSION DETECTION SYSTEM SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT

More information

Six Days in the Network Security Trenches at SC14. A Cray Graph Analytics Case Study

Six Days in the Network Security Trenches at SC14. A Cray Graph Analytics Case Study Six Days in the Network Security Trenches at SC14 A Cray Graph Analytics Case Study WP-NetworkSecurity-0315 www.cray.com Table of Contents Introduction... 3 Analytics Mission and Source Data... 3 Analytics

More information

Alarm Clustering for Intrusion Detection Systems in Computer Networks

Alarm Clustering for Intrusion Detection Systems in Computer Networks Alarm Clustering for Intrusion Detection Systems in Computer Networks Giorgio Giacinto, Roberto Perdisci, Fabio Roli Department of Electrical and Electronic Engineering, University of Cagliari Piazza D

More information

Selection of Optimal Discount of Retail Assortments with Data Mining Approach

Selection of Optimal Discount of Retail Assortments with Data Mining Approach Available online at www.interscience.in Selection of Optimal Discount of Retail Assortments with Data Mining Approach Padmalatha Eddla, Ravinder Reddy, Mamatha Computer Science Department,CBIT, Gandipet,Hyderabad,A.P,India.

More information

JOURNAL OF NETWORKS, VOL. 7, NO. 2, FEBRUARY 2012 311

JOURNAL OF NETWORKS, VOL. 7, NO. 2, FEBRUARY 2012 311 JOURNAL OF NETWORKS, VOL. 7, NO. 2, FEBRUARY 2012 311 Real Time Intrusion Prediction based on Optimized Alerts with Hidden Markov Model Alireza Shameli Sendi, Michel Dagenais, Masoume Jabbarifar Department

More information

A NOVEL OVERLAY IDS FOR WIRELESS SENSOR NETWORKS

A NOVEL OVERLAY IDS FOR WIRELESS SENSOR NETWORKS A NOVEL OVERLAY IDS FOR WIRELESS SENSOR NETWORKS Sumanta Saha, Md. Safiqul Islam, Md. Sakhawat Hossen School of Information and Communication Technology The Royal Institute of Technology (KTH) Stockholm,

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Sokratis K. Katsikas Dept. of Digital Systems University of Piraeus ska@unipi.gr Agenda Overview of IDS Intrusion prevention using game theory Reducing false positives Clustering

More information

A Small-time Scale Netflow-based Anomaly Traffic Detecting Method Using MapReduce

A Small-time Scale Netflow-based Anomaly Traffic Detecting Method Using MapReduce , pp.231-242 http://dx.doi.org/10.14257/ijsia.2014.8.2.24 A Small-time Scale Netflow-based Anomaly Traffic Detecting Method Using MapReduce Wang Jin-Song, Zhang Long, Shi Kai and Zhang Hong-hao School

More information

Intelli-Restore as an Instantaneous Approach for Reduced Data Recovery Time

Intelli-Restore as an Instantaneous Approach for Reduced Data Recovery Time Intelli-Restore as an Instantaneous Approach for Reduced Data Recovery Time Leon Mugoh, Ismail Lukandu Ateya, Bernard Shibwabo Kasamani Faculty of Information Technology Strathmore University, Nairobi

More information

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide AlienVault Unified Security Management (USM) 4.x-5.x Deployment Planning Guide USM 4.x-5.x Deployment Planning Guide, rev. 1 Copyright AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

A Visualization Technique for Monitoring of Network Flow Data

A Visualization Technique for Monitoring of Network Flow Data A Visualization Technique for Monitoring of Network Flow Data Manami KIKUCHI Ochanomizu University Graduate School of Humanitics and Sciences Otsuka 2-1-1, Bunkyo-ku, Tokyo, JAPAPN manami@itolab.is.ocha.ac.jp

More information

STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION SYSTEMS

STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION SYSTEMS STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION SYSTEMS Athira A B 1 and Vinod Pathari 2 1 Department of Computer Engineering,National Institute Of Technology Calicut, India

More information

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation

Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation Agenda Problem Description Issues for Consideration Mitigation of the Issues Options

More information

2 Technologies for Security of the 2 Internet

2 Technologies for Security of the 2 Internet 2 Technologies for Security of the 2 Internet 2-1 A Study on Process Model for Internet Risk Analysis NAKAO Koji, MARUYAMA Yuko, OHKOUCHI Kazuya, MATSUMOTO Fumiko, and MORIYAMA Eimatsu Security Incidents

More information

A Frequency-Based Approach to Intrusion Detection

A Frequency-Based Approach to Intrusion Detection A Frequency-Based Approach to Intrusion Detection Mian Zhou and Sheau-Dong Lang School of Electrical Engineering & Computer Science and National Center for Forensic Science, University of Central Florida,

More information

PSG College of Technology, Coimbatore-641 004 Department of Computer & Information Sciences BSc (CT) G1 & G2 Sixth Semester PROJECT DETAILS.

PSG College of Technology, Coimbatore-641 004 Department of Computer & Information Sciences BSc (CT) G1 & G2 Sixth Semester PROJECT DETAILS. PSG College of Technology, Coimbatore-641 004 Department of Computer & Information Sciences BSc (CT) G1 & G2 Sixth Semester PROJECT DETAILS Project Project Title Area of Abstract No Specialization 1. Software

More information

Mining various patterns in sequential data in an SQL-like manner *

Mining various patterns in sequential data in an SQL-like manner * Mining various patterns in sequential data in an SQL-like manner * Marek Wojciechowski Poznan University of Technology, Institute of Computing Science, ul. Piotrowo 3a, 60-965 Poznan, Poland Marek.Wojciechowski@cs.put.poznan.pl

More information

Efficient Detection of Ddos Attacks by Entropy Variation

Efficient Detection of Ddos Attacks by Entropy Variation IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661, ISBN: 2278-8727 Volume 7, Issue 1 (Nov-Dec. 2012), PP 13-18 Efficient Detection of Ddos Attacks by Entropy Variation 1 V.Sus hma R eddy,

More information

Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems. Christopher Roblee Vincent Berk George Cybenko

Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems. Christopher Roblee Vincent Berk George Cybenko Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems Christopher Roblee Vincent Berk George Cybenko These slides are based on the paper Implementing Large-Scale Autonomic Server

More information

A Multi-layer Tree Model for Enterprise Vulnerability Management

A Multi-layer Tree Model for Enterprise Vulnerability Management A Multi-layer Tree Model for Enterprise Vulnerability Management Bin Wu Southern Polytechnic State University Marietta, GA, USA bwu@spsu.edu Andy Ju An Wang Southern Polytechnic State University Marietta,

More information

131-1. Adding New Level in KDD to Make the Web Usage Mining More Efficient. Abstract. 1. Introduction [1]. 1/10

131-1. Adding New Level in KDD to Make the Web Usage Mining More Efficient. Abstract. 1. Introduction [1]. 1/10 1/10 131-1 Adding New Level in KDD to Make the Web Usage Mining More Efficient Mohammad Ala a AL_Hamami PHD Student, Lecturer m_ah_1@yahoocom Soukaena Hassan Hashem PHD Student, Lecturer soukaena_hassan@yahoocom

More information

A Review on Zero Day Attack Safety Using Different Scenarios

A Review on Zero Day Attack Safety Using Different Scenarios Available online www.ejaet.com European Journal of Advances in Engineering and Technology, 2015, 2(1): 30-34 Review Article ISSN: 2394-658X A Review on Zero Day Attack Safety Using Different Scenarios

More information

Building A Smart Academic Advising System Using Association Rule Mining

Building A Smart Academic Advising System Using Association Rule Mining Building A Smart Academic Advising System Using Association Rule Mining Raed Shatnawi +962795285056 raedamin@just.edu.jo Qutaibah Althebyan +962796536277 qaalthebyan@just.edu.jo Baraq Ghalib & Mohammed

More information

Service Monitoring and Alarm Correlations

Service Monitoring and Alarm Correlations Service Monitoring and Alarm Correlations Oliver Jukić Virovitica College Virovitica, Republic of Croatia oliver.jukic@vsmti.hr Ivan Heđi Virovitica College Virovitica, Republic of Croatia ivan.hedi@vsmti.hr

More information

Optimization of Search Results with Duplicate Page Elimination using Usage Data A. K. Sharma 1, Neelam Duhan 2 1, 2

Optimization of Search Results with Duplicate Page Elimination using Usage Data A. K. Sharma 1, Neelam Duhan 2 1, 2 Optimization of Search Results with Duplicate Page Elimination using Usage Data A. K. Sharma 1, Neelam Duhan 2 1, 2 Department of Computer Engineering, YMCA University of Science & Technology, Faridabad,

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Botnet Detection by Abnormal IRC Traffic Analysis

Botnet Detection by Abnormal IRC Traffic Analysis Botnet Detection by Abnormal IRC Traffic Analysis Gu-Hsin Lai 1, Chia-Mei Chen 1, and Ray-Yu Tzeng 2, Chi-Sung Laih 2, Christos Faloutsos 3 1 National Sun Yat-Sen University Kaohsiung 804, Taiwan 2 National

More information

On A Network Forensics Model For Information Security

On A Network Forensics Model For Information Security On A Network Forensics Model For Information Security Ren Wei School of Information, Zhongnan University of Economics and Law, Wuhan, 430064 renw@public.wh.hb.cn Abstract: The employment of a patchwork

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM

A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM MS. DIMPI K PATEL Department of Computer Science and Engineering, Hasmukh Goswami college of Engineering, Ahmedabad, Gujarat ABSTRACT The Internet

More information

Hybrid Model For Intrusion Detection System Chapke Prajkta P., Raut A. B.

Hybrid Model For Intrusion Detection System Chapke Prajkta P., Raut A. B. www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume1 Issue 3 Dec 2012 Page No. 151-155 Hybrid Model For Intrusion Detection System Chapke Prajkta P., Raut A. B.

More information

NNMi120 Network Node Manager i Software 9.x Essentials

NNMi120 Network Node Manager i Software 9.x Essentials NNMi120 Network Node Manager i Software 9.x Essentials Instructor-Led Training For versions 9.0 9.2 OVERVIEW This course is designed for those Network and/or System administrators tasked with the installation,

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

Grid Density Clustering Algorithm

Grid Density Clustering Algorithm Grid Density Clustering Algorithm Amandeep Kaur Mann 1, Navneet Kaur 2, Scholar, M.Tech (CSE), RIMT, Mandi Gobindgarh, Punjab, India 1 Assistant Professor (CSE), RIMT, Mandi Gobindgarh, Punjab, India 2

More information

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Ensuring Security in Cloud with Multi-Level IDS and Log Management System Ensuring Security in Cloud with Multi-Level IDS and Log Management System 1 Prema Jain, 2 Ashwin Kumar PG Scholar, Mangalore Institute of Technology & Engineering, Moodbidri, Karnataka1, Assistant Professor,

More information

Intrusion Detection Systems with Correlation Capabilities

Intrusion Detection Systems with Correlation Capabilities Intrusion Detection Systems with Correlation Capabilities Daniel Johansson danjo133@student.liu.se Pär Andersson paran213@student.liu.se Abstract Alert correlation in network intrusion detection systems

More information

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849 WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

Network Security Monitoring: Looking Beyond the Network

Network Security Monitoring: Looking Beyond the Network 1 Network Security Monitoring: Looking Beyond the Network Ian R. J. Burke: GCIH, GCFA, EC/SA, CEH, LPT iburke@headwallsecurity.com iburke@middlebury.edu February 8, 2011 2 Abstract Network security monitoring

More information

Network Attack Platform

Network Attack Platform Design and Implementation of a Network Attack Platform Based on Plug-in Technology Li Gen, Wang Bailing *, Liu Yang, Bai Xuefeng and Yuan Xinling Department of Computer Science & Technology Harbin Institute

More information

An Improved Algorithm for Fuzzy Data Mining for Intrusion Detection

An Improved Algorithm for Fuzzy Data Mining for Intrusion Detection An Improved Algorithm for Fuzzy Data Mining for Intrusion Detection German Florez, Susan M. Bridges, and Rayford B. Vaughn Abstract We have been using fuzzy data mining techniques to extract patterns that

More information

Intrusion Detection Using Data Mining Along Fuzzy Logic and Genetic Algorithms

Intrusion Detection Using Data Mining Along Fuzzy Logic and Genetic Algorithms IJCSNS International Journal of Computer Science and Network Security, VOL.8 No., February 8 7 Intrusion Detection Using Data Mining Along Fuzzy Logic and Genetic Algorithms Y.Dhanalakshmi and Dr.I. Ramesh

More information

Two State Intrusion Detection System Against DDos Attack in Wireless Network

Two State Intrusion Detection System Against DDos Attack in Wireless Network Two State Intrusion Detection System Against DDos Attack in Wireless Network 1 Pintu Vasani, 2 Parikh Dhaval 1 M.E Student, 2 Head of Department (LDCE-CSE) L.D. College of Engineering, Ahmedabad, India.

More information

Three Effective Top-Down Clustering Algorithms for Location Database Systems

Three Effective Top-Down Clustering Algorithms for Location Database Systems Three Effective Top-Down Clustering Algorithms for Location Database Systems Kwang-Jo Lee and Sung-Bong Yang Department of Computer Science, Yonsei University, Seoul, Republic of Korea {kjlee5435, yang}@cs.yonsei.ac.kr

More information

Deep Security Vulnerability Protection Summary

Deep Security Vulnerability Protection Summary Deep Security Vulnerability Protection Summary Trend Micro, Incorporated This documents outlines the process behind rules creation and answers common questions about vulnerability coverage for Deep Security

More information

Intrusion Detection for Mobile Ad Hoc Networks

Intrusion Detection for Mobile Ad Hoc Networks Intrusion Detection for Mobile Ad Hoc Networks Tom Chen SMU, Dept of Electrical Engineering tchen@engr.smu.edu http://www.engr.smu.edu/~tchen TC/Rockwell/5-20-04 SMU Engineering p. 1 Outline Security problems

More information

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,

More information

Actionable information for security incident response

Actionable information for security incident response Actionable information for security incident response Cosmin Ciobanu 2015 European Union Agency for Network and Information Security www.enisa.europa.eu European Union Agency for Network and Information

More information

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options White paper What a Vulnerability Assessment Scanner Can t Tell You Leveraging Network Context to Prioritize Remediation Efforts and Identify Options november 2011 WHITE PAPER RedSeal Networks, Inc. 3965

More information

Cloud Security - Characteristics, Advantages and Disadvantages

Cloud Security - Characteristics, Advantages and Disadvantages The Research and Design of Intelligent IPS Model Based on Dynamic Cloud Firewall Linkage 1 Tiejun Jia, 2 Xiaogang Wang *1 College of Electronics & Information, Shanghai Dianji University, Shanghai 200240,

More information

Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

More information

Energy Efficient Load Balancing among Heterogeneous Nodes of Wireless Sensor Network

Energy Efficient Load Balancing among Heterogeneous Nodes of Wireless Sensor Network Energy Efficient Load Balancing among Heterogeneous Nodes of Wireless Sensor Network Chandrakant N Bangalore, India nadhachandra@gmail.com Abstract Energy efficient load balancing in a Wireless Sensor

More information

Efficient and Effective Duplicate Detection Evaluating Multiple Data using Genetic Algorithm

Efficient and Effective Duplicate Detection Evaluating Multiple Data using Genetic Algorithm Efficient and Effective Duplicate Detection Evaluating Multiple Data using Genetic Algorithm Dr.M.Mayilvaganan, M.Saipriyanka Associate Professor, Dept. of Computer Science, PSG College of Arts and Science,

More information

Attack graph analysis using parallel algorithm
