End-to-end internet packet dynamics
IEEE/ACM Transactions on Networking (TON)
The base-rate fallacy and its implications for the difficulty of intrusion detection
CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
A requires/provides model for computer attacks
Proceedings of the 2000 workshop on New security paradigms
Difficulties in simulating the internet
IEEE/ACM Transactions on Networking (TON)
Probabilistic Alert Correlation
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Aggregation and Correlation of Intrusion-Detection Alerts
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Automated Generation and Analysis of Attack Graphs
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Managing Alerts in a Multi-Intrusion Detection Environment
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Clustering intrusion detection alarms to support root cause analysis
ACM Transactions on Information and System Security (TISSEC)
Techniques and tools for analyzing intrusion alerts
ACM Transactions on Information and System Security (TISSEC)
A Comprehensive Approach to Intrusion Detection Alert Correlation
IEEE Transactions on Dependable and Secure Computing
Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Alert Correlation through Triggering Events and Common Resources
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Hypothesizing and reasoning about attacks missed by intrusion detection systems
ACM Transactions on Information and System Security (TISSEC)
M2D2: a formal data model for IDS alert correlation
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
| Hi-index | 0.00 |
This work shows that knowledgeable attackers can influence the tactical assessments output by INFOSEC alert correlation systems solely through manipulating the timing characteristics of their attacks. The approach taken is to assume that the defender's goal is to thwart attackers by enact optimal tactical responses. It is then shown that, even in an idealized environment, the defender has no guarantee that the correlation system's estimates of the enacted attacks are correct. A theoretical path always exists by which the attacker can influence the contents of the correlation system's low-level alert clusters. As these low-level clusters form the basis of all higher level analyses, this is sufficient to show that the attacker has influence over the tactical assessments reported by correlation systems. In essence, the attackers can cause the defender to mis-correlate an attack's generated INFOSEC alerts in a manner which will go undetected and is to the attacker's advantage. This capability is shown to hinge on there being attacks whose identification requires the analysis of shared alerts (i.e., alerts generatable by two or more distinct attacks).