**2.2 Approaches for correlation of security events**

Correlation techniques for security events can be classified into three categories: (1) rule-based, (2) anomaly-based and (3) based on causes and consequences (Prerequisites and Consequences, PC) (Abad et al, 2003). The rule-based method requires some prior knowledge about the attack, so the target machine has to pass through a preparation phase called training. The goal of this phase is to make the target machine able to precisely detect the vulnerabilities it was trained for (Abad et al, 2003), (Mizoguchi, 2000). The gaps of the rule-based method are: (1) it is computationally intensive; (2) it produces a large amount of data; (3) it works only for known vulnerabilities.

The anomaly-based method analyzes the network data flow, correlating it with statistical methods, accumulating the gathered information and observing the deviations that occur throughout the network data flow, so that new attacks can be detected. For instance, (Manikopoulos & Papavassiliou, 2002) demonstrates an anomaly detection system characterized by monitoring several parameters simultaneously. (Valdes & Skinner, 2001) presents a probabilistic correlation proposed for IDPS, based on data fusion and multiple sensors. However, the anomaly-based method cannot detect anomalous activity hidden inside a normal process if it is performed at a very low level. Besides, since this method analyzes normal processes and reports only the deviations from them, it is not suitable for finding the causes of attacks (Ning et al, 2001).

The PC method relies on connections between causes (conditions that must hold for an attack to succeed) and consequences (results of exploiting a cause), in order to correlate alerts based on the gathered information. This method is suitable for discovering attack strategies. Both causes and consequences consist of information about alert attributes (specific features belonging to each alert), and it is these attributes that are correlated. An arrangement of attributes is called a tuple. According to Fig. 4, for a connection to be valid, the preparatory alert must have in its consequences at least one tuple that is repeated in the causes of the resulting alert. In other words, the preparatory alert contributes to the construction of the resulting alert, and therefore the two can be correlated. For this connection, illustrated in Fig. 4, the timestamp of the preparatory alert has to precede that of the resulting alert (Silva & Guelfi, 2010), (Pontes & Guelfi, 2010), (Ning et al, 2001).

Fig. 4. Connections between alerts: a consequence of the preparatory alert (SID1) is connected to a prerequisite of the resulting alert (SID2).
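As an added illustration of the connection rule described above (example code written for this page, not the EAS implementation nor code from the cited works): each alert carries a set of prerequisite tuples and a set of consequence tuples, and two alerts are connected only when a consequence tuple of the earlier alert reappears among the prerequisites of the later one. The SIDs, the predicate names such as `open_port` and `compromised`, the host address and the timestamps are all constructed for the example. The block also renders the connections as the node-and-arrow graph used later in this section, lists the isolated alerts, and groups connected alerts into one attack strategy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# A "tuple" in the PC sense is an arrangement of alert attributes, modelled here
# as a plain Python tuple such as ("open_port", "10.0.0.5", 445). The predicate
# names are assumptions made for this example, not names from the EAS.

@dataclass(frozen=True)
class Alert:
    sid: str
    ts: datetime
    prerequisites: frozenset   # tuples that must hold for the attack to succeed (causes)
    consequences: frozenset    # tuples that hold once the attack has succeeded

@dataclass(frozen=True)
class Connection:
    preparatory: str           # SID of the earlier alert
    resulting: str             # SID of the later alert it prepares
    shared: frozenset          # the tuple(s) that appear on both sides

def correlate(alerts):
    """PC correlation: p prepares r when a consequence tuple of p is repeated
    among the prerequisites of r AND p's timestamp precedes r's."""
    edges = []
    for p in alerts:
        for r in alerts:
            if p is r or not p.ts < r.ts:
                continue
            shared = p.consequences & r.prerequisites
            if shared:
                edges.append(Connection(p.sid, r.sid, shared))
    return edges

def isolated_alerts(alerts, edges):
    """Alerts taking part in no connection; PC correlation says nothing about them."""
    linked = {e.preparatory for e in edges} | {e.resulting for e in edges}
    return [a.sid for a in alerts if a.sid not in linked]

def attack_groups(alerts, edges):
    """Connected components of the correlation graph (union-find): each
    component is a set of alerts that belong to one attack strategy."""
    parent = {a.sid: a.sid for a in alerts}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    for e in edges:
        parent[find(e.preparatory)] = find(e.resulting)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a.sid), []).append(a.sid)
    return sorted(sorted(g) for g in groups.values())

def to_dot(edges):
    """Graph form used in the text: alerts as nodes, connections as arrows."""
    body = "".join(f"  {e.preparatory} -> {e.resulting};\n" for e in edges)
    return "digraph correlation {\n" + body + "}"

# Constructed sample: a port scan, an exploit and a reverse shell against one
# host, plus an unrelated alert and one whose tuple matches but arrives too early.
T0 = datetime(2010, 5, 1, 12, 0, 0)
H = "10.0.0.5"
SAMPLE_ALERTS = [
    Alert("SID1", T0, frozenset(), frozenset({("open_port", H, 445)})),
    Alert("SID2", T0 + timedelta(minutes=5),
          frozenset({("open_port", H, 445)}), frozenset({("compromised", H)})),
    Alert("SID3", T0 + timedelta(minutes=9),
          frozenset({("compromised", H)}), frozenset({("egress_shell", H)})),
    Alert("SID4", T0 + timedelta(minutes=2),
          frozenset({("open_port", "10.0.0.9", 22)}), frozenset()),
    # SID5 needs ("compromised", H), which SID2 provides, but SID5 is timestamped
    # before SID2, so the timestamp rule forbids the connection.
    Alert("SID5", T0 - timedelta(minutes=1),
          frozenset({("compromised", H)}), frozenset()),
]

if __name__ == "__main__":
    edges = correlate(SAMPLE_ALERTS)
    print(to_dot(edges))
    print("isolated:", isolated_alerts(SAMPLE_ALERTS, edges))
    print("attacks:", attack_groups(SAMPLE_ALERTS, edges))
```

Running the block yields two arrows, SID1 -> SID2 and SID2 -> SID3, and reports SID4 and SID5 as isolated; SID5 is the instructive case, since its prerequisite matches SID2's consequence but its timestamp comes first, so the connection is rejected exactly as the text requires.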

In order to reduce complexity, correlations can be shown as graphs in which alerts are represented by nodes and connections by arrows (each arrow representing a correlation between two alerts).

Yet, some gaps in the PC method may be mentioned: the difficulty of obtaining the causes and consequences of alerts (Pietraszek & Tanner, 2005), the impossibility of analyzing isolated alerts (alerts that are not correlated with any other) and the fact that missed attacks are hard to correlate. An alternative that minimizes the problem is to apply complementary correlation techniques (Morin & Debar, 2003), with sensors working in cooperation to supervise the environment and reduce missed detections. There are two techniques for mapping IDPS alerts to logs obtained from other sources: descending analysis and ascending analysis (Abad et al, 2003), (Silva, 2010).

Descending analysis starts from an attack that has already been detected and checks (correlates) whether other logs (e.g. operating system logs) contain traces of that incident. For a detected attack, the other collected logs (e.g. the operating system's logs) are searched by timestamp. This type of analysis is useful for tracing evidence about the strategy of events, in order to map an attack back to its source.

The ascending technique is used to discover attacks through the analysis of several logs. Once an anomaly is detected in one of these logs, the other logs are checked by timestamp. Although the ascending technique is computationally intensive, it allows new attacks to be detected.

In earlier work we proposed the EAS (Silva & Guelfi, 2010), (Silva, 2010), intending to improve the results of security event correlation and intrusion detection. EAS performs multi-correlation of events from operating systems (OSs) and from IDPS (log analysis); consequently, EAS is also able to verify the influence of isolated alerts in the cyber-security context.

The EAS architecture has four modules, as shown in Fig. 5: (a) converter: handles the data input to the system (IDPS signatures, alerts and logs from the OS); (b) updating: controls the data that is going to be used by the system; (c) correlating: performs the mappings for the correlation processes, the identification of FP (false positive) alerts, and the identification of isolated alerts; (d) calculator: analyzes and compares FP, based on the results from the correlating module.

Fig. 5. EAS's Architecture (Silva, 2010), (Silva & Guelfi, 2010)

Earthquake Prediction: Analogy with Forecasting Models for Cyber Attacks in Internet and Computer Systems 109

According to (Silva, 2010), (Silva & Guelfi, 2010), employing the EAS made it possible to improve on current correlation results for security events with respect to the following issues: (1) traceability of causes and consequences within the PC-correlation method (with multi-correlation criteria, ascending/descending correlation analysis, and identification of FP alerts through tables and graphs); and (2) the process of validating the correlation results. In (Silva, 2010), (Silva & Guelfi, 2010), the results of the correlating phase were evaluated in three steps (FP1, FP2 and FP3) using tables and graphs; the stepwise analysis allowed the results to be compared. EAS achieved an increase of 112.09% in the identification of FP alerts after multi-correlation. Another important result of EAS was the evidence of preparatory connections between individual alerts that are in fact part of larger and more elaborate attacks. In other words, EAS can show that individual alerts can be grouped into a single attack, since they are part of the same attack strategy (Silva, 2010), (Silva & Guelfi, 2010).

**2.3 Related forecasting methodologies for earthquakes**

Statistics-based forecast methodologies are used to understand and predict earthquake signals (Kagan & Jackson, 2000). It is important to discuss these other lines of research in order to notice the variety of forecasting applications. Two forecasting studies are summarized below.

Holliday et al. (2005) based their forecast research on the association of the occurrence of small earthquakes with probable future large ones. In fact, the method does not predict earthquakes, but spots regions (hotspot regions) where they are most likely to occur in the future (about ten years). Basically, the research objective is to reduce risk areas by analyzing the historical seismicity for anomalous behaviour.

**2.3.1 Earthquake forecasting and its verification**

The approach is based on a pattern informatics (PI) method which quantifies temporal variations in seismicity and is as follows (Holliday et al, 2005):

1. The region of interest is divided into *NB* square boxes with linear dimension *∆x*. Boxes are identified by a subscript *i* and are centered at *xi*. For each box there is a time series *Ni(t)*, the number of earthquakes per unit time at time *t* larger than the lower cut-off magnitude *Mc*. The time series in box *i* is defined between a base time *tb* and the present time *t*.

2. All earthquakes in the region of interest with magnitudes greater than a lower cutoff magnitude *Mc* are included. The lower cutoff magnitude *Mc* is specified in order to ensure completeness of the data through time, from an initial time *t0* to a final time *t2*.

3. Three time intervals are considered:
   a. A reference time interval from *tb* to *t1*.
   b. A second time interval from *tb* to *t2*, *t2* > *t1*. The change interval over which seismic activity changes are determined is then *t2 - t1*. The time *tb* is chosen to lie between *t0* and *t1*. Typically we take *t0* = 1932, *t1* = 1990, and *t2* = 2000. The objective is to quantify anomalous seismic activity in the change interval *t1* to *t2* relative to the reference interval *tb* to *t1*.
   c. The forecast time interval *t2* to *t3*, for which the forecast is valid. The change and forecast intervals are taken to have the same length. For the above example, *t3* = 2010.
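As an added worked example of the three PI intervals of section 2.3.1 (code written for this page, not Holliday et al.'s implementation): the region is cut into square boxes of side *∆x*, only events with magnitude at least *Mc* are counted, and each box's rate in the change interval [*t1*, *t2*) is compared with its rate in the reference interval [*tb*, *t1*). The catalogue events, the planar kilometre coordinates, the value *tb* = 1950 and the choice of a plain rate difference as the anomaly measure are assumptions for this example; the text only states that activity in the change interval is quantified relative to the reference interval.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: float    # occurrence time as a decimal year
    x: float    # easting in km (constructed planar coordinates, not lat/lon)
    y: float    # northing in km
    m: float    # magnitude

def box_index(x, y, dx):
    """Index of the square box of side dx that contains (x, y)."""
    return (math.floor(x / dx), math.floor(y / dx))

def count_per_box(events, t_start, t_end, mc, dx):
    """N_i summed over [t_start, t_end): events with m >= mc, grouped by box i."""
    counts = {}
    for e in events:
        if e.m >= mc and t_start <= e.t < t_end:
            k = box_index(e.x, e.y, dx)
            counts[k] = counts.get(k, 0) + 1
    return counts

def rate_change(events, t0, tb, t1, t2, mc, dx):
    """Per-box rate in the change interval [t1, t2) minus the rate in the
    reference interval [tb, t1). Assumption for this example: the plain rate
    difference stands in for the PI anomaly measure."""
    if not (t0 <= tb < t1 < t2):
        raise ValueError("need t0 <= tb < t1 < t2 (catalogue is complete from t0)")
    ref = count_per_box(events, tb, t1, mc, dx)
    chg = count_per_box(events, t1, t2, mc, dx)
    return {b: chg.get(b, 0) / (t2 - t1) - ref.get(b, 0) / (t1 - tb)
            for b in set(ref) | set(chg)}

def forecast_interval(t1, t2):
    """Rule (c): the forecast interval starts at t2 and is as long as the change interval."""
    return (t2, t2 + (t2 - t1))

def hotspots(changes, top=1):
    """Boxes with the largest increase in rate relative to their reference interval."""
    return sorted(changes, key=lambda b: changes[b], reverse=True)[:top]

# Parameters follow the text's example (t0 = 1932, t1 = 1990, t2 = 2000);
# tb = 1950, Mc = 5.0 and dx = 10 km and all catalogue events are constructed.
T0, TB, T1, T2, MC, DX = 1932.0, 1950.0, 1990.0, 2000.0, 5.0, 10.0
SAMPLE_EVENTS = [
    # box (0, 0): steady background, 4 events in 40 years then 1 in 10 years
    Event(1955.3, 3.0, 4.0, 5.4), Event(1965.1, 2.0, 6.0, 5.1),
    Event(1975.8, 4.5, 3.5, 5.6), Event(1985.2, 1.0, 8.0, 5.0),
    Event(1995.6, 3.0, 4.0, 5.2),
    # box (1, 1): quiet in the reference interval, a burst in the change interval
    Event(1945.0, 15.0, 15.0, 5.3),   # before tb: ignored
    Event(1960.4, 15.0, 15.0, 5.1),
    Event(1991.0, 14.0, 16.0, 5.0), Event(1993.2, 15.0, 15.0, 5.5),
    Event(1995.1, 16.0, 14.0, 5.2), Event(1997.7, 15.0, 15.0, 5.1),
    Event(1999.9, 15.0, 15.0, 5.0),
    Event(2003.0, 15.0, 15.0, 6.0),   # after t2: ignored
    # box (2, 0): only events below Mc, excluded to keep the catalogue complete
    Event(1992.0, 25.0, 3.0, 3.5), Event(1994.0, 25.0, 3.0, 3.8),
]

if __name__ == "__main__":
    changes = rate_change(SAMPLE_EVENTS, T0, TB, T1, T2, MC, DX)
    for box, d in sorted(changes.items()):
        print(box, f"{d:+.3f} events/yr")
    print("hotspot:", hotspots(changes), "forecast:", forecast_interval(T1, T2))
```

Box (0, 0) keeps the same rate in both intervals and scores zero; box (1, 1) goes from one event in forty years to five in ten and is the hotspot, with the forecast interval (2000, 2010) having the same ten-year length as the change interval. The events below *Mc* never reach the counts, which is the point of the completeness cut-off in step 2.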
