
Modeling network intrusion detection alerts for correlation

Published: 01 February 2007

Abstract

Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts for low-level security-related events. Many of these alerts logically belong to a single multistage intrusion incident, and a security officer usually wants to analyze the complete incident rather than each individual simple alert. This paper proposes a well-structured model that abstracts the logical relations between alerts in order to support automatic correlation of the alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability. We use capabilities to abstract, consistently and precisely, every level of access obtained by the attacker in each step of a multistage intrusion. We then derive inference rules that define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator. Experimental results obtained by running the correlator on several intrusion datasets demonstrate that the approach is effective in both alert fusion and alert correlation and is able to correlate the alerts of complex multistage intrusions. In several instances, the alert correlator successfully correlated more than two thousand Snort alerts involved in massive scanning incidents. It also helped us find two multistage intrusions that the security officers had missed during auditing.
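The following Python sketch is an added illustration, not code from the paper or its prototype correlator: it shows the requires/provides capability idea described above in a deliberately simplified form. Each signature in a hypothetical catalogue needs some access level on one host and yields a level on the destination, one inference rule lets a higher level satisfy a lower requirement, repeated scan alerts are fused, and an alert whose prerequisite is met by an incident's accumulated capabilities is chained into that incident. The catalogue, access levels, signature names, addresses and timings are all constructed assumptions.

```python
from dataclasses import dataclass

LEVEL = {"recon": 1, "user": 2, "root": 3}  # ordered access levels on one host
# Constructed catalogue (not the paper's): level needed on the alert's src or dst
# host ("requires") and the level gained on the dst host ("provides").
CATALOG = {
    "SCAN nmap TCP": {"requires": None, "provides": "recon"},
    "FTP EXPLOIT wu-ftpd": {"requires": ("dst", "recon"), "provides": "root"},
    "DDOS mstream client to handler": {"requires": ("src", "user"), "provides": None},
}

@dataclass
class Alert:
    t: int; sig: str; src: str; dst: str; count: int = 1  # count = fused repeats

def satisfies(caps, host, level):
    # Inference rule: holding a higher level on a host implies every lower one.
    return LEVEL.get(caps.get(host), 0) >= LEVEL[level]

def fuse(alerts, window=60):
    # Alert fusion: repeats of one signature/src/dst within `window` s become one alert.
    out, last = [], {}
    for a in sorted(alerts, key=lambda a: a.t):
        key = (a.sig, a.src, a.dst)
        if key in last and a.t - last[key].t <= window:
            last[key].count += 1
        else:
            last[key] = Alert(a.t, a.sig, a.src, a.dst)
            out.append(last[key])
    return out

def correlate(alerts):
    # Each incident is {"alerts": [...], "caps": {host: highest level obtained}}. An alert
    # joins the first incident whose caps satisfy its prerequisite, else opens a new one.
    incidents = []
    for a in alerts:
        req, prov = CATALOG[a.sig]["requires"], CATALOG[a.sig]["provides"]
        inc = None
        if req:
            host = a.src if req[0] == "src" else a.dst
            inc = next((i for i in incidents if satisfies(i["caps"], host, req[1])), None)
        if inc is None:
            incidents.append(inc := {"alerts": [], "caps": {}})
        inc["alerts"].append(a)
        if prov and LEVEL[prov] > LEVEL.get(inc["caps"].get(a.dst), 0):
            inc["caps"][a.dst] = prov  # the alert raised the attacker's access on dst
    return incidents

# Constructed sample: 15-probe scan, exploit of the scanned host, unrelated scan,
# then a DDoS alert whose source is the host compromised earlier.
RAW = [Alert(t, "SCAN nmap TCP", "10.0.0.9", "192.168.1.5") for t in range(0, 30, 2)]
RAW += [Alert(120, "FTP EXPLOIT wu-ftpd", "10.0.0.9", "192.168.1.5"),
        Alert(200, "SCAN nmap TCP", "10.0.0.33", "192.168.1.8"),
        Alert(300, "DDOS mstream client to handler", "192.168.1.5", "172.16.0.7")]
```

Running `correlate(fuse(RAW))` yields two incidents: the scan, exploit and DDoS alerts chained together because root access on 192.168.1.5 satisfies the DDoS alert's prerequisite on its source, and the unrelated scan on its own.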

