Algebra for Capability Based Attack Correlation

  • Navneet Kumar Pandey
  • S. K. Gupta
  • Shaveta Leekha
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5019)


Most existing intrusion detection systems (IDS) generate large numbers of alerts, many of which are false positives or non-relevant positives. Alert correlation techniques aim to aggregate and combine the outputs of one or more IDS into a concise and broad view of the security state of the network. A capability-based alert correlator uses the notion of capability to correlate IDS alerts, where a capability is the abstract view of an attack extracted from one or more IDS alerts. To make the correlation process semantically correct and systematic, the algebraic and set-theoretic properties of capabilities need to be identified. In this work, we identify the potential algebraic properties of capability in terms of operations, relations and inferences. These properties give better insight into the logical associations between capabilities, which helps in making the system modular. This paper also presents a variant of the correlation algorithm that uses these algebraic properties. To make these operations more realistic, the existing capability model is extended with a time-based notion that avoids temporal ambiguity between capability instances. The basic model and the proposed model are compared by demonstrating cases in which false positives caused by temporal ambiguity have been removed.
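The temporal-ambiguity point in the abstract, as an added illustration that is not the paper's own model or code: a minimal requires/provides style correlator in which a capability is a (source, target, property) triple stamped with the time of the alert that granted it. The basic model links any alert that provides a capability to any alert that requires it; the time-aware variant additionally rejects links where the providing alert was reported after the requiring one. The field names, the property vocabulary and the sample alerts are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed representation (not the paper's definitions): a capability is a property
# the attacker holds over a (source, target) pair, stamped with the reporting time.
@dataclass(frozen=True)
class Capability:
    source: str
    target: str
    prop: str      # e.g. "knows_service", "can_exec"
    time: float    # the time-based notion the paper adds to the basic model

@dataclass(frozen=True)
class Alert:
    aid: str
    source: str
    target: str
    requires: Tuple[str, ...]  # capabilities the attack step needs beforehand
    provides: Tuple[str, ...]  # capabilities it grants when it succeeds
    time: float

def capabilities_of(alert: Alert) -> List[Capability]:
    return [Capability(alert.source, alert.target, p, alert.time) for p in alert.provides]

def satisfies(cap: Capability, alert: Alert, time_aware: bool) -> bool:
    """True if cap meets one of alert's requirements on the same endpoints; the
    time-aware model also demands the capability was acquired before the step."""
    if cap.prop not in alert.requires or (cap.source, cap.target) != (alert.source, alert.target):
        return False
    return (not time_aware) or cap.time <= alert.time

def correlate(alerts: List[Alert], time_aware: bool) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) where `earlier` provides something `later` requires."""
    return [(a.aid, b.aid) for a in alerts for b in alerts
            if a.aid != b.aid and any(satisfies(c, b, time_aware) for c in capabilities_of(a))]

def temporal_false_positives(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """Links the basic (time-blind) model makes that the time-aware model rejects."""
    kept = set(correlate(alerts, time_aware=True))
    return [p for p in correlate(alerts, time_aware=False) if p not in kept]

# Constructed sample: two scans and one exploit against the same host. scan2 is
# reported after the exploit, so it cannot have been the step that enabled it.
SAMPLE_ALERTS = [
    Alert("scan1", "10.0.0.5", "10.0.0.9", (), ("knows_service",), time=50),
    Alert("scan2", "10.0.0.5", "10.0.0.9", (), ("knows_service",), time=200),
    Alert("exp1", "10.0.0.5", "10.0.0.9", ("knows_service",), ("can_exec",), time=100),
]
```

Running `temporal_false_positives(SAMPLE_ALERTS)` yields the single link scan2 to exp1, which only the time-blind model produces.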


Keywords: intrusion detection, capability model, attack scenario



Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Navneet Kumar Pandey (1)
  • S. K. Gupta (1)
  • Shaveta Leekha (1)
  1. Indian Institute of Technology Delhi, Delhi, India
