Abstract
Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability. We use capability to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator. The experimental results of the correlator using several intrusion datasets demonstrate that the approach is effective in both alert fusion and alert correlation and has the ability to correlate alerts of complex multistage intrusions. In several instances, the alert correlator successfully correlated more than two thousand Snort alerts involved in massive scanning incidents. It also helped us find two multistage intrusions that were missed in auditing by the security officers.
- Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., and Stoner, E. 1999. State of the Practice of Intrusion Detection Technologies. Tech. Rep. CMU/SEI-99-TR-028, Software Engineering Institute, Carnegie Mellon University. Jan.)Google Scholar
- Anderson, J. P. 1980. Computer Security Threat Monitoring and Surveillance. James P. Anderson Co.Google Scholar
- Bass, T. 1999. Multisensor data fusion for next generation distributed intrusion detection systems. In Proceedings of the IRIS National Symposium on Sensor and Data Fusion.Google Scholar
- Bass, T. 2000. Intrusion detection systems and multisensor data fusion. Communications of the ACM 43, 4, 99--105. Google Scholar
Digital Library
- CERT. 2001. Advisory CA-2001-19 Code Red worm exploiting buffer overflow in IIS indexing service DLL.Google Scholar
- Cheung, S., Lindqvist, U., and Fong, M. W. 2003. Modeling multistep cyber attacks for scenario recognition. In Proceedings of the DARPA Information Survivability Conference and Exposition. Washington, D.C.Google Scholar
- Cisco Systems Inc. Cisco intrusion prevention alert center, http://www.cisco.com/pcgi-bin/front.x/ipsalerts/ipsalertsHome.pl.Google Scholar
- Cormen, T. H., Leiserson, C. E., Rivest, R. L., and Stein, C. 2001. Introduction to Algorithms, 2nd ed. The MIT Press. Cambridge, MA. Google Scholar
Digital Library
- Cui, Y. 2002. A toolkit for intrusion alerts correlation based on prerequisites and consequences of attacks. M. S. thesis, North Carolina State University, Department of Computer Science.Google Scholar
- Cuppens, F. and Miège, A. 2002. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the IEEE Symposium of Security and Privacy. 202. Google Scholar
Digital Library
- Cuppens, F., Autrel, F., Miège, A., and Benherfat, S. 2002. Correlation in an intrusion detection process. In Proceedings of the SECI02 Workshop.Google Scholar
- Debar, H. and Wespi, A. 2001. Aggregation and correlation of intrusion-detection alerts. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection. Google Scholar
Digital Library
- Denning, D. E. 1987. An intrusion detection model. IEEE Transaction of Software Engineering 13, 2, 222--232. Google Scholar
Digital Library
- Dittrich, D., Weaver, G., Dietrich, S., and Long, N. 2000. The mstream distributed denial of service attack tool. http://staff.washington.edu/dittrich/misc/mstream.analysis.txt.Google Scholar
- Eckmann, S., Vigna, G., and Kemmerer, R. 2002. STATL: An Attack Language for State-based Intrusion Detection. Journal of Computer Security 10, 1/2, 71--104. Google Scholar
Digital Library
- Howard, J. D. 1997. An analysis of security incidents on the internet. Ph.D. thesis, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213. Google Scholar
Digital Library
- Internet Security Systems (ISS). X-force database, http://xforce.iss.net/xforce/search.php.Google Scholar
- Lin, J.-L., Wang, X. S., and Jajodia, S. 1998. Abstraction-based misuse detection: High-level specifications and adaptable strategies. In Proceedings of the Computer Security Foundation Workshop. Google Scholar
Digital Library
- Lippmann, R. P., Webster, S. E., and Stetson, D. 2002. The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection. Google Scholar
Digital Library
- MIT Lincoln Lab. 2000. DARPA 2000 intrusion detection evaluation datasets. http://ideval.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html.Google Scholar
- Morin, B., Mé, L., Debar, H., and Ducasse, M. 2002. M2d2: a formal data model for ids alert correlation. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection, Zurich, Switzerland. Google Scholar
Digital Library
- Ning, P., Cui, Y., Reeves, D. S., and Xu, D. 2004. Techniques and Tools for Analyzing Intrusion Alerts. ACM Transactions on Information and System Security 7, 2 (May), 274--318. Google Scholar
Digital Library
- Pouzol, J.-P. and Ducassé, M. 2002. Formal specifications of intrusion signatures and detection rules. In Proceedings of the Computer Security Foundation Workshop. Google Scholar
Digital Library
- Purczynski, W. and Niewiadomski, J. 2003. wu-ftpd fb_realpath() off-by-one bug. http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt.Google Scholar
- Ristenpart, T., Templeton, S., and Bishop, M. 2004. Time synchronization of aggregated heterogeneous logs. In Proceedings of the Student Workshop on Computing, Department of Computer Science, University of California, Davis, CA.Google Scholar
- Roesch, M. 1999. Snort---lightweight intrusion detection for networks. In Proceedings of the USENIX Lisa Conference, Berkeley, CA. Google Scholar
Digital Library
- SecurityFocus. 2004. Vulnerability database. http://www.securityfocus.com/bid.Google Scholar
- Sheyner, O., Haines, J., Jha, S., Lippmann, R., and Wing, J. M. 2002. Automated generation and analysis of attack graphs. In Proceedings of the IEEE Symposium of Security and Privacy. Berkeley, CA. Google Scholar
Digital Library
- Snort Inline. http://snort-inline.sourceforge.net/.Google Scholar
- Tcpdump and Libpcap. http://www.tcpdump.org/.Google Scholar
- Templeton, S. J. and Levitt, K. 2000. A requires/provides model for computer attacks. In Proceedings of the Workshop on New Security Paradigms. 31--38. Google Scholar
Digital Library
- The Honeypot Project. 2001. Know your enemy: Revealing the security tools, tactics, and motives of the blackhat community. http://www.honeynet.org.Google Scholar
- The OpenSSL Project. 2002. OpenSSL security advisory {30 July 2002}. http://www.openssl.org/news/secadv_20020730.txt.Google Scholar
- Valdes, A. and Skinner, K. 2001. Probabilistic alert correlation. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection. Number 2212 in Lecture Notes in Computer Science. Springer-Verlag, New York. Google Scholar
Digital Library
- Zhou, J., Carlson, A., and Bishop, M. 2005. Verify results of network intrusion alerts using lightweight protocol analysis. In Proceedings of the Annual Computer Security Applications Conference, Tucson, AZ. Google Scholar
Digital Library
Index Terms
Modeling network intrusion detection alerts for correlation
Recommendations
Constructing attack scenarios through correlation of intrusion alerts
CCS '02: Proceedings of the 9th ACM conference on Computer and communications securityTraditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts ...
Techniques and tools for analyzing intrusion alerts
Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive attacks, not only will actual alerts be ...
Analyzing intensive intrusion alerts via correlation
RAID'02: Proceedings of the 5th international conference on Recent advances in intrusion detectionTraditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts ...






Comments