
Modeling network intrusion detection alerts for correlation

Published: 01 February 2007

Abstract

Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts for low-level security-related events. Many of these alerts logically belong to a single multistage intrusion incident, and a security officer usually wants to analyze the complete incident rather than each individual alert. This paper proposes a well-structured model that abstracts the logical relations between alerts in order to support automatic correlation of the alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability. We use capabilities to abstract, consistently and precisely, every level of access the attacker obtains in each step of a multistage intrusion. We then derive inference rules that define the logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator. Experimental results from running the correlator on several intrusion datasets show that the approach is effective in both alert fusion and alert correlation and can correlate the alerts of complex multistage intrusions. In several instances, the alert correlator correlated more than two thousand Snort alerts belonging to massive scanning incidents. It also helped us find two multistage intrusions that the security officers had missed during auditing.
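The fusion-then-correlation idea in the abstract, as an added illustration that is not the paper's model or prototype: a constructed knowledge base gives each signature a set of capabilities the attacker must already hold (requires) and a set gained on success (provides). Capabilities here are plain (name, attacker, victim) tuples, a deliberate simplification of the paper's capability formulas and inference rules. Repeated alerts are fused into one record with a count, and an alert is linked to an earlier alert whose provided capability it requires; connected alerts form one incident. All alerts and signature names below are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


# Constructed, Snort-like alert records (timestamp, signature, source, destination, dest port).
# These are invented samples, not records from the paper's evaluation datasets.
@dataclass(frozen=True)
class Alert:
    ts: int
    sig: str
    src: str
    dst: str
    dport: int


# A capability is (name, attacker, victim): the attacker at `attacker` holds `name` on `victim`.
Capability = Tuple[str, str, str]

# Hypothetical signature knowledge base: (requires, provides) per signature.
# Placeholder capability names; the paper's capability formulas are richer than this.
KB: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = {
    "SCAN portscan":        (frozenset(),                   frozenset({"knows_services"})),
    "FTP server overflow":  (frozenset({"knows_services"}), frozenset({"root_shell"})),
    "DDOS agent install":   (frozenset({"root_shell"}),     frozenset({"ddos_agent"})),
    "ICMP ping":            (frozenset(),                   frozenset()),  # yields no capability
}


def fuse(alerts: List[Alert], window: int = 60) -> List[Tuple[Alert, int]]:
    """Alert fusion: collapse repeated (sig, src, dst) alerts that start within `window`
    seconds of the group's first alert into one representative alert plus a count."""
    fused: List[Tuple[Alert, int]] = []
    last: Dict[Tuple[str, str, str], int] = {}  # (sig, src, dst) -> index into fused
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst)
        i = last.get(key)
        if i is not None and a.ts - fused[i][0].ts <= window:
            fused[i] = (fused[i][0], fused[i][1] + 1)
        else:
            last[key] = len(fused)
            fused.append((a, 1))
    return fused


def requires(a: Alert) -> Set[Capability]:
    req, _ = KB.get(a.sig, (frozenset(), frozenset()))
    return {(c, a.src, a.dst) for c in req}


def provides(a: Alert) -> Set[Capability]:
    _, prov = KB.get(a.sig, (frozenset(), frozenset()))
    return {(c, a.src, a.dst) for c in prov}


def correlate(fused: List[Tuple[Alert, int]]) -> List[Tuple[int, int]]:
    """Link fused alert j to the earliest fused alert i that provided a capability j requires.
    Returns (i, j) edges; an alert whose prerequisites were never observed stays unlinked."""
    edges: List[Tuple[int, int]] = []
    held: Dict[Capability, int] = {}  # capability -> index of the alert that first provided it
    for j, (b, _) in enumerate(fused):
        for cap in requires(b):
            if cap in held:
                edges.append((held[cap], j))
        for cap in provides(b):
            held.setdefault(cap, j)
    return edges


def incidents(fused: List[Tuple[Alert, int]], edges: List[Tuple[int, int]]) -> List[List[int]]:
    """Group linked alerts into incidents (connected components); singletons are dropped."""
    parent = list(range(len(fused)))

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, j in edges:
        parent[find(i)] = find(j)
    groups: Dict[int, List[int]] = defaultdict(list)
    for i in range(len(fused)):
        groups[find(i)].append(i)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def analyze(alerts: List[Alert]) -> dict:
    fused = fuse(alerts)
    edges = correlate(fused)
    return {"fused": fused, "edges": edges, "incidents": incidents(fused, edges)}


# Constructed sample: 50 scan alerts, an overflow, an agent install by the same attacker,
# then an agent install from a second host for which no shell was ever observed.
SAMPLE: List[Alert] = (
    [Alert(100 + i, "SCAN portscan", "10.0.0.5", "192.168.1.20", 1000 + i) for i in range(50)]
    + [Alert(400, "FTP server overflow", "10.0.0.5", "192.168.1.20", 21),
       Alert(450, "DDOS agent install", "10.0.0.5", "192.168.1.20", 21),
       Alert(460, "ICMP ping", "10.0.0.9", "192.168.1.30", 0),
       Alert(470, "DDOS agent install", "10.0.0.9", "192.168.1.30", 21)]
)

if __name__ == "__main__":
    result = analyze(SAMPLE)
    for group in result["incidents"]:
        print("incident:", [(result["fused"][i][0].sig, result["fused"][i][1]) for i in group])
```

On the constructed input the 50 scan alerts fuse into one record with count 50, the overflow links to the scan through `knows_services` and the agent install links to the overflow through `root_shell`, giving one three-step incident; the second agent install has no observed prerequisite and is left unlinked, which is exactly the kind of gap an analyst would want surfaced rather than silently merged.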




Published In

ACM Transactions on Information and System Security, Volume 10, Issue 1 (February 2007), 106 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1210263
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. alert correlation
  2. alert fusion
  3. capability
  4. intrusion detection

Cited By

  • (2024) A Deep Learning Approach for the Detection of Intrusions with an Ensemble Feature Selection Method. SN Computer Science 5:7. DOI: 10.1007/s42979-024-03288-0. Online publication date: 1 Oct 2024.
  • (2024) Measurement of optical fiber sensors for intrusion detection and warning systems fortified with intelligent false alarm suppression. Optical and Quantum Electronics 56:6. DOI: 10.1007/s11082-024-06797-7. Online publication date: 17 Apr 2024.
  • (2022) BlackEye: automatic IP blacklisting using machine learning from security logs. Wireless Networks 28:2, 937-948. DOI: 10.1007/s11276-019-02201-5. Online publication date: 1 Feb 2022.
  • (2021) Generate Signature for Polymorphic Worm: A Real-Time Honeypot Approach. Proceedings of 6th International Conference on Recent Trends in Computing, 269-280. DOI: 10.1007/978-981-33-4501-0_26. Online publication date: 21 Apr 2021.
  • (2020) HAL-RD. Proceedings of the 35th Annual ACM Symposium on Applied Computing, 1726-1735. DOI: 10.1145/3341105.3373911. Online publication date: 30 Mar 2020.
  • (2020) A Social Crowdsourcing Community Case Study: Interaction Patterns, Evolution, and Factors That Affect Them. IEEE Transactions on Computational Social Systems 7:3, 659-671. DOI: 10.1109/TCSS.2020.2981608. Online publication date: Jun 2020.
  • (2018) A systematic survey on multi-step attack detection. Computers & Security 76, 214-249. DOI: 10.1016/j.cose.2018.03.001. Online publication date: Jul 2018.
  • (2017) Empirical Analysis and Validation of Security Alerts Filtering Techniques. IEEE Transactions on Dependable and Secure Computing. DOI: 10.1109/TDSC.2017.2714164. Online publication date: 2017.
  • (2017) A multi-step attack-correlation method with privacy protection. Journal of Communications and Information Networks 1:4, 133-142. DOI: 10.1007/BF03391586. Online publication date: 27 Apr 2017.
  • (2016) A privacy-preserving multi-step attack correlation algorithm. 2016 IEEE Advanced Information Management, Communicates, Electronic and Automation Control Conference (IMCEC), 1389-1393. DOI: 10.1109/IMCEC.2016.7867441. Online publication date: Oct 2016.