Alert correlation is an approach to analyze a huge number of security alerts received from network sensors. An alert correlation engine normalizes, fuses and clusters incoming alerts; then identifies relationships among them. Limitation of computing resources, like CPUs, makes such systems not satisfactory. In recent years, GPUs have been used in various fields, however, due to the dynamic nature of processes and data structures in alert correlation, correlation algorithms have not been implemented on the GPU. This paper presents a novel approach to implement alert correlation on the GPU. It focuses on alert aggregation, which is classified as a similarity-based alert correlation. This approach presents an online cooperative model which utilizes the processing power of CPUs and GPUs to aggregate security alert. This paper also presents the development of a toolkit named GTA2, which works as an assistant tool with Snort and provides online alert aggregation on alerts received. GTA2 takes advantage of unused processing power of existing GPU to aggregate security alerts generated by Snort. Evaluations illustrate the proposed method will improve the processing speed by 15 times.
K.-W.Chang, B.Deka, W.-M.W.Hwu and D.Roth, Efficient pattern-based time series classification on GPU, in: 2012 IEEE 12th International Conference on Data Mining, December 2012, 2012, pp. 131–140.
3.
H.T.Elshoush and I.M.Osman, Reducing false positives through fuzzy alert correlation in collaborative intelligent intrusion detection systems – A review, in: International Conference on Fuzzy Systems, 2010.
4.
N.-F.Huang, H.-W.Hung, S.-H.Lai, Y.-M.Chu and W.-Y.Tsai, A GPU-based multiple-pattern matching algorithm for network intrusion detection systems, in: 22nd International Conference on Advanced Information Networking and Applications – Workshops (AINA Workshops 2008), 2008.
5.
C.Hung, Y.Lin, K.Li, H.Wang and S.Guo, Efficient GPGPU-based parallel packet classification, in: 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2011, pp. 1367–1374.
6.
N.Jacob, C.Ave and C.Brodley, Offloading IDS computation to the GPU, in: 22nd Annual Computer Security Applications Conference, ACSAC’06, 2006, pp. 371–380.
7.
K.I.Karantasis, E.D.Polychronopoulos and G.N.Dimitrakopoulos, Accelerating data clustering on GPU-based clusters under shared memory abstraction, in: 2010 IEEE International Conference on Cluster Computing Workshops and Posters (CLUSTER WORKSHOPS), September 2010, 2010, pp. 1–5.
8.
E.Kijsipongse, S.U-ruekolan, C.Ngamphiw and S.Tongsima, Efficient large Pearson correlation matrix computing using hybrid MPI/CUDA, in: 2011 Eighth International Joint Conference on Computer Science and Software Engineering, May 2011, 2011, pp. 237–241.
9.
D.Li, Z.Li, L.Wang and M.Roesch, Reducing false positives based on time sequence analysis, in: Fourth International Conference on Fuzzy Systems and Knowledge Discovery (FSKD), 2007, pp. 67–71.
10.
C.Mei, H.Jiang and J.Jenness, CUDA-based AES parallelization with fine-tuned GPU memory utilization, in: 2010 IEEE International Symposium on Parallel & Distributed Processing, Workshops and PhD Forum (IPDPSW), 2010, pp. 1–7.
11.
M.Narimani, A.Nowroozi and P.Mahdinia,
A cooperative GPU-based approach for alert aggregation, International Journal of Computer and Information Technologies (IJOCIT)2(2) (2014), 416–425.
12.
A.Nottingham, GPF: A framework for general packet classification on GPU co-processors, Master’s thesis, Rhodes University, 2012.
13.
NVIDIA, CUDA C Best Practices Guide, 2010, available at: www.nvidia.com.
14.
J.Platos, P.Kromer, V.Snasel and A.Abraham, Scaling IDS construction based on non-negative matrix factorization using GPU computing, in: Sixth International Conference on Information Assurance and Security Scaling, 2010, pp. 86–91.
15.
S.Roschke, F.Cheng and C.Meinel, A flexible and efficient alert correlation platform for distributed IDS, in: Fourth International Conference on Network and System Security, 2010.
16.
S.Roschke, F.Cheng and C.Meinel, A new alert correlation algorithm based on attack graph, in: Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems (CISIS), June 2011, 2011, pp. 58–67.
17.
R.Smith, N.Goyal, J.Ormont, K.Sankaralingam and C.Estan, Evaluating GPUs for network packet signature matching, in: 2009 IEEE International Symposium on Performance Analysis of Systems and Software, April 2009, 2009, pp. 175–184.
18.
W.Sun and R.Ricci, Fast and flexible: Parallel packet processing with GPUs and click, in: ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), 2013.
19.
A.E.Taha and I.A.Ghaffar, Agent based correlation model for intrusion detection alerts, in: 2010 IEEE International Conference on Intelligence and Security Informatics (ISI), 2010, pp. 89–94.
20.
G.Tedesco and U.Aickelin, Real-time alert correlation with type graphs, in: Proceedings of the 4th International Conference on Information Systems Security (ICISS), 2008, pp. 173–187.
21.
The Shmoo Group, DefCon, available at: http://cctf.shmoo.com.
22.
A.Valdes and K.Skinner, Probabilistic alert correlation, in: SRI International, 2001, pp. 54–68.
23.
F.Valeur, Real-time intrusion detection alert correlation, PhD dissertation, University of California, Santa Barbara, 2006.
24.
H.Waita Njogu, Using alert cluster to reduce IDS alerts, in: 2010 3rd International Conference on Computer Science and Information Technology, July 2010, 2010.
25.
R.Wu, B.Zhang and M.Hsu, Clustering billions of data points using GPUs, in: UCHPC-MAW’09, 2009, pp. 1–5.
26.
S.Xiao, Y.Zhang, X.Liu and J.Gao, Alert fusion based on cluster and correlation analysis, in: 2008 International Conference on Convergence and Hybrid Information Technology, 2008, pp. 163–168.
27.
S.Yuan and C.Zou, The security operations center based on correlation analysis, in: 2011 IEEE 3rd International Conference on Communication Software and Networks, May 2011, 2011, pp. 334–337.
