A requires/provides model for computer attacks
Proceedings of the 2000 workshop on New security paradigms
Iterative Dynamic Programming
Artificial Intelligence Techniques: A Comprehensive Catalogue
Artificial Intelligence Techniques: A Comprehensive Catalogue
Constructing attack scenarios through correlation of intrusion alerts
Proceedings of the 9th ACM conference on Computer and communications security
Probabilistic Alert Correlation
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Aggregation and Correlation of Intrusion-Detection Alerts
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
A Case-Based Reasoning Approach to the Resolution of Faults in Communication Networks
Proceedings of the IFIP TC6/WG6.6 Third International Symposium on Integrated Network Management with participation of the IEEE Communications Society CNOM and with support from the Institute for Educational Services
Case-Based Reasoning for Intrusion Detection
ACSAC '96 Proceedings of the 12th Annual Computer Security Applications Conference
Alert Correlation in a Cooperative Intrusion Detection Framework
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Managing Alerts in a Multi-Intrusion Detection Environment
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Mining Alarm Clusters to Improve Alarm Handling Efficiency
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
A mission-impact-based approach to INFOSEC alarm correlation
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
| Hi-index | 0.00 |
Correlating alerts is of importance for identifying complex attacks and discarding false alerts. Most popular alert correlation approaches employ some well-defined knowledge to uncover the connections among alerts. However, acquiring, representing and justifying such knowledge has turned out to be a nontrivial task. In this paper, we propose a novel method to work around these difficulties by using case-based reasoning (CBR). In our application, a case, constructed from training data, serves as an example of correlated alerts. It consists of a pattern of alerts caused by an attack and the identity of the attack. The runtime alert stream is then compared with each case, to see if any subset of the runtime alerts are similar to the pattern in the case. The process is reduced to a matching problem. Two kinds of matching methods were explored. The latter is much more efficient than the former. Our experiments with the DARPA Grand Challenge Problem attack simulator have shown that both produce almost the same results and that case-oriented alert correlation is effective in detecting intrusions.