Intrusion detection
A requires/provides model for computer attacks
Proceedings of the 2000 workshop on New security paradigms
Practical automated detection of stealthy portscans
Journal of Computer Security
Probabilistic Alert Correlation
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Aggregation and Correlation of Intrusion-Detection Alerts
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Two Formal Analyses of Attack Graphs
CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Automated Generation and Analysis of Attack Graphs
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Alert Correlation in a Cooperative Intrusion Detection Framework
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Using Model Checking to Analyze Network Vulnerabilities
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation
Constructing Attack Scenarios through Correlation of Intrusion Alerts
Analyzing intensive intrusion alerts via correlation
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Data mining for security applications
WISI'06 Proceedings of the 2006 international conference on Intelligence and Security Informatics
Incentive-based modeling and inference of attacker intent, objectives, and strategies
Proceedings of the 10th ACM conference on Computer and communications security
Learning attack strategies from intrusion alerts
Proceedings of the 10th ACM conference on Computer and communications security
Techniques and tools for analyzing intrusion alerts
ACM Transactions on Information and System Security (TISSEC)
Managing attack graph complexity through visual hierarchical aggregation
Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
A Comprehensive Approach to Intrusion Detection Alert Correlation
IEEE Transactions on Dependable and Secure Computing
Hypothesizing and reasoning about attacks missed by intrusion detection systems
ACM Transactions on Information and System Security (TISSEC)
Incentive-based modeling and inference of attacker intent, objectives, and strategies
ACM Transactions on Information and System Security (TISSEC)
Data warehousing and data mining techniques for intrusion detection systems
Distributed and Parallel Databases
Improving the quality of alerts and predicting intruder's next goal with Hidden Colored Petri-Net
Computer Networks: The International Journal of Computer and Telecommunications Networking
MulVAL: a logic-based network security analyzer
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Diffusion and graph spectral methods for network forensic analysis
NSPW '06 Proceedings of the 2006 workshop on New security paradigms
Forensic analysis of logs: Modeling and verification
Knowledge-Based Systems
Information Assurance: Dependability and Security in Networked Systems
International Journal of Information and Computer Security
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Cooperation forensic computing research
Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop
Classification of intrusion detection alerts using abstaining classifiers
Intelligent Data Analysis
Principled reasoning and practical applications of alert fusion in intrusion detection systems
Proceedings of the 2008 ACM symposium on Information, computer and communications security
A vulnerability-driven approach to active alert verification
ICCOM'05 Proceedings of the 9th WSEAS International Conference on Communications
Two alternatives for handling preferences in qualitative choice logic
Fuzzy Sets and Systems
Implementing interactive analysis of attack graphs using relational databases
Journal of Computer Security - 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec'06)
A Graph Based Approach Toward Network Forensics Analysis
ACM Transactions on Information and System Security (TISSEC)
Discovering Novel Multistage Attack Strategies
ADMA '07 Proceedings of the 3rd international conference on Advanced Data Mining and Applications
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Case-oriented alert correlation
WSEAS Transactions on Computers
Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs
Journal of Network and Systems Management
Real-Time Alert Correlation with Type Graphs
ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
A decision support system for constructing an alert classification model
Expert Systems with Applications: An International Journal
Processing intrusion detection alert aggregates with time series modeling
Information Fusion
A Formal Approach for the Forensic Analysis of Logs
Proceedings of the 2006 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the fifth SoMeT_06
Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts
Computer Communications
A dynamic fusion approach for security situation assessment
CNIS '07 Proceedings of the Fourth IASTED International Conference on Communication, Network and Information Security
Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Alert correlation by a retrospective method
ICOIN'09 Proceedings of the 23rd international conference on Information Networking
Data mining and machine learning-Towards reducing false positives in intrusion detection
Information Security Tech. Report
Multilevel event correlation based on collaboration and temporal causal correlation
WiCOM'09 Proceedings of the 5th International Conference on Wireless communications, networking and mobile computing
Evaluating MAPSec by marking attack graphs
Wireless Networks
Mining attack correlation scenarios based on multi-agent system
Proceedings of the 2007 conference on Human interface: Part I
Application of the pagerank algorithm to alarm graphs
ICICS'07 Proceedings of the 9th international conference on Information and communications security
An ontology-based intrusion alerts correlation system
Expert Systems with Applications: An International Journal
Proposing a multi-touch interface for intrusion detection environments
Proceedings of the Seventh International Symposium on Visualization for Cyber Security
State-based network intrusion detection systems for SCADA protocols: a proof of concept
CRITIS'09 Proceedings of the 4th international conference on Critical information infrastructures security
An online adaptive approach to alert correlation
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Community epidemic detection using time-correlated anomalies
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
A novel technique of recognising multi-stage attack behaviour
International Journal of High Performance Computing and Networking
A distributed and privacy-preserving method for network intrusion detection
OTM'10 Proceedings of the 2010 international conference on On the move to meaningful internet systems: Part II
Computer Networks: The International Journal of Computer and Telecommunications Networking
Alert correlation in collaborative intelligent intrusion detection systems-A survey
Applied Soft Computing
A new alert correlation algorithm based on attack graph
CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Security alert correlation using growing neural gas
CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Detecting, validating and characterizing computer infections in the wild
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Nexat: a history-based approach to predict attacker actions
Proceedings of the 27th Annual Computer Security Applications Conference
Assessing the risk of an information infrastructure through security dependencies
CRITIS'06 Proceedings of the First international conference on Critical Information Infrastructures Security
Interactive analysis of attack graphs using relational queries
DBSEC'06 Proceedings of the 20th IFIP WG 11.3 working conference on Data and Applications Security
Using contextual security policies for threat response
DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Attack scenario construction based on rule and fuzzy clustering
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
Integrating IDS alert correlation and OS-Level dependency tracking
ISI'06 Proceedings of the 4th IEEE international conference on Intelligence and Security Informatics
A cognitive model for alert correlation in a distributed environment
ISI'05 Proceedings of the 2005 IEEE international conference on Intelligence and Security Informatics
An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts
ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
Advanced reaction using risk assessment in intrusion detection systems
CRITIS'07 Proceedings of the Second international conference on Critical Information Infrastructures Security
An alert correlation platform for memory-supported techniques
Concurrency and Computation: Practice & Experience
Analyzing multiple logs for forensic evidence
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Forensic feature extraction and cross-drive analysis
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Inference in possibilistic network classifiers under uncertain observations
Annals of Mathematics and Artificial Intelligence
Alert correlation using artificial immune recognition system
International Journal of Bio-Inspired Computation
FuzMet: a fuzzy-logic based alert prioritization engine for intrusion detection systems
International Journal of Network Management
Shedding light on log correlation in network forensics analysis
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Extracting attack scenarios using intrusion semantics
FPS'12 Proceedings of the 5th international conference on Foundations and Practice of Security
Alert correlation: Severe attack prediction and controlling false alarm rate tradeoffs
Intelligent Data Analysis
Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies and raise alerts independently, even though there may be logical connections between them. Under intensive intrusions, not only are actual alerts mixed with false alerts, but the number of alerts also becomes unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a practical technique to address this issue. The proposed approach constructs attack scenarios by correlating alerts on the basis of the prerequisites and consequences of intrusions. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to succeed, while the consequence of an intrusion is its possible outcome. Based on the prerequisites and consequences of different types of attacks, the proposed approach correlates alerts by (partially) matching the consequences of some earlier alerts against the prerequisites of some later ones. The contribution of this paper includes a formal framework for alert correlation, the implementation of an off-line alert correlator based on the framework, and the evaluation of our method with the 2000 DARPA intrusion detection scenario-specific datasets. Our experience and experimental results have demonstrated the potential of the proposed method and its advantage over alternative methods.
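The correlation rule the abstract describes, implemented as an added example (this is not the authors' correlator, and the hyper-alert types, attribute names, IP addresses and timestamps below are constructed for illustration, loosely modelled on the sadmind/rsh/mstream chain of the DARPA 2000 scenario). Each alert type carries prerequisite and consequence predicate templates over alert attributes; an earlier alert "prepares for" a later one when at least one of its instantiated consequences appears among the later alert's instantiated prerequisites, and connected alerts form a scenario. Alerts that correlate with nothing are reported separately, since they are the candidates for false alerts (or for steps the IDS missed).

```python
"""Prerequisite/consequence alert correlation (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class HyperAlertType:
    name: str
    prerequisites: Tuple[str, ...]   # read as a conjunction of predicates
    consequences: Tuple[str, ...]    # facts established if the attack succeeds


@dataclass
class Alert:
    alert_id: int
    type_name: str
    begin: int                       # constructed timestamps (seconds)
    end: int
    attrs: Dict[str, str]


# Constructed type dictionary (an assumption of this example; a real deployment
# derives it from IDS signatures and vulnerability knowledge).
TYPES: Dict[str, HyperAlertType] = {t.name: t for t in [
    HyperAlertType("Sadmind_Ping", ("ExistHost(DestIP)",), ("VulnerableSadmind(DestIP)",)),
    HyperAlertType("Sadmind_Amslverify_Overflow",
                   ("ExistHost(DestIP)", "VulnerableSadmind(DestIP)"), ("GainRootAccess(DestIP)",)),
    HyperAlertType("Rsh", ("GainRootAccess(SrcIP)", "GainRootAccess(DestIP)"),
                   ("SystemCompromised(DestIP)",)),
    HyperAlertType("Mstream_Zombie", ("SystemCompromised(SrcIP)", "SystemCompromised(DestIP)"),
                   ("ReadyForDDOS(DestIP)",)),
    HyperAlertType("FTP_Probe", ("ExistHost(DestIP)",), ("FTPServerInfo(DestIP)",)),
]}


def instantiate(template: str, attrs: Dict[str, str]) -> str:
    """Bind attribute names in a predicate template to the alert's values:
    'VulnerableSadmind(DestIP)' with DestIP=10.0.0.5 -> 'VulnerableSadmind(10.0.0.5)'."""
    name, arglist = template[:-1].split("(")
    return f"{name}({','.join(attrs[a.strip()] for a in arglist.split(','))})"


def prerequisite_facts(alert: Alert) -> Set[str]:
    return {instantiate(p, alert.attrs) for p in TYPES[alert.type_name].prerequisites}


def consequence_facts(alert: Alert) -> Set[str]:
    return {instantiate(c, alert.attrs) for c in TYPES[alert.type_name].consequences}


def prepares_for(earlier: Alert, later: Alert) -> bool:
    """Partial match: some consequence of `earlier` is a prerequisite of `later`,
    and `earlier` finished before `later` began (temporal order is required)."""
    if earlier.end >= later.begin:
        return False
    return bool(consequence_facts(earlier) & prerequisite_facts(later))


def correlate(alerts: List[Alert]) -> List[Tuple[int, int]]:
    """Return the prepare-for edges (earlier_id, later_id) of the correlation graph."""
    return sorted((a.alert_id, b.alert_id)
                  for a in alerts for b in alerts if a is not b and prepares_for(a, b))


def attack_scenarios(alerts: List[Alert], edges: List[Tuple[int, int]]) -> Tuple[List[Set[int]], Set[int]]:
    """Scenarios are the connected components of the graph; singletons are returned
    apart as uncorrelated alerts (false-alert candidates or missed attack steps)."""
    adj: Dict[int, Set[int]] = {a.alert_id: set() for a in alerts}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    seen: Set[int] = set()
    scenarios: List[Set[int]] = []
    isolated: Set[int] = set()
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:                       # iterative DFS over the undirected graph
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n] - comp)
        seen |= comp
        if len(comp) > 1:
            scenarios.append(comp)
        else:
            isolated |= comp
    return scenarios, isolated


# Constructed alert stream: a probe -> overflow -> rsh -> DDoS-zombie chain,
# an unrelated FTP probe, and a late sadmind ping that fails the time check.
SAMPLE_ALERTS: List[Alert] = [
    Alert(1, "Sadmind_Ping", 100, 100, {"SrcIP": "172.16.115.20", "DestIP": "10.0.0.5"}),
    Alert(2, "Sadmind_Amslverify_Overflow", 200, 201, {"SrcIP": "172.16.115.20", "DestIP": "10.0.0.5"}),
    Alert(3, "Rsh", 300, 300, {"SrcIP": "172.16.115.20", "DestIP": "10.0.0.5"}),
    Alert(4, "Mstream_Zombie", 400, 400, {"SrcIP": "10.0.0.5", "DestIP": "10.0.0.7"}),
    Alert(5, "FTP_Probe", 150, 150, {"SrcIP": "192.168.1.9", "DestIP": "10.0.0.5"}),
    Alert(6, "Sadmind_Ping", 250, 250, {"SrcIP": "172.16.115.20", "DestIP": "10.0.0.5"}),
]


if __name__ == "__main__":
    edges = correlate(SAMPLE_ALERTS)
    scenarios, isolated = attack_scenarios(SAMPLE_ALERTS, edges)
    print("prepare-for edges:", edges)
    print("attack scenarios:", scenarios)
    print("uncorrelated alerts:", sorted(isolated))
```

Alert 6 illustrates why the temporal check matters: its consequence VulnerableSadmind(10.0.0.5) would match alert 2's prerequisite, but it was raised after the overflow and so cannot have prepared for it. The Rsh type also shows partial matching: only one of its two prerequisites is satisfied by alert 2, which is enough to draw the edge, whereas a strict conjunction would have broken the chain.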