Abstract
Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies and raise alerts independently, even though there may be logical connections between them. During intensive attacks, true alerts are mixed with false alerts, and the number of alerts becomes unmanageable. As a result, it is difficult for human analysts or automated intrusion response systems to understand the alerts and take appropriate actions. Techniques are therefore needed to construct attack scenarios (i.e., the sequence of steps an attacker takes) from the alerts in order to facilitate intrusion analysis.
© 2010 Springer Science+Business Media, LLC
Cite this chapter
Ning, P., Xu, D. (2010). Toward Automated Intrusion Alert Analysis. In: Huang, SH., MacCallum, D., Du, DZ. (eds) Network Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-73821-5_8
DOI: https://doi.org/10.1007/978-0-387-73821-5_8
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-73820-8
Online ISBN: 978-0-387-73821-5
eBook Packages: Computer Science (R0)