A Correlation Approach to Intrusion Detection

Conference paper, in: Mobile Lightweight Wireless Systems (Mobilight 2010)

Abstract

In this paper we discuss the limitations of current Intrusion Detection System technology and propose a hierarchical event correlation approach to overcome them. The proposed solution detects attack scenarios by collecting diverse information at several architectural levels, using distributed security probes; this information is then used to perform complex event correlation of intrusion symptoms. The escalation process from intrusion symptoms to the identified target and cause of the intrusion is driven by an ontology.



Copyright information

© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Ficco, M., Romano, L. (2010). A Correlation Approach to Intrusion Detection. In: Chatzimisios, P., Verikoukis, C., Santamaría, I., Laddomada, M., Hoffmann, O. (eds) Mobile Lightweight Wireless Systems. Mobilight 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 45. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16644-0_19

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-16644-0_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16643-3

  • Online ISBN: 978-3-642-16644-0

  • eBook Packages: Computer Science (R0)
