Alert Correlation through Triggering Events and Common Resources

Authors:
Dingbang Xu;Peng Ning
Affiliations:
North Carolina State University, Raleigh, NC;North Carolina State University, Raleigh, NC
Venue:
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Year:
2004

Citing 0
Cited 13

Design and Analysis of an Adaptive, Global Strategy for Detecting and Mitigating Distributed DoS Attacks in GRID Environments

ANSS '06 Proceedings of the 39th annual Symposium on Simulation
On the Design and Performance of an Adaptive, Global Strategy for Detecting and Mitigating Distributed DoS Attacks in GRID and Collaborative Workflow Environments

Simulation
Information Assurance: Dependability and Security in Networked Systems

Information Assurance: Dependability and Security in Networked Systems
High level information fusion for tracking and projection of multistage cyber attacks

Information Fusion
Real-Time Alert Correlation with Type Graphs

ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts

Computer Communications
Towards identifying true threat from network security data

PAISI'07 Proceedings of the 2007 Pacific Asia conference on Intelligence and security informatics
Algebra for capability based attack correlation

WISTP'08 Proceedings of the 2nd IFIP WG 11.2 international conference on Information security theory and practices: smart devices, convergence and next generation networks
Proposing a multi-touch interface for intrusion detection environments

Proceedings of the Seventh International Symposium on Visualization for Cyber Security
The attackers' potential influence on the tactical assessments produced by standard alert correlation systems

NPSEC'05 Proceedings of the First international conference on Secure network protocols
A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs

Computer Networks: The International Journal of Computer and Telecommunications Networking
Alert correlation in collaborative intelligent intrusion detection systems-A survey

Applied Soft Computing
Requirements of information reductions for cooperating intrusion detection agents

ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Complementary security systems are widely deployed in networks to protect digital assets.Alert correlation is essential to understanding the security threats and taking appropriate actions.This paper proposes a novel correlation approach based on triggering events and common resources. One of the key concepts in our approach is triggering events, whicha re the (low-level) events that trigger alerts.By grouping alerts that share "similar" triggering events, a set of alerts can be partitioned into different clusters such that the alerts in the same cluster may correspond to the same attack.Our approach further examines whether the alerts in each cluster are consistent with relevant network and host configurations, which help analysts to partially identify the severity of alerts and clusters.The other key concept in our approach is input and output resources. Intuitively, input resources are the necessary resources for an attack to succeed, and output resources are the resources that an attack supplies if successful.This paper proposes to model each attack through sopecifying input and output resources. By identifying the "common" resources between output resources of one attack and input resources of another, it discovers causal relationships between alert clusters and builds attack scenarios.The experimental results demonstrate the usefulness of the proposed techniques.