Discovering coordinated groups of IP addresses through temporal correlation of alerts

Investor logo

Warning

This publication doesn't include Faculty of Medicine. It includes Institute of Computer Science. Official publication website can be found on muni.cz.

Authors

ŽÁDNÍK Martin WRONA Jan HYNEK Karel ČEJKA Tomáš HUSÁK Martin

Year of publication 2022
Type Article in Periodical
Magazine / Source IEEE Access
MU Faculty or unit

Institute of Computer Science

Citation
Web https://ieeexplore.ieee.org/document/9849653
Doi http://dx.doi.org/10.1109/ACCESS.2022.3196362
Keywords alerts;clustering;correlation;IP address;situational awareness
Attached files
Description Network-based monitoring and intrusion detection systems generate a high number of alerts reporting on the suspicious activity of IP addresses. The majority of alerts are dropped due to their low relevance, low priority or due to the high number of alerts itself. We assume that these alerts still contain valuable information, namely, about the coordination of IP addresses. Knowledge of the coordinated IP addresses improves situational awareness and reflects the requirement of security analysts as well as automated reasoning tools to have as much contextual information as possible to make an informed decision. To validate our assumption, we introduce a novel method to discover the groups of coordinated IP addresses that exhibit a temporal correlation of their alerts. We evaluate our method on data from a real sharing platform reporting approximately 1.5 million alerts per day. The results show that our method can indeed discover groups of truly coordinated IP addresses.
Related projects:

You are running an old browser version. We recommend updating your browser to its latest version.

More info