In this paper we discuss the limitations of current Intrusion Detection System technology and propose a hierarchical event correlation approach to overcome them. The proposed solution detects attack scenarios by collecting diverse information at several architectural levels through distributed security probes, and then using that information to perform complex event correlation of intrusion symptoms. The escalation process from intrusion symptoms to the identified target and cause of the intrusion is driven by an ontology.


detection fusion correlation 





Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2010

Authors and Affiliations

  • Massimo Ficco (1)
  • Luigi Romano (2)

  1. Dipartimento per le Tecnologie, Universita’ degli Studi di Napoli “Parthenope”, Centro Direzionale di Napoli, Italy
  2. Laboratorio ITeM, Consorzio Interuniversitario Nazionale per l’Informatica (CINI), Napoli, Italy
