
Toward Automated Intrusion Alert Analysis

Chapter in: Network Security

Abstract

Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies and raise alerts independently, even though there may be logical connections between them. Under intensive attacks, not only are true alerts mixed with false alerts, but the number of alerts also becomes unmanageable. As a result, it is difficult for human analysts or intrusion response systems to understand the alerts and take appropriate actions. It is therefore necessary to develop techniques that construct attack scenarios (i.e., the steps attackers use in their attacks) from alerts in order to facilitate intrusion analysis.



Corresponding author: Peng Ning.

Copyright information

© 2010 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

Ning, P., Xu, D. (2010). Toward Automated Intrusion Alert Analysis. In: Huang, SH., MacCallum, D., Du, DZ. (eds) Network Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-73821-5_8

  • DOI: https://doi.org/10.1007/978-0-387-73821-5_8

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-73820-8

  • Online ISBN: 978-0-387-73821-5
