ATLANTIDES: an architecture for alert verification in network intrusion detection systems
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
An OVAL-based active vulnerability assessment system for enterprise computer networks
Information Systems Frontiers
Online Risk Assessment of Intrusion Scenarios Using D-S Evidence Theory
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Analyzing intensive intrusion alerts via correlation
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Intrusion detection and security policy framework for distributed environments
CTS'05 Proceedings of the 2005 international conference on Collaborative technologies and systems
Computer Networks: The International Journal of Computer and Telecommunications Networking
Alert correlation in collaborative intelligent intrusion detection systems-A survey
Applied Soft Computing
Redesign and implementation of evaluation dataset for intrusion detection system
ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
Intrusion detection alert verification based on multi-level fuzzy comprehensive evaluation
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part I
Alert correlation analysis in intrusion detection
ADMA'06 Proceedings of the Second international conference on Advanced Data Mining and Applications
An alert data mining framework for network-based intrusion detection system
WISA'05 Proceedings of the 6th international conference on Information Security Applications
Current intrusion detection systems (IDSs) usually focus on detecting low-level attacks and/or anomalies; none of them can capture the logical steps or attack strategies behind these attacks. Consequently, the IDSs usually generate a large number of alerts. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the number of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and take appropriate actions. This paper presents the development of an off-line intrusion alert correlator based on prerequisites of intrusions, which is our first step to address the aforementioned problem. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful. For example, the existence of a vulnerable service is the prerequisite of a remote buffer overflow attack against the service. Based on the prerequisite and the consequence of each type of attack, our intrusion alert correlator correlates the alerts by matching the consequence of some previous alerts with the prerequisite of some later ones. As a result, our intrusion alert correlator is able to correlate related alerts and uncover the attack strategies behind sequences of attacks. As an application based on a relational database management system (RDBMS), the intrusion alert correlator takes advantage of the functionalities of the RDBMS and can be easily integrated with other RDBMS-based intrusion analysis tools (e.g., ISS's RealSecure). Our experiments with the DARPA 2000 intrusion detection evaluation datasets have demonstrated the great potential of our approach in reducing false alerts and discovering high-level attack strategies.
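The prerequisite/consequence matching described in the abstract, as an added toy example in Python (not the paper's correlator or any RealSecure code): the alert types, predicate templates and sample alerts are constructed, loosely modelled on the DARPA 2000 LLDOS steps, and an alert that ends up in no correlated group is flagged as a candidate false positive.

```python
from dataclasses import dataclass

# Constructed hyperalert types (hypothetical, loosely modelled on the DARPA 2000
# LLDOS scenario): (prerequisite templates, consequence templates).
ALERT_TYPES = {
    "IP_Sweep":     (set(), {"HostAlive({dst})"}),
    "Sadmind_Ping": ({"HostAlive({dst})"}, {"VulnSadmind({dst})"}),
    "Sadmind_BOF":  ({"VulnSadmind({dst})"}, {"RootAccess({dst})"}),
    "Rsh":          ({"RootAccess({dst})"}, {"DDoSDaemon({dst})"}),
}

@dataclass(frozen=True)
class Alert:
    id: int
    kind: str
    dst: str
    ts: int  # arbitrary time units; only the ordering matters

def instantiate(templates, alert):
    """Bind predicate templates to the alert's attributes."""
    return {t.format(dst=alert.dst) for t in templates}

def correlate(alerts):
    """Edges (earlier_id, later_id): a consequence of the earlier alert
    matches a prerequisite of the later one."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    edges = []
    for j, later in enumerate(ordered):
        needs = instantiate(ALERT_TYPES[later.kind][0], later)
        for earlier in ordered[:j]:  # strictly earlier alerts only
            if needs & instantiate(ALERT_TYPES[earlier.kind][1], earlier):
                edges.append((earlier.id, later.id))
    return edges

def scenarios(alerts):
    """Connected components of the correlation graph; singletons are
    uncorrelated alerts, the candidates for false positives."""
    parent = {a.id: a.id for a in alerts}
    def find(x): return x if parent[x] == x else find(parent[x])
    for a, b in correlate(alerts):
        parent[find(a)] = find(b)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a.id)
    return sorted(sorted(g) for g in groups.values())

# Constructed sample: an LLDOS-style chain against 10.0.0.5, plus a lone
# overflow alert against 10.0.0.9 whose prerequisite no earlier alert prepared.
SAMPLE = [Alert(1, "IP_Sweep", "10.0.0.5", 1), Alert(2, "Sadmind_Ping", "10.0.0.5", 2),
          Alert(3, "Sadmind_BOF", "10.0.0.5", 3), Alert(4, "Rsh", "10.0.0.5", 4),
          Alert(5, "Sadmind_BOF", "10.0.0.9", 5)]
```

`correlate(SAMPLE)` yields the chain `[(1, 2), (2, 3), (3, 4)]` and `scenarios(SAMPLE)` groups it as `[[1, 2, 3, 4], [5]]`, leaving alert 5 isolated for review.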