Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies and raise alerts independently, even when there are logical connections between them. Under intensive attacks, not only are true alerts mixed with false alerts, but the number of alerts also becomes unmanageable. As a result, it is difficult for human analysts or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a sequence of techniques to address this issue. The first technique constructs attack scenarios by correlating alerts on the basis of the prerequisites and consequences of attacks. Intuitively, the prerequisite of an attack is the condition that must hold for the attack to succeed, while the consequence of an attack is its possible outcome. Based on the prerequisites and consequences of different types of attacks, the proposed method correlates alerts by (partially) matching the consequences of some earlier alerts with the prerequisites of some later ones. Moreover, to handle large collections of alerts, this paper presents a set of interactive analysis utilities aimed at facilitating the investigation of large sets of intrusion alerts. This paper also presents the development of a toolkit named TIAA, which provides system support for interactive intrusion analysis. Finally, this paper reports the experiments conducted to validate the proposed techniques with the 2000 DARPA intrusion detection scenario-specific datasets and with the data collected at the DEFCON 8 Capture the Flag event.
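As an added example (not code from the paper or its TIAA toolkit), the following Python sketches the prerequisite/consequence correlation the abstract describes: each alert type carries prerequisite and consequence predicates over its attributes, an earlier alert "prepares for" a later one when a consequence of the first matches a prerequisite of the second, and connected alerts form an attack scenario. The alert types, predicate names and alert stream are constructed here for illustration, not taken from the paper.

```python
from collections import namedtuple

# Constructed knowledge base (not the paper's own tables): each alert type lists
# prerequisite ("pre") and consequence ("post") predicates over attribute names.
ALERT_TYPES = {
    "IP_Sweep": {"pre": [], "post": [("ExistHost", "DestIP")]},
    "Service_Probe": {"pre": [("ExistHost", "DestIP")], "post": [("VulnService", "DestIP", "DestPort")]},
    "Service_Overflow": {"pre": [("VulnService", "DestIP", "DestPort")], "post": [("RootAccess", "DestIP")]},
    "Remote_Shell": {"pre": [("RootAccess", "SrcIP")], "post": [("RootAccess", "DestIP")]},
}

Alert = namedtuple("Alert", "id type attrs begin end")  # begin/end: constructed timestamps (s)

def instantiate(alert, predicates):
    """Bind a predicate's attribute names to this alert's attribute values."""
    return {(p[0],) + tuple(alert.attrs[a] for a in p[1:]) for p in predicates}

def correlate(alerts):
    """Return edges (earlier_id, later_id, predicate): a prepares for b when one consequence
    of a equals one prerequisite of b (a partial match suffices) and a ends before b begins."""
    edges = []
    for a in alerts:
        post = instantiate(a, ALERT_TYPES[a.type]["post"])
        for b in alerts:
            if a is b or a.end >= b.begin:
                continue
            pre = instantiate(b, ALERT_TYPES[b.type]["pre"])
            edges += [(a.id, b.id, p) for p in sorted(post & pre, key=str)]
    return edges

def scenarios(alerts):
    """Attack scenarios = connected components of the correlation graph (union-find)."""
    parent = {a.id: a.id for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for src, dst, _ in correlate(alerts):
        parent[find(src)] = find(dst)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a.id)
    return sorted(sorted(g) for g in groups.values())

SAMPLE = [  # constructed alert stream; alert 5 is an unrelated probe that should stay isolated
    Alert(1, "IP_Sweep", {"SrcIP": "10.0.0.9", "DestIP": "10.0.1.5"}, 0, 5),
    Alert(2, "Service_Probe", {"SrcIP": "10.0.0.9", "DestIP": "10.0.1.5", "DestPort": 111}, 10, 11),
    Alert(3, "Service_Overflow", {"SrcIP": "10.0.0.9", "DestIP": "10.0.1.5", "DestPort": 111}, 20, 21),
    Alert(4, "Remote_Shell", {"SrcIP": "10.0.1.5", "DestIP": "10.0.1.7"}, 30, 31),
    Alert(5, "Service_Probe", {"SrcIP": "10.0.2.2", "DestIP": "10.0.3.3", "DestPort": 80}, 15, 16),
]
```

Running `scenarios(SAMPLE)` groups alerts 1 to 4 into one scenario (sweep, probe, overflow, then a shell from the compromised host) and leaves alert 5 alone, which is how a correlation-based view separates a coherent attack from isolated noise.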