ANSS '06 Proceedings of the 39th annual Symposium on Simulation
Information Assurance: Dependability and Security in Networked Systems
Real-Time Alert Correlation with Type Graphs
ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts
Computer Communications
Towards identifying true threat from network security data
PAISI'07 Proceedings of the 2007 Pacific Asia conference on Intelligence and security informatics
Algebra for capability based attack correlation
WISTP'08 Proceedings of the 2nd IFIP WG 11.2 international conference on Information security theory and practices: smart devices, convergence and next generation networks
Proposing a multi-touch interface for intrusion detection environments
Proceedings of the Seventh International Symposium on Visualization for Cyber Security
NPSEC'05 Proceedings of the First international conference on Secure network protocols
Computer Networks: The International Journal of Computer and Telecommunications Networking
Alert correlation in collaborative intelligent intrusion detection systems-A survey
Applied Soft Computing
Requirements of information reductions for cooperating intrusion detection agents
ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
Complementary security systems are widely deployed in networks to protect digital assets. Alert correlation is essential to understanding the security threats and taking appropriate actions. This paper proposes a novel correlation approach based on triggering events and common resources. One of the key concepts in our approach is triggering events, which are the (low-level) events that trigger alerts. By grouping alerts that share "similar" triggering events, a set of alerts can be partitioned into different clusters such that the alerts in the same cluster may correspond to the same attack. Our approach further examines whether the alerts in each cluster are consistent with relevant network and host configurations, which helps analysts to partially identify the severity of alerts and clusters. The other key concept in our approach is input and output resources. Intuitively, input resources are the resources necessary for an attack to succeed, and output resources are the resources that an attack supplies if successful. This paper proposes to model each attack by specifying its input and output resources. By identifying the "common" resources between the output resources of one attack and the input resources of another, it discovers causal relationships between alert clusters and builds attack scenarios. The experimental results demonstrate the usefulness of the proposed techniques.