IDS Alert Correlation | CS 6262 Network Security

01 //

IDS Deployment

Intrusion Detection Systems (IDS) deploy sensors at the network or host level to monitor traffic and system activity. Security operations centers (SOCs) or managed security services analyze the resulting alerts. Alert correlation studies relationships among these alerts—grouping duplicates, inferring cause and effect, and reconstructing multi-step attack scenarios for better understanding and prediction.

02 //

Alarm Relationships

Alerts can relate to each other in several ways. Correlation techniques group and link them so analysts can see the bigger picture instead of isolated events.

Duplicates – The same attack or event triggers multiple alerts (different sensors, retries, or time windows). Deduplication merges these into a single logical event.
Causal / dependency – One alert is a prerequisite or consequence of another (e.g., exploit precedes data exfiltration). Some relationships are obvious from known tools; others come from analyzing impact and preconditions.
Hidden – No predefined attack graph exists. Statistical patterns reveal that certain alerts tend to occur together or in sequence. The goal is to infer an attacker’s multi-step plan or mission.

Duplicates

Same event, multiple sensors or times. Deduplication reduces noise.

Causal / Dependency

Known tools/patterns (obvious) or impact/conditions (less straightforward).

Hidden

Statistical patterns; no pre-defined attack graph. Infer attacker’s multi-step plan.

03 //

Granger Causality

Granger causality is a statistical notion of “cause”: if past values of one time series (e.g., alert type u) help predict another (y), then u is said to Granger-cause y. It captures temporal precedence and correlation, but not necessarily true causation (e.g., a common underlying factor could explain both).

AR model – Predicts y using only its own past values. The residual (prediction error) measures how well y can be predicted by itself.
ARMA model – Adds past values of u as extra predictors. If the ARMA residual is significantly smaller, then u’s past carries useful information for predicting y.

Granger Causality Index (GCI)

The GCI measures how much adding u improves prediction of y. An F-test compares the two models: if the GCI exceeds a threshold, we say u Granger-causes y. Ranking alert pairs by GCI helps identify which alerts are statistically related as precursors or consequences.

Example

In a worm scenario, Loki has the highest GCI with DB_NewClient. The worm sends data out, then downloads more from the same site (a feedback loop). Granger causality works well for strong temporal patterns and complements other correlation techniques.

04 //

Bayesian Networks

A Bayesian network is a directed acyclic graph (DAG) where nodes are random variables (e.g., alert types, attack stages) and edges encode direct dependencies. Each node has a conditional probability table (CPT) that defines how its probability depends on its parents. This lets us encode expert knowledge about attack prerequisites, update beliefs when new alerts arrive, and infer hidden relationships.

Different attack classes – Correlate by impact on the host (e.g., service degraded, resource exhausted) and necessary preconditions.
Same attack class – Correlate by security goals (confidentiality, integrity, availability) and how attacks move toward them.

Model Layers

Typical layers: Info Gathering → System Performance → Service → Confidentiality → Root Privilege → Integrity → Suspicious Connection → User Privilege. Given observed alerts (evidence), we compute P(A1 correlates with A2 | evidence) and use depth-first search to find the path with highest correlation score—that path represents the likely attack scenario.

05 //

Summary

Key Takeaways

Duplicate, causal, hidden – Alerts relate as duplicates (deduplicate), causal/dependency (known or inferred), or hidden (statistical patterns).
Granger causality – Statistical “does u help predict y?” Good for temporal patterns; complements other methods.
Bayesian networks – Encode expert knowledge in a DAG; update beliefs with evidence; infer correlation paths; highest-scoring path = likely attack scenario.