Although network intrusion detection systems (IDSs) have been studied for several years, their operators are still overwhelmed by a large number of false-positive alerts. In this work we study the following problem: given a large archive of intrusion alerts collected in a production network, we want to detect, with a small number of false positives, the hosts within the network that have been infected by malware. Solving this problem is essential not only for reducing the false-positive rate of IDSs, but also for labeling traces collected in the wild with information about validated security incidents. We use a 9-month long dataset of IDS alerts and first build a novel heuristic to detect infected hosts from the 3 million alerts, on average, that we observe per day. Our heuristic uses a statistical measure to find hosts that exhibit a repeated multi-stage malicious footprint involving specific classes of alerts. A significant part of our work is devoted to validating our heuristic. We conduct a complex experiment to assess the security of suspected infected systems in a production environment using data from several independent sources, including intrusion alerts, blacklists, host scanning logs, vulnerability reports, and search engine queries. We find that the false-positive rate of our heuristic is 15% and analyze in depth the root causes of the false positives. Having validated our heuristic, we apply it to our entire trace and characterize various important properties of the 9 thousand infected hosts found in total. For example, we find that among the infected hosts a small number of heavy hitters originate most outbound attacks, and that future infections are more likely to occur close to already infected hosts.