
VALI: A Visual Correlation Tool Based on Vector Clocks

  • Conference paper
Open Source Software for Digital Forensics

Abstract

Systems that detect suspicious or malicious activity are a fundamental component of every organization's security process. They generate alerts that correspond to individual events, and in general they do not show the relationships between those events. Security data must be examined in its overall context to understand what is actually happening in our systems. In this work we present a correlation model based on the concept of vector clocks, together with a tool that implements it. Security analysts can use the tool to generate graphs showing the relationships between reported events, and possibly to discover previously unknown attack patterns.
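The abstract describes the mechanism only at a high level: alerts from several sensors are stamped with vector clocks, the happens-before relation between the clocks gives the causal structure, and that structure is drawn as a graph. The following is an added illustration written for this page, not VALI's own code: it stamps a constructed stream of alerts from three sensors (`gw`, `web01`, `db01`, all assumed names) with vector clocks, derives the transitive reduction of happens-before, and emits Graphviz DOT. The `caused_by` field, which says an alert was raised in reaction to an earlier one (the "message receive" event of the vector-clock model), is an assumption standing in for whatever linking rule the tool applies.

```python
"""Vector-clock correlation of IDS alerts, rendered as a Graphviz graph.

Added example for illustration; it is not VALI's code. The alert stream,
sensor names and the caused_by linking rule are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    id: str
    sensor: str                         # host or IDS instance that raised the alert
    msg: str
    caused_by: Optional[str] = None     # assumed: id of the earlier alert this one reacts to
    clock: dict = field(default_factory=dict)


def assign_vector_clocks(alerts):
    """Stamp each alert with a vector clock holding one component per sensor.

    Fidge/Mattern rules: an alert increments its own sensor's component; an
    alert with a known cause first merges (component-wise max) the cause's
    clock, then increments. Alerts are processed in arrival order, so a cause
    must appear before its effect in the input.
    """
    by_id = {}
    latest = {}   # sensor -> clock of that sensor's most recent alert
    for a in alerts:
        clock = dict(latest.get(a.sensor, {}))
        if a.caused_by is not None:
            for s, v in by_id[a.caused_by].clock.items():
                clock[s] = max(clock.get(s, 0), v)
        clock[a.sensor] = clock.get(a.sensor, 0) + 1
        a.clock = clock
        latest[a.sensor] = clock
        by_id[a.id] = a
    return by_id


def happens_before(c1, c2):
    """True iff c1 < c2: every component <= and at least one strictly <."""
    keys = set(c1) | set(c2)
    return (all(c1.get(k, 0) <= c2.get(k, 0) for k in keys)
            and any(c1.get(k, 0) < c2.get(k, 0) for k in keys))


def concurrent(c1, c2):
    """Neither clock precedes the other: the data supports no causal order."""
    return not happens_before(c1, c2) and not happens_before(c2, c1)


def causal_edges(alerts):
    """Transitive reduction of happens-before: keep a->b only when no other
    alert lies causally between them, so the drawn graph stays readable."""
    edges = set()
    for a in alerts:
        for b in alerts:
            if a is b or not happens_before(a.clock, b.clock):
                continue
            between = any(
                happens_before(a.clock, c.clock) and happens_before(c.clock, b.clock)
                for c in alerts if c is not a and c is not b)
            if not between:
                edges.add((a.id, b.id))
    return edges


def to_dot(alerts, edges):
    """Emit a Graphviz DOT digraph with each node labelled by its vector clock."""
    lines = ["digraph alerts {", "  rankdir=LR;"]
    for a in alerts:
        vec = ",".join(f"{k}:{v}" for k, v in sorted(a.clock.items()))
        lines.append(f'  {a.id} [label="{a.sensor}: {a.msg}\\n[{vec}]"];')
    for src, dst in sorted(edges):
        lines.append(f"  {src} -> {dst};")
    lines.append("}")
    return "\n".join(lines)


# Constructed alert stream in arrival order. Wall-clock timestamps are left out
# on purpose: the ordering comes from causality, not from possibly skewed host clocks.
SAMPLE = [
    Alert("a1", "gw",    "portscan from 10.0.0.5"),
    Alert("a2", "gw",    "ssh 10.0.0.5 -> web01"),
    Alert("a3", "web01", "failed root login", caused_by="a2"),
    Alert("a4", "web01", "successful root login"),
    Alert("a5", "db01",  "new listener on tcp/4444"),
    Alert("a6", "db01",  "inbound connection from web01", caused_by="a4"),
]


def correlate(alerts=SAMPLE):
    """Stamp, reduce and render; returns (edge set, DOT text)."""
    assign_vector_clocks(alerts)
    edges = causal_edges(alerts)
    return edges, to_dot(alerts, edges)


if __name__ == "__main__":
    print(correlate()[1])   # pipe into: dot -Tpng -o alerts.png
```

Two properties of the output are worth noticing. The listener on `db01` (`a5`) is concurrent with everything on `web01`: the clocks say nothing about whether it was planted before or after the root login, and the graph shows it as a separate branch joining only at `a6`, rather than forcing a false order from timestamps. And the edge set is the transitive reduction, so `a1 -> a6` is not drawn even though `a1` causally precedes `a6`; the path through `a2`, `a3`, `a4` already carries that information.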



Author information

Corresponding author

Correspondence to Roberto Gomez .


Copyright information

© 2010 Springer Science+Business Media, LLC

About this paper

Cite this paper

Gomez, R., Rojas, J.C., Mata, E. (2010). VALI: A Visual Correlation Tool Based on Vector Clocks. In: Huebner, E., Zanero, S. (eds) Open Source Software for Digital Forensics. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-5803-7_6


  • DOI: https://doi.org/10.1007/978-1-4419-5803-7_6


  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-5802-0

  • Online ISBN: 978-1-4419-5803-7

  • eBook Packages: Computer Science (R0)
