
GSLAC: A General Scalable and Low-Overhead Alert Correlation Method


Abstract

Causal-based alert correlation is one of the mainstream techniques for detecting multi-step threat behaviors. However, because large-scale networks generate high-speed alert streams whose alert type distribution changes over time, it is challenging to make causal alert correlation methods general and scalable while keeping their overhead low. In this paper, we propose a novel general, scalable and low-overhead alert correlation method, called GSLAC. GSLAC first presents an online alert correlation framework based on a "dispatch-aggregate" scheme and employs a general causal-based alert correlation method to detect diverse threat behaviors. To provide a scalable and low-overhead correlation service, a hybrid correlation graph partition solution is proposed that divides the correlation graph into multiple sub-graphs managed by a group of parallel servers, according to the overhead caused by each alert type. To adapt to changes in the alert type distribution of the dataflow, GSLAC rebalances the servers' workloads with a dynamic hot-spot migration technique. A prototype deployment on the Storm platform shows that GSLAC achieves alert correlation throughput that scales with the number of servers, good load balance as the distribution of the alert dataflow changes, low overhead under high-speed dataflow, and significantly outperforms existing methods on a real-world dataset.
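The abstract names three mechanisms but does not detail them: a causal correlation graph over alert types, a partition of that graph across servers weighted by per-type overhead, and migration of hot spots when the alert mix shifts. The following is an added, self-contained Python illustration of that design, not GSLAC's own code; the alert types, causal edges, overhead figures and alert stream are constructed, and the greedy largest-first partition and the migration rule are simple stand-ins for the paper's hybrid partition and hot-spot migration, whose actual algorithms the abstract does not describe. Cross-server predecessor lookups are modelled as direct reads of another server's state in one process, where a real deployment would exchange messages.

```python
"""Partitioned causal alert correlation: dispatch, correlate, aggregate, rebalance.
Constructed illustration; not the GSLAC implementation."""
from collections import defaultdict

# Causal graph over alert types (predecessor -> successors). Constructed sample.
CAUSAL_EDGES = {
    "port_scan": ["exploit_attempt"],
    "exploit_attempt": ["priv_escalation", "malware_drop"],
    "priv_escalation": ["lateral_move"],
    "malware_drop": ["c2_beacon"],
    "lateral_move": ["data_exfil"],
    "c2_beacon": ["data_exfil"],
    "data_exfil": [],
}
PREDECESSORS = defaultdict(list)
for _src, _dsts in CAUSAL_EDGES.items():
    for _dst in _dsts:
        PREDECESSORS[_dst].append(_src)


def partition_by_overhead(overhead, n_servers):
    """Greedy largest-first assignment of alert types to servers so that the
    per-server total overhead is roughly balanced. Returns {type: server}."""
    load = [0.0] * n_servers
    owner = {}
    for atype, cost in sorted(overhead.items(), key=lambda kv: -kv[1]):
        s = min(range(n_servers), key=lambda i: load[i])
        owner[atype] = s
        load[s] += cost
    return owner


def server_loads(owner, overhead, n_servers):
    load = [0.0] * n_servers
    for atype, s in owner.items():
        load[s] += overhead[atype]
    return load


def migrate_hot_spots(owner, overhead, n_servers, max_ratio=1.5):
    """While the busiest server carries more than max_ratio times the mean load,
    move the costliest type off it that fits on the least loaded server without
    making that server the new hot spot. Mutates owner; returns the moves."""
    moves = []
    while True:
        load = server_loads(owner, overhead, n_servers)
        mean = sum(load) / n_servers
        hot = max(range(n_servers), key=load.__getitem__)
        cold = min(range(n_servers), key=load.__getitem__)
        if mean == 0 or load[hot] / mean <= max_ratio:
            return moves
        eligible = [t for t, s in owner.items()
                    if s == hot and load[cold] + overhead[t] < load[hot]]
        if not eligible:  # every candidate would just relocate the hot spot
            return moves
        t = max(eligible, key=overhead.__getitem__)
        owner[t] = cold
        moves.append((t, hot, cold))


class CorrelationCluster:
    """Dispatch: route each alert to the server owning its type. Correlate: link
    it to recent alerts of predecessor types on the same host, wherever those
    types live. Aggregate: assemble the links into multi-step chains."""

    def __init__(self, owner, n_servers, window=600):
        self.owner = owner
        self.window = window  # seconds within which a predecessor still counts
        # per-server state: type -> host -> [(ts, alert_id)]
        self.state = [defaultdict(lambda: defaultdict(list)) for _ in range(n_servers)]
        self.edges = []  # aggregated causal links (pred_alert_id, alert_id)
        self.dispatched = [0] * n_servers

    def dispatch(self, alert):
        s = self.owner[alert["type"]]
        self.dispatched[s] += 1
        t, host, ts, aid = alert["type"], alert["host"], alert["ts"], alert["id"]
        for pred in PREDECESSORS.get(t, []):
            ps = self.owner[pred]  # predecessor type may be owned by another server
            for pts, pid in self.state[ps][pred][host]:
                if 0 <= ts - pts <= self.window:
                    self.edges.append((pid, aid))
        self.state[s][t][host].append((ts, aid))

    def chains(self):
        succ, has_pred = defaultdict(list), set()
        for pid, aid in self.edges:
            succ[pid].append(aid)
            has_pred.add(aid)
        roots = [p for p in list(succ) if p not in has_pred]
        out = []

        def walk(node, path):
            if not succ.get(node):
                out.append(path)
                return
            for nxt in succ[node]:
                walk(nxt, path + [nxt])

        for r in roots:
            walk(r, [r])
        return out


def sample_alerts():
    """Constructed stream: one full multi-step chain on host h1 plus unrelated alerts."""
    return [
        {"id": "a1", "type": "port_scan", "host": "h1", "ts": 0},
        {"id": "a2", "type": "port_scan", "host": "h2", "ts": 5},
        {"id": "a3", "type": "exploit_attempt", "host": "h1", "ts": 30},
        {"id": "a4", "type": "priv_escalation", "host": "h1", "ts": 90},
        {"id": "a5", "type": "lateral_move", "host": "h1", "ts": 200},
        {"id": "a6", "type": "c2_beacon", "host": "h3", "ts": 210},  # no predecessor seen
        {"id": "a7", "type": "data_exfil", "host": "h1", "ts": 400},
    ]


def run_demo(n_servers=3):
    # Constructed overhead per type (alert rate x per-alert processing cost).
    overhead = {"port_scan": 50.0, "exploit_attempt": 20.0, "priv_escalation": 5.0,
                "malware_drop": 8.0, "lateral_move": 6.0, "c2_beacon": 30.0, "data_exfil": 2.0}
    owner = partition_by_overhead(overhead, n_servers)
    cluster = CorrelationCluster(owner, n_servers)
    for alert in sample_alerts():
        cluster.dispatch(alert)
    # Distribution shift: scans fall off, beacons and escalations surge; rebalance.
    shifted = dict(overhead, port_scan=10.0, c2_beacon=60.0, priv_escalation=20.0)
    moves = migrate_hot_spots(owner, shifted, n_servers)
    return owner, cluster, moves


if __name__ == "__main__":
    owner, cluster, moves = run_demo()
    print("chains:", cluster.chains())
    print("migrations:", moves)
    print("ownership after rebalance:", owner)
```

Running the demo reconstructs the single chain a1 → a3 → a4 → a5 → a7 even though its steps are owned by different servers, and the shifted overhead triggers two migrations that bring the busiest server back under the 1.5x-of-mean threshold. The eligibility check in `migrate_hot_spots` is what keeps the rebalancer from oscillating a single dominant type between two servers.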
