Skip to main content
SpringerLink
Log in

A Mission-Impact-Based Approach to INFOSEC Alarm Correlation

  • Conference paper
  • First Online:
Recent Advances in Intrusion Detection (RAID 2002)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2516))

Included in the following conference series:

Abstract

We describe a mission-impact-based approach to the analysis of security alerts produced by spatially distributed heterogeneous information security (INFOSEC) devices, such as firewalls, intrusion detection systems, authentication services, and antivirus software. The intent of this work is to deliver an automated capability to reduce the time and cost of managing multiple INFOSEC devices through a strategy of topology analysis, alert prioritization, and common attribute-based alert aggregation. Our efforts to date have led to the development of a prototype system called the EMERALD Mission Impact Intrusion Report Correlation System, or M-Correlator. M-Correlator is intended to provide analysts (at all experience levels) a powerful capability to automatically fuse together and isolate those INFOSEC alerts that represent the greatest threat to the health and security of their networks.

Supported by DARPA through Air Force Research Laboratory, contract F30602-99-C-0187.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. D’ Ambrosio, B, M. Takikawa, D. Upper, J. Fitzgerald, and S. Mahoney, “Security Situation Assessment and Response Evaluation,” Proceedings (DISCEX II) DARPA Information Survivability Conference and Exposition, Anaheim, CA, Vol. I, June 2001.

    Google Scholar 

  2. D.W. Baker, S.M. Christey, W.H. Hill, and D.E. Mann, “The Development of a Common Enumeration of Vulnerabilities and Exposures,” Proceedings of the Second International Workshop on Recent Advances in Intrusion Detection (RAID), September 1999.

    Google Scholar 

  3. Bugtraq. Security Focus Online. http://online.securityfocus.com/archive/1

  4. CERT Coordination Center. Cert/CC Advisories Carnegie Mellon, Software Engineering Institute. Online. http://www.cert.org/advisories/

  5. F. Cuppens, “Managing Alerts in a Multi-Intrusion Detection Environment,” Proceedings 17th Computer Security Applications Conference, New Orleans, LA, December 2001.

    Google Scholar 

  6. Common Vulnerabilities and Exposures. The MITRE Corporation. http://cve.mitre.org/

  7. H. Debar and A. Wespi, “Aggregation and Correlation of Intrusion-Detection Alerts,” Proceedings 2001 International Workshop on Recent Advances in Intrusion Detection (RAID), Davis, CA, October 2001.

    Google Scholar 

  8. G. Vigna, R.A. Kemmerer, and P. Blix, “Designing a Web of Highly-Configurable Intrusion Detection Sensors,” Proceedings 2001 International Workshop on Recent Advances in Intrusion Detection (RAID), Davis, CA, October 2001. C.W. Geib and R.P Goldman, “Probabilistic Plan Recognition for Hostile Agents,” Proceedings of FLAIRS 2001 Special Session on Uncertainty-May 2001.

    Google Scholar 

  9. C. Kahn, P.A. Porras, S. Staniford-Chen, and B. Tung, “A Common Intrusion Detection Framework,” http://www.gidos.org.

  10. K. Kendall, “A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems,” Master’s Thesis, Massachusetts Institute of Technology, June 1999.

    Google Scholar 

  11. W. Lee, R.A. Nimbalkar, K.K. Yee, S.B. Patil, P.H. Desai, T.T. Tran, and S.J. Stolfo, “A Data Mining and CIDF-Based Approach for Detecting Novel and Distributed Intrusions”, Proceedings 2000 International Workshop on Recent Advances in Intrusion Detection (RAID), Toulouse, France, October 2000.

    Google Scholar 

  12. D. Levin, Y. Tenney, and H. Henri, “Issues in Human Interaction for Cyber Command and Control,” Proceedings (DISCEX II) DARPA Information Survivability Conference and Exposition, Anaheim, CA, Vol. I, June 2001.

    Google Scholar 

  13. U. Lindqvist and P.A. Porras, “eXpert-BSM: A Host-based Intrusion Detection Solution for Sun Solaris,” Proceedings 17th Computer Security Applications Conference, New Orleans, LA, December 2001.

    Google Scholar 

  14. U. Lindqvist, D. Moran, P.A. Porras, and M. Tyson, “Designing IDLE: The Intrusion Detection Library Enterprise,” Proceedings 1998 International Workshop on Recent Advances in Intrusion Detection (RAID), Louvain-la-Neuve, Belgium, September 1998.

    Google Scholar 

  15. NMAP Network Mapping tool. http://www.insecure.org/nmap/

  16. Pearl, J. “Probabilistic Reasoning in Intelligent Systems,” Morgan-Kaufmann (1988).

    Google Scholar 

  17. L. Perrochon, E. Jang, and D.C. Luckham.: Enlisting Event Patterns for Cyber Battlefield Awareness. DARPA Information Survivability Conference & Exposition (DISCEX’00), Hilton Head, South Carolina, January 2000.

    Google Scholar 

  18. P.A. Porras and P.G. Neumann, “EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances,” Proceedings National Information Systems Security Conference, NSA/NIST, Baltimore, MD, October 1997.

    Google Scholar 

  19. M. Roesch, “Lightweight Intrusion Detection for Networks,” Proceedings of the 13th Systems Adminstration Conference — LISA 1999, November, 1999.

    Google Scholar 

  20. Valdes and K. Skinner, “Adaptive, Model-based Monitoring for Cyber Attack Detection”, Proceedings 2000 International Workshop on Recent Advances in Intrusion Detection (RAID), Toulouse, France, October 2000.

    Google Scholar 

  21. Valdes and K. Skinner, “Probabilistic Alert Correlation,” Proceedings 2001 International Workshop on Recent Advances in Intrusion Detection (RAID), Davis, CA, October 2001.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. SRI International, 333 Ravenswood Avenue, Menlo Park, CA, 94025-3493

    Phillip A. Porras, Martin W. Fong & Alfonso Valdes

Authors
  1. Phillip A. Porras
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Martin W. Fong
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Alfonso Valdes
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. IBM Zurich Research Laboratory, Säumerstraße 4, 8803, Rüschlikon, Switzerland

    Andreas Wespi

  2. Department of Computer Science, University of California at Santa Barbara, Santa Barbara, CA, 93106-5110, USA

    Giovanni Vigna

  3. Centro Serra, University of Pisa, Lungarno Pacinotti 43, 56100, Pisa, Italy

    Luca Deri

Rights and permissions

Reprints and permissions

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Porras, P.A., Fong, M.W., Valdes, A. (2002). A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_6

Download citation

  • DOI: https://doi.org/10.1007/3-540-36084-0_6

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation