ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Modeling network intrusion detection alerts for correlation
Full text PdfPdf (287 KB)
Source
ACM Transactions on Information and System Security (TISSEC) archive
Volume 10 ,  Issue 1  (February 2007) table of contents
Article No. 4  
Year of Publication: 2007
ISSN:1094-9224
Authors
Jingmin Zhou  University of California, Davis, CA
Mark Heckman  Promia, Inc., Davis, CA
Brennen Reynolds  Promia, Inc., Davis, CA
Adam Carlson  University of California, Davis, CA
Matt Bishop  University of California, Davis, CA
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 48,   Downloads (12 Months): 723,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
Save this Article to a Binder    Display Formats: BibTex  EndNote ACM Ref   
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1210263.1210267
What is a DOI?

ABSTRACT

Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability. We use capability to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator. The experimental results of the correlator using several intrusion datasets demonstrate that the approach is effective in both alert fusion and alert correlation and has the ability to correlate alerts of complex multistage intrusions. In several instances, the alert correlator successfully correlated more than two thousand Snort alerts involved in massive scanning incidents. It also helped us find two multistage intrusions that were missed in auditing by the security officers.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., and Stoner, E. 1999. State of the Practice of Intrusion Detection Technologies. Tech. Rep. CMU/SEI-99-TR-028, Software Engineering Institute, Carnegie Mellon University. Jan.)
 
2
Anderson, J. P. 1980. Computer Security Threat Monitoring and Surveillance. James P. Anderson Co.
 
3
Bass, T. 1999. Multisensor data fusion for next generation distributed intrusion detection systems. In Proceedings of the IRIS National Symposium on Sensor and Data Fusion.
4
Tim Bass, Intrusion detection systems and multisensor data fusion, Communications of the ACM, v.43 n.4, p.99-105, April 2000  [doi>10.1145/332051.332079]
 
5
CERT. 2001. Advisory CA-2001-19 Code Red worm exploiting buffer overflow in IIS indexing service DLL.
 
6
Cheung, S., Lindqvist, U., and Fong, M. W. 2003. Modeling multistep cyber attacks for scenario recognition. In Proceedings of the DARPA Information Survivability Conference and Exposition. Washington, D.C.
 
7
Cisco Systems Inc. Cisco intrusion prevention alert center, http://www.cisco.com/pcgi-bin/front.x/ipsalerts/ipsalertsHome.pl.
 
8
Thomas H. Cormen , Clifford Stein , Ronald L. Rivest , Charles E. Leiserson, Introduction to Algorithms, McGraw-Hill Higher Education, 2001
 
9
Cui, Y. 2002. A toolkit for intrusion alerts correlation based on prerequisites and consequences of attacks. M. S. thesis, North Carolina State University, Department of Computer Science.
 
10
Frédéric Cuppens , Alexandre Miège, Alert Correlation in a Cooperative Intrusion Detection Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.202, May 12-15, 2002
 
11
Cuppens, F., Autrel, F., Miège, A., and Benherfat, S. 2002. Correlation in an intrusion detection process. In Proceedings of the SECI02 Workshop.
 
12
Hervé Debar , Andreas Wespi, Aggregation and Correlation of Intrusion-Detection Alerts, Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, p.85-103, October 10-12, 2001
 
13
Dorothy E. Denning, An Intrusion-Detection Model, IEEE Transactions on Software Engineering, v.13 n.2, p.222-232, February 1987  [doi>10.1109/TSE.1987.232894]
 
14
Dittrich, D., Weaver, G., Dietrich, S., and Long, N. 2000. The mstream distributed denial of service attack tool. http://staff.washington.edu/dittrich/misc/mstream.analysis.txt.
 
15
Steven T. Eckmann , Giovanni Vigna , Richard A. Kemmerer, STATL: an attack language for state-based intrusion detection, Journal of Computer Security, v.10 n.1-2, p.71-103, 2002
 
16
John Douglas Howard, An analysis of security incidents on the Internet 1989-1995, Carnegie Mellon University, Pittsburgh, PA, 1998
 
17
Internet Security Systems (ISS). X-force database, http://xforce.iss.net/xforce/search.php.
 
18
J. Lin , X. Wang , S. Jajodia, Abstraction-Based Misuse Detection: High-Level Specifications and Adaptable Strategies, Proceedings of the 11th IEEE workshop on Computer Security Foundations, p.190, June 09-11, 1998
 
19
Lippmann, R. P., Webster, S. E., and Stetson, D. 2002. The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection.
 
20
MIT Lincoln Lab. 2000. DARPA 2000 intrusion detection evaluation datasets. http://ideval.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html.
 
21
Morin, B., Mé, L., Debar, H., and Ducasse, M. 2002. M2d2: a formal data model for ids alert correlation. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection, Zurich, Switzerland.
22
Peng Ning , Yun Cui , Douglas S. Reeves , Dingbang Xu, Techniques and tools for analyzing intrusion alerts, ACM Transactions on Information and System Security (TISSEC), v.7 n.2, p.274-318, May 2004  [doi>10.1145/996943.996947]
 
23
Jean-Philippe Pouzol , Mireille Ducassé, Formal Specification of Intrusion Signatures and Detection Rules, Proceedings of the 15th IEEE workshop on Computer Security Foundations, p.64, June 24-26, 2002
 
24
Purczynski, W. and Niewiadomski, J. 2003. wu-ftpd fb_realpath() off-by-one bug. http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt.
 
25
Ristenpart, T., Templeton, S., and Bishop, M. 2004. Time synchronization of aggregated heterogeneous logs. In Proceedings of the Student Workshop on Computing, Department of Computer Science, University of California, Davis, CA.
 
26
Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
 
27
SecurityFocus. 2004. Vulnerability database. http://www.securityfocus.com/bid.
 
28
Oleg Sheyner , Joshua Haines , Somesh Jha , Richard Lippmann , Jeannette M. Wing, Automated Generation and Analysis of Attack Graphs, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.273, May 12-15, 2002
 
29
Snort Inline. http://snort-inline.sourceforge.net/.
 
30
Tcpdump and Libpcap. http://www.tcpdump.org/.
31
Steven J. Templeton , Karl Levitt, A requires/provides model for computer attacks, Proceedings of the 2000 workshop on New security paradigms, p.31-38, September 18-21, 2000, Ballycotton, County Cork, Ireland  [doi>10.1145/366173.366187]
 
32
The Honeypot Project. 2001. Know your enemy: Revealing the security tools, tactics, and motives of the blackhat community. http://www.honeynet.org.
 
33
The OpenSSL Project. 2002. OpenSSL security advisory {30 July 2002}. http://www.openssl.org/news/secadv_20020730.txt.
 
34
Alfonso Valdes , Keith Skinner, Probabilistic Alert Correlation, Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, p.54-68, October 10-12, 2001
 
35
Jingmin Zhou , Adam J. Carlson , Matt Bishop, Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis, Proceedings of the 21st Annual Computer Security Applications Conference, p.117-126, December 05-09, 2005  [doi>10.1109/CSAC.2005.62]

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.2 Design Tools and Techniques
          Subjects: Object-oriented design methods

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.2 Design Tools and Techniques
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Access controls


General Terms:
Algorithms, Design, Security


Keywords:
Alert correlation, alert fusion, capability, intrusion detection

Collaborative Colleagues:
Jingmin Zhou: colleagues
Mark Heckman: colleagues
Brennen Reynolds: colleagues
Adam Carlson: colleagues
Matt Bishop: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2008 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player