Skip to main content
SpringerLink
Log in

Statistical Causality Analysis of Infosec Alert Data

  • Chapter
Managing Cyber Threats

Part of the book series: Massive Computing ((MACO,volume 5))

Abstract

With the increasingly widespread deployment of security mechanisms, such as firewalls, intrusion detection systems (IDSs), antiviras software and authentication services, the problem of alert analysis has become very important. The large amount of alerts can overwhelm security administrators and prevent them from adequately understanding and analyzing the security state of the network, and initiating appropriate response in a timely fashion. Recently, several approaches for alert correlation and attack scenario analysis have been proposed. However, these approaches all have limited capabilities in detecting new attack scenarios. In this paper, we study the problem of security alert correlation with an emphasis on attack scenario analysis. In our framework, we use clustering techniques to process low-level alert data into high-level aggregated alerts, and conduct causal analysis based on statistical tests to discover new relationships among attacks. Our statistical causality approach complements other approaches that use hard-coded prior knowledge for pattern matching. We perform a series of experiments to validate our method using DARPA’s Grand Challenge Problem (GCP) datasets, the 2000 DARPA Intrusion Detection Scenario datasets, and the DEF CON 9 datasets. The results show that our approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 129.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 169.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. J. B. D. Cabrera, L. Lewis, X. Qin, W. Lee, R. K. Prasanth, B. Ravichandran, and R. K. Mehra. Proactive detection of distributed denial of service attacks using mib traffic variables-a feasibility study. In Proceedings of IFIP/IEEE International Symposium on Integrated Network Management (IM 2001), May 2001.

    Google Scholar 

  2. J. B. D. Cabrera and R. K. Mehra. Extracting precursor rules from time series-a classical statistical viewpoint. In Proceedings of the Second SIAM International Conference on Data Mining, pages 213–228, Arlington VA,USA, April 2002.

    Google Scholar 

  3. J.B.D. Cabrera, L. Lewis, X. Qin, W. Lee, and R.K. Mehra. Proactive intrusion detection and distributed denial of service attacks-a case study in security management. Journal of Network and Systems Management, vol. 10 (no. 2), June 2002.

    Google Scholar 

  4. S. Cheung, U. Lindqvist, and M. W. Fong. Modeling multistep cyber attacks for scenario recognition. In Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX III), Washington, D.C., April 2003.

    Google Scholar 

  5. F. Cuppens and A. Miège. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 202–215, Oakland, CA, May 2002.

    Google Scholar 

  6. DAPRA Cyber Panel Program. DARPA cyber panel program grand challenge problem (GCP). http://ia.dc.teknowledge.com/CyP/GCP/, 2003.

    Google Scholar 

  7. H. Debar and A. Wespi. The intrusion-detection console correlation mechanism. In 4th International Symposium on Recent Advances in Intrusion Detection (RAID), October 2001.

    Google Scholar 

  8. DEFCON. Def con capture the flag (ctf) contest. http://www.defcon.org. Archive accessible at http://wi2600.org/mediawhore/mirrors/shmoo/, 2000.

    Google Scholar 

  9. DEFCON. Def con capture the flag (ctf) contest, http://www.defcon.org. Archive accessible at http://smokeping.planetmirror.com/pub/cctf/defcon9/, 2001.

    Google Scholar 

  10. R.P. Goldman, W. Heimerdinger, and S. A. Harp. Information modleing for intrusion report aggregation. In DARPA Information Survivability Conference and Exposition (DISCEX II), June 2001.

    Google Scholar 

  11. C.W.J. Granger. Investigating causal relations by econometric methods and cross-spectral methods. Econometrica, 34:424–428, 1969.

    Google Scholar 

  12. IETF Intrusion Detection Working Group. Intrusion detection message exchange format. http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-09.txt, 2002.

    Google Scholar 

  13. J. Haines, D. K. Ryder, L. Tinnel, and S. Taylor. Validation of sensor alert correlators. IEEE Security & Privacy Magazine, January/February, 2003.

    Google Scholar 

  14. J. Hamilton. Time Series Analysis. Princeton University Press, 1994.

    Google Scholar 

  15. A.J. Hayter. Probability and Statistics for Engineers and Scientists. Duxbury Press, 2002.

    Google Scholar 

  16. G. Jakobson and M. D. Weissman. Alarm correlation. IEEE Network Magazine, November 1993.

    Google Scholar 

  17. K. Julisch and M. Dacier. Mining intrusion detection alarms for actionable knowledge. In The 8th ACM International Conference on Knowledge Discovery and Data Mining, July 2002.

    Google Scholar 

  18. S. Kliger, S. Yemini, Y. Yemini, D. Oshie, and S. Stolfo. A coding approach to event correlations. In Proceedings of the 6th IFIF’/IEEE International Symposium on Integrated Network Management, May 1995.

    Google Scholar 

  19. L. Lewis. A case-based reasoning approach to the management of faults in communication networks. In Proceedings of the IEEE INFOCOM, 1993.

    Google Scholar 

  20. G.M. Ljung and G.E.P. Box. On a measure of lack of fit in time series models. In Biometrika 65, pages 297–303, 1978.

    Article  Google Scholar 

  21. MIT Lincoln Lab. 2000 DARPA intrusion detection scenario specific datasets. http://www.ll.mit.edu/IST/ideval/data/2000/2000-data-index.html, 2000.

    Google Scholar 

  22. P. Ning, Y. Cui, and D.S. Reeves. Analyzing intensive intrusion alerts via correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), October 2002.

    Google Scholar 

  23. P. Ning, Y. Cui, and D.S. Reeves. Constructing attack scenarios through correlation of intrusion alerts. In 9th ACM Conference on Computer and Communications Security, November 2002.

    Google Scholar 

  24. Y. A. Nygate. Event correlation using rule and object based techniques. In Proceedings of the 6th IFIP/IEEE International Symposium on Integrated Network Management, May 1995.

    Google Scholar 

  25. J. Pearl. Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. Morgan Kaufmann Publishers, Inc, 1988.

    Google Scholar 

  26. P. A. Porras, M. W. Fong, and A. Valdes. A Mission-Impact-Based approach to INFOSEC alarm correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), October 2002.

    Google Scholar 

  27. Snort. http://www.snort.org.

    Google Scholar 

  28. W. Stallings. SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley, 1999.

    Google Scholar 

  29. A. Valdes and K. Skinner. Probabilistic alert correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID), October 2001.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. College of Computing, Georgia Institute of Technology, USA

    Wenke Lee & Xinzhou Qin

Authors
  1. Wenke Lee
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Xinzhou Qin
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. University of Minnesota, USA

    Vipin Kumar , Jaideep Srivastava  & Aleksandar Lazarevic ,  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2005 Springer Science+Business Media, Inc.

About this chapter

Cite this chapter

Lee, W., Qin, X. (2005). Statistical Causality Analysis of Infosec Alert Data. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds) Managing Cyber Threats. Massive Computing, vol 5. Springer, Boston, MA. https://doi.org/10.1007/0-387-24230-9_4

Download citation

  • DOI: https://doi.org/10.1007/0-387-24230-9_4

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-24226-2

  • Online ISBN: 978-0-387-24230-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation