Application of the PageRank Algorithm to Alert Graphs

1
Application of the PageRank Algorithm to Alert
Graphs

• James J. Treinen
• Ramki Thurimella
• jamestr_at_cs.du.edu, ramki_at_cs.du.edu

2
Agenda

• Problem Statement
• Social Decay Analogy
• Inspiration from the Web
• Abstracting IDS Alarms
• The Ranking Algorithm
• Results
• Conclusions

3
The Problem

• Large IDS Infrastructures
• gt1000 Sensors
• 1,000,000 10,000,000 alarms/day
• Up to 99 false positives
• Missed Attacks

4
Data Flow
5
Social Decay

• Is the appearance of a meth lab the same as a
  host being compromised ?

6
The Goal

• Abstract the IDS alarms into a social model
• Calculate effect of known security incidents on
  adjacent nodes
• Produce lists of important hosts

7
Google does this nicely
8
Typical IDS Alarms
9
Calculating Ranks
10
Watch List
11
Watch List Effectiveness
12
Desired Visualization
13
Denial of Service
14
Identification of Missed Attack
15
(No Transcript)
16
Conclusions

• Using the IDS alerts to indicate social structure
  is effective at
• Identification of high risk nodes
• Watch list generation
• Producing easily digestible visualizations

17
Future Work

• Parallel Edges
• Distinct alarm signatures
• Weighted alarm severity

18
Thank You !

• jamestr_at_cs.du.edu
• ramki_at_cs.du.edu
• References
• Page, L., Brin, S., Motwani, R., Winograd, T.
  The PageRank Citation Ranking Bringing Order to
  the Web. In http//dbpubs.stanford.edu/pub/1999-6
  6. (1999).