ABSTRACT
Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a practical technique to address this issue. The proposed approach constructs attack scenarios by correlating alerts on the basis of prerequisites and consequences of intrusions. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful, while the consequence of an intrusion is the possible outcome of the intrusion. Based on the prerequisites and consequences of different types of attacks, the proposed approach correlates alerts by (partially) matching the consequence of some previous alerts and the prerequisite of some later ones. The contribution of this paper includes a formal framework for alert correlation, the implementation of an off-line alert correlator based on the framework, and the evaluation of our method with the 2000 DARPA intrusion detection scenario specific datasets. Our experience and experimental results have demonstrated the potential of the proposed method and its advantage over alternative methods.
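A minimal implementation of the correlation step the abstract describes, added here as an example (not the paper's own correlator): each hyper-alert type carries prerequisite and consequence predicates, and an earlier alert is linked to a later one when an instantiated consequence matches an instantiated prerequisite. The type names, predicates, hosts and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
# Hypothetical hyper-alert types, constructed for this example: predicate templates
# over alert attributes ("{dest}", "{src}") are instantiated per alert before comparison.
@dataclass(frozen=True)
class AlertType:
    name: str
    prerequisites: Tuple[str, ...]  # satisfying any one predicate is enough (partial match)
    consequences: Tuple[str, ...]
@dataclass
class Alert:
    id: str
    kind: AlertType
    attrs: Dict[str, str]
    begin: int  # constructed timestamps (seconds)
    end: int
def instantiate(templates: Tuple[str, ...], attrs: Dict[str, str]) -> Set[str]:
    """Fill in attribute values so predicates of different alerts are comparable."""
    return {t.format(**attrs) for t in templates}
def prepares_for(a: Alert, b: Alert) -> bool:
    """a prepares for b when a ended before b began and some consequence of a
    matches some prerequisite of b; one matching predicate is deliberately enough."""
    if a.end >= b.begin:
        return False
    return bool(instantiate(a.kind.consequences, a.attrs)
                & instantiate(b.kind.prerequisites, b.attrs))
def correlate(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """Prepare-for edges; alerts joined by edges form one attack scenario."""
    return [(a.id, b.id) for a in alerts for b in alerts
            if a is not b and prepares_for(a, b)]
def isolated(alerts: List[Alert]) -> List[str]:
    """Alerts on no edge: candidates for false positives or unrelated noise."""
    linked = {x for edge in correlate(alerts) for x in edge}
    return [a.id for a in alerts if a.id not in linked]
# Constructed multi-stage scenario: sweep -> sadmind overflow -> rsh -> DDoS daemon.
PING = AlertType("Sadmind_Ping", (), ("ExistsHost({dest})",))
OVERFLOW = AlertType("Sadmind_Overflow", ("ExistsHost({dest})",), ("GainRoot({dest})",))
RSH = AlertType("Rsh", ("GainRoot({dest})",), ("Compromised({dest})",))
ZOMBIE = AlertType("Mstream_Zombie", ("Compromised({src})",), ("DDoSReady({src})",))
ALERTS = [
    Alert("a1", PING, {"dest": "10.0.0.5"}, 10, 11),
    Alert("a2", OVERFLOW, {"dest": "10.0.0.5"}, 20, 21),
    Alert("a5", OVERFLOW, {"dest": "10.0.0.7"}, 25, 26),  # no sweep precedes it
    Alert("a3", RSH, {"src": "10.0.0.1", "dest": "10.0.0.5"}, 30, 31),
    Alert("a4", ZOMBIE, {"src": "10.0.0.5", "dest": "10.0.0.9"}, 40, 41),
    Alert("a6", PING, {"dest": "10.0.0.5"}, 50, 51),  # too late to prepare for a2
]
```

Running `correlate(ALERTS)` yields the chain a1 -> a2 -> a3 -> a4, while a5 and a6 stay isolated because no earlier consequence satisfies their prerequisites or no later prerequisite uses their consequences.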