A logic-based model to support alert correlation in intrusion detection

Authors:
Benjamin Morin;Ludovic Mé;Hervé Debar;Mireille Ducassé
Affiliations:
Supelec, Avenue de la Boulaie, CS-47601, F-35576 Cesson-Sevigné, France;Supelec, Avenue de la Boulaie, CS-47601, F-35576 Cesson-Sevigné, France;Orange Labs, 42 rue des Coutures, BP-6243, F-14066 Caen, France;IRISA, Campus de Beaulieu, F-35042 Rennes, France
Venue:
Information Fusion
Year:
2009

Citing 18
Cited 12

NetSTAT: a network-based intrusion detection system

Journal of Computer Security
A requires/provides model for computer attacks

Proceedings of the 2000 workshop on New security paradigms
Ontology in information security: a useful theoretical foundation and methodological tool

Proceedings of the 2001 workshop on New security paradigms
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Aggregation and Correlation of Intrusion-Detection Alerts

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
ADeLe: An Attack Description Language for Knowledge-Based Intrusion Detection

IFIP/Sec '01 Proceedings of the IFIP TC11 Sixteenth Annual Working Conference on Information Security: Trusted Information: The New Decade Challenge
Alert Correlation in a Cooperative Intrusion Detection Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Managing Alerts in a Multi-Intrusion Detection Environment

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Clustering intrusion detection alarms to support root cause analysis

ACM Transactions on Information and System Security (TISSEC)
A Comprehensive Approach to Intrusion Detection Alert Correlation

IEEE Transactions on Dependable and Secure Computing
Improving Security Management through Passive Network Observation

ARES '06 Proceedings of the First International Conference on Availability, Reliability and Security
Using Description Logics for Network Vulnerability Analysis

ICNICONSMCL '06 Proceedings of the International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies
The Description Logic Handbook

The Description Logic Handbook
A mission-impact-based approach to INFOSEC alarm correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
M2D2: a formal data model for IDS alert correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Conceptual analysis of intrusion alarms

ICIAP'05 Proceedings of the 13th international conference on Image Analysis and Processing
Intrusion detection: a brief history and overview

Computer
Modeling requests among cooperating intrusion detection systems

Computer Communications

An incremental SVM for intrusion detection based on key feature selection

IITA'09 Proceedings of the 3rd international conference on Intelligent information technology application
An online adaptive approach to alert correlation

DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Alert correlation in collaborative intelligent intrusion detection systems-A survey

Applied Soft Computing
Security alert correlation using growing neural gas

CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Effective allied network security system based on designed scheme with conditional legitimate probability against distributed network attacks and intrusions

International Journal of Communication Systems
Alert correlation using artificial immune recognition system

International Journal of Bio-Inspired Computation
A comprehensive vulnerability based alert management approach for large networks

Future Generation Computer Systems
Limitation of honeypot/honeynet databases to enhance alert correlation

MMM-ACNS'12 Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security
Network specific vulnerability based alert reduction approach

Security and Communication Networks
Detection of anomalies from user profiles generated from system logs

AISC '11 Proceedings of the Ninth Australasian Information Security Conference - Volume 116
Review: Formal Concept Analysis in knowledge processing: A survey on models and techniques

Expert Systems with Applications: An International Journal
Towards cost-sensitive assessment of intrusion response selection

Journal of Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Managing and supervising security in large networks has become a challenging task, as new threats and flaws are being discovered on a daily basis. This requires an in depth and up-to-date knowledge of the context in which security-related events occur. Several tools have been proposed to support security operators in this task, each of which focuses on some specific aspects of the monitoring. Many alarm fusion and correlation approaches have also been investigated. However, most of these approaches suffer from two major drawbacks. First, they only take advantage of the information found in alerts, which is not sufficient to achieve the goals of alert correlation, that is to say to reduce the overall amount of alerts, while enhancing their semantics. Second, these techniques have been designed on an ad hoc basis and lack a shared data model that would allow them to reason about events in a cooperative way. In this paper, we propose a federative data model for security systems to query and assert knowledge about security incidents and the context in which they occur. This model constitutes a consistent and formal ground to represent information that is required to reason about complementary evidences, in order to confirm or invalidate alerts raised by intrusion detection systems.