M2D2: A Formal Data Model for IDS Alert Correlation

Conference paper. Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2516).

Abstract

At present, alert correlation techniques do not make full use of the information that is available. We propose a data model for IDS alert correlation called M2D2. It supplies four types of information: the characteristics of the monitored information system, the vulnerabilities, the security tools used for monitoring, and the events observed. M2D2 is formally defined. As far as we know, no other formal model includes the vulnerability and alert parts of M2D2. Three examples of correlations are given; they are rigorously specified using the formal definition of M2D2. Unlike already published correlation methods, these examples use more than the events generated by security tools: they make use of many of the concepts formalized in M2D2.
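To make the abstract's point concrete, the following Python sketch (an added illustration written for this page, not the paper's formal model or code) keeps the four kinds of information M2D2 names as separate relations and then cross-references them. The hosts, products, vulnerability identifiers ("V-1", "V-2"), tool names and alerts are all constructed; the three correlations shown (relevance of an alert to its target, aggregation of alerts about the same host and vulnerability across tools, and detection blind spots) are illustrative choices, not the three correlations specified in the paper.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# All identifiers and data below are constructed for illustration.


@dataclass(frozen=True)
class Product:
    name: str
    version: str


@dataclass
class Host:                       # monitored information system
    name: str
    addresses: Set[str]
    products: Set[Product]


@dataclass
class Vulnerability:              # vulnerability information
    vuln_id: str
    affected: Set[Product]


@dataclass
class Tool:                       # security tool information
    name: str
    monitors: Set[str]            # host names in the tool's field of view
    detects: Set[str]             # vulnerability ids the tool has signatures for


@dataclass
class Alert:                      # observed event
    tool: str
    target_addr: str
    vuln_id: Optional[str]
    time: int                     # seconds since some epoch (constructed)


class Model:
    """Four relations plus the lookups the correlations need."""

    def __init__(self, hosts: List[Host], vulns: List[Vulnerability], tools: List[Tool]):
        self.hosts: Dict[str, Host] = {h.name: h for h in hosts}
        self.vulns: Dict[str, Vulnerability] = {v.vuln_id: v for v in vulns}
        self.tools: Dict[str, Tool] = {t.name: t for t in tools}
        self.addr_to_host = {a: h.name for h in hosts for a in h.addresses}

    def host_of(self, addr: str) -> Optional[str]:
        return self.addr_to_host.get(addr)

    def vulnerable_hosts(self, vuln_id: str) -> Set[str]:
        v = self.vulns[vuln_id]
        return {h.name for h in self.hosts.values() if h.products & v.affected}

    def classify(self, alert: Alert) -> str:
        """Correlation 1: does the referenced vulnerability apply to the target host?"""
        host = self.host_of(alert.target_addr)
        if host is None:
            return "unknown_target"
        if alert.vuln_id is None:
            return "no_vulnerability_reference"
        if alert.vuln_id not in self.vulns:
            return "unknown_vulnerability"
        return "relevant" if host in self.vulnerable_hosts(alert.vuln_id) else "not_applicable"

    def aggregate(self, alerts: List[Alert], window: int) -> List[List[Alert]]:
        """Correlation 2: group alerts on the same (host, vulnerability) that arrive
        within `window` seconds of the previous alert in the group, whatever tool raised them."""
        groups: List[List[Alert]] = []
        open_groups: Dict[Tuple[str, Optional[str]], List[Alert]] = {}
        for a in sorted(alerts, key=lambda x: x.time):
            key = (self.host_of(a.target_addr) or a.target_addr, a.vuln_id)
            g = open_groups.get(key)
            if g is not None and a.time - g[-1].time <= window:
                g.append(a)
            else:
                g = [a]
                groups.append(g)
                open_groups[key] = g
        return groups

    def blind_spots(self, vuln_id: str) -> Set[str]:
        """Correlation 3: hosts vulnerable to vuln_id that no tool able to detect it monitors."""
        covered: Set[str] = set()
        for t in self.tools.values():
            if vuln_id in t.detects:
                covered |= t.monitors
        return self.vulnerable_hosts(vuln_id) - covered


def build_example() -> Tuple[Model, List[Alert]]:
    """Constructed sample data: two hosts, two vulnerabilities, two tools, four alerts."""
    httpd, sqlsrv = Product("httpd", "1.3.0"), Product("sqlsrv", "2.0")
    model = Model(
        hosts=[Host("web1", {"10.0.0.10"}, {httpd}), Host("db1", {"10.0.0.20"}, {sqlsrv})],
        vulns=[Vulnerability("V-1", {httpd}), Vulnerability("V-2", {sqlsrv})],
        tools=[Tool("nids-a", {"web1", "db1"}, {"V-1"}), Tool("hids-web", {"web1"}, {"V-1"})],
    )
    alerts = [
        Alert("nids-a", "10.0.0.10", "V-1", 100),    # applies: web1 runs httpd 1.3.0
        Alert("hids-web", "10.0.0.10", "V-1", 105),  # same attack seen by a second tool
        Alert("nids-a", "10.0.0.20", "V-1", 110),    # db1 does not run httpd: not applicable
        Alert("nids-a", "10.0.0.99", "V-1", 120),    # address not in the inventory
    ]
    return model, alerts


if __name__ == "__main__":
    m, alerts = build_example()
    for a in alerts:
        print(a.tool, a.target_addr, a.vuln_id, "->", m.classify(a))
    print("groups:", [[a.tool for a in g] for g in m.aggregate(alerts, window=30)])
    print("blind spots for V-2:", m.blind_spots("V-2"))
```

The point the abstract makes shows up in `classify` and `blind_spots`: neither decision can be taken from the alert stream alone. The third alert is dismissed only because the host inventory says db1 does not run the affected product, and db1 is reported as a blind spot for V-2 only because the tool relation records which vulnerabilities each sensor can detect and which hosts it watches.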




Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Morin, B., Mé, L., Debar, H., Ducassé, M. (2002). M2D2: A Formal Data Model for IDS Alert Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_7

Download citation

  • DOI: https://doi.org/10.1007/3-540-36084-0_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1

  • eBook Packages: Springer Book Archive
