To defend against multi-step intrusions in high-speed networks, efficient algorithms are needed to correlate isolated alerts into attack scenarios. Existing correlation methods usually employ an in-memory index for fast searches among received alerts. With finite memory, the index can only be built on a limited number of alerts inside a sliding window. Knowing this fact, an attacker can prevent two attack steps from both falling into the sliding window by either passively delaying the second step or actively injecting bogus alerts between the two steps. In either case, the correlation effort is defeated. In this paper, we first address the above issue with a novel queue graph (QG) approach. Instead of searching all the received alerts for those that prepare for a new alert, we only search for the latest alert of each type. The correlation between the new alert and other alerts is implicitly represented using the temporal order between alerts. Consequently, our approach can correlate alerts that are arbitrarily far away, and it has a linear (in the number of alert types) time complexity and quadratic memory requirement. Then, we extend the basic QG approach to a unified method to hypothesize missing alerts and to predict future alerts. Finally, we propose a compact representation for the result of alert correlation. Empirical results show that our method can fulfill correlation tasks faster than an IDS can report alerts. Hence, the method is a promising solution for administrators to monitor and predict the progress of intrusions and thus to take appropriate countermeasures in a timely manner.
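The queue graph idea in the abstract (keep only the latest alert of each type, let the attack graph plus temporal order imply the correlation) is easiest to see next to the sliding-window index it replaces. The following is an added, simplified illustration written for this page, not code from the paper: the prepare-for relation between alert types, the alert stream, the window size of three and the one-step hypothesis and prediction rules are all constructed assumptions. It replays a stream in which an attacker pads bogus alerts between a scan and the probe it prepares for, so a three-alert window never holds both steps, while the queue graph still links them, flags the exploit step the sensor never reported, and lists the attack-graph successors to watch for next.

```python
"""Queue-graph (QG) style alert correlation beside a sliding-window baseline.

Constructed illustration: the prepare-for relation, the alert stream and the
window size are made-up example values, not data or code from the paper.
"""
from collections import deque

# Constructed attack-graph fragment: alert type -> types it prepares for.
PREPARES_FOR = {
    "PORTSCAN": {"RPC_PROBE", "SSH_BRUTE"},
    "RPC_PROBE": {"RPC_EXPLOIT"},
    "RPC_EXPLOIT": {"ROOT_SHELL"},
    "SSH_BRUTE": {"ROOT_SHELL"},
    "NOISE": set(),  # a type with no prerequisites and no consequences
}
ALERT_TYPES = sorted(set(PREPARES_FOR) | set().union(*PREPARES_FOR.values()))

# Inverse relation: alert type -> types that prepare for it.
PREPARED_BY = {t: set() for t in ALERT_TYPES}
for src, dsts in PREPARES_FOR.items():
    for dst in dsts:
        PREPARED_BY[dst].add(src)


class SlidingWindowCorrelator:
    """Baseline: an index over only the last `window` received alerts."""

    def __init__(self, window):
        self.window = deque(maxlen=window)
        self.edges = []  # (earlier_alert, later_alert) pairs found

    def process(self, alert):
        _, atype, _ = alert
        # Scan every indexed alert: cost grows with the window size.
        for old in self.window:
            if atype in PREPARES_FOR.get(old[1], set()):
                self.edges.append((old, alert))
        self.window.append(alert)  # the oldest alert silently falls out


class QueueGraphCorrelator:
    """QG: keep only the latest alert of each type. The correlation is implied
    by the attack graph plus the temporal order, so memory is O(n^2) in the
    number of alert types n and each new alert costs O(n) lookups."""

    def __init__(self):
        self.latest = {}        # alert type -> latest alert of that type
        self.edges = []         # correlations made explicit for display
        self.hypothesized = []  # (candidate missing types, alert needing them)

    def process(self, alert):
        _, atype, _ = alert
        prereqs = PREPARED_BY.get(atype, set())
        found = False
        for p in prereqs:  # at most n candidate types, one lookup each
            if p in self.latest:
                self.edges.append((self.latest[p], alert))
                found = True
        if prereqs and not found:
            # Simplified hypothesis rule (assumption): the step requires a
            # prerequisite that was never reported, so assume the IDS missed it.
            self.hypothesized.append((tuple(sorted(prereqs)), alert))
        self.latest[atype] = alert  # overwrite; never more than n entries

    def predict(self):
        """One-step look-ahead: types the observed steps prepare for that have
        not been seen yet (simplified prediction rule, an assumption here)."""
        nxt = set()
        for seen in self.latest:
            nxt |= PREPARES_FOR.get(seen, set())
        return sorted(nxt - set(self.latest))


# Constructed stream: three bogus alerts are injected between the scan and the
# probe, so a window of three alerts never contains both attack steps.
STREAM = [
    (1, "PORTSCAN", "10.0.0.5"),
    (2, "NOISE", "10.0.0.5"),
    (3, "NOISE", "10.0.0.5"),
    (4, "NOISE", "10.0.0.5"),
    (5, "RPC_PROBE", "10.0.0.5"),
    (6, "ROOT_SHELL", "10.0.0.5"),  # RPC_EXPLOIT was never reported
]


def run(window=3):
    """Feed the constructed stream to both correlators and return them."""
    sw = SlidingWindowCorrelator(window)
    qg = QueueGraphCorrelator()
    for alert in STREAM:
        sw.process(alert)
        qg.process(alert)
    return sw, qg


if __name__ == "__main__":
    sw, qg = run()
    print("sliding window edges:", [(a[1], b[1]) for a, b in sw.edges])
    print("queue graph edges:   ", [(a[1], b[1]) for a, b in qg.edges])
    print("hypothesized missing:", qg.hypothesized)
    print("predicted next types:", qg.predict())
```

With the default window of three the baseline reports no correlation at all, whereas the queue graph links the scan to the probe despite the padding, hypothesizes the unreported exploit step behind the root shell, and predicts the remaining successors. Enlarging the window (for example `run(window=5)`) lets the baseline recover the link, which is exactly the arms race the abstract describes: any finite window can be outwaited or flooded, while the queue graph's state is bounded by the number of alert types rather than by elapsed alerts.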