
Enhanced Correlation in an Intrusion Detection Process

  • Conference paper
Computer Network Security (MMM-ACNS 2003)

Abstract

Generally, the intruder must perform several actions, organized in an intrusion scenario, to achieve his or her malicious objective. Actions are represented by their pre- and post-conditions, each a set of logical predicates or negations of predicates. The pre-conditions of an action are the conditions the system's state must satisfy before the action can be performed. The post-conditions are the effects of executing the action on the system's state.

When an intruder begins an intrusion, we can deduce from the alerts generated by IDSs, by correlating attacks, several possible scenarios that lead to multiple intrusion objectives. However, with no further analysis, we are not able to decide which of those possible scenarios are the most plausible. We propose in this paper to define an order over the possible scenarios by weighting the correlation relations between the successive attacks composing each scenario. These weights reflect to what extent executing some action A is necessary to execute some action B. We will see that, to be satisfactory, the comparison operator between two scenarios must satisfy some properties.
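As an added illustration (not code from the paper), the following Python models actions by pre/post-condition sets, weights the correlation relation A -> B by the fraction of B's pre-conditions that A's post-conditions establish, scores a scenario by the product of its link weights, and ranks the candidate scenarios that explain a constructed set of IDS alerts. The action model, the weighting rule and the product-based comparison are assumptions of this example; the paper's own comparison operator and the properties it must satisfy are not reproduced here.

```python
# Constructed toy action model (an assumption of this example, not the paper's):
# action -> (pre-conditions, post-conditions), each a set of predicates; a
# predicate prefixed with "not " would denote a negation.
ACTIONS = {
    "scan":    ({"reachable(h)"},          {"knows_services(h)"}),
    "exploit": ({"knows_services(h)"},     {"shell(h)", "admin(h)"}),
    "guess":   ({"reachable(h)"},          {"shell(h)"}),
    "exfil":   ({"shell(h)", "admin(h)"},  {"leaked(h)"}),
}

def correlation_weight(a, b):
    """Weight of the correlation relation A -> B: fraction of B's pre-conditions
    that A's post-conditions establish (assumption; 0 means not correlated)."""
    post_a, pre_b = ACTIONS[a][1], ACTIONS[b][0]
    return len(post_a & pre_b) / len(pre_b)

def scenario_weight(chain):
    """Plausibility of a scenario = product of its link weights (assumption)."""
    w = 1.0
    for a, b in zip(chain, chain[1:]):
        w *= correlation_weight(a, b)
    return w

def candidate_scenarios(alerts, objective):
    """Walk backwards from the objective through the observed alerts; a scenario
    is a chain that cannot be extended by another observed, correlated alert."""
    scenarios = []

    def extend(chain):
        preds = [a for a in alerts
                 if a not in chain and correlation_weight(a, chain[0]) > 0]
        if not preds:                      # maximal chain: keep it
            scenarios.append(chain)
        for a in preds:
            extend([a] + chain)

    extend([objective])
    return scenarios

def rank_scenarios(alerts, objective):
    """Order the possible scenarios from most to least plausible."""
    return sorted(candidate_scenarios(alerts, objective),
                  key=scenario_weight, reverse=True)

if __name__ == "__main__":
    alerts = ["guess", "exploit", "scan", "exfil"]   # constructed IDS alerts
    for chain in rank_scenarios(alerts, "exfil"):
        print(f"{scenario_weight(chain):.2f}  " + " -> ".join(chain))
```

With the constructed alerts, the scan -> exploit -> exfil chain scores 1.0 and the guess -> exfil chain 0.5, so the analyst is shown the fully supported scenario first.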




Copyright information

© 2003 Springer-Verlag Berlin Heidelberg


Cite this paper

Benferhat, S., Autrel, F., Cuppens, F. (2003). Enhanced Correlation in an Intrusion Detection Process. In: Gorodetsky, V., Popyack, L., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2003. Lecture Notes in Computer Science, vol 2776. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45215-7_13


  • DOI: https://doi.org/10.1007/978-3-540-45215-7_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40797-3

  • Online ISBN: 978-3-540-45215-7
