Abstract
Current alert correlation techniques do not make full use of the information that is available to them. We propose a data model for IDS alert correlation called M2D2. It supplies four types of information: the characteristics of the monitored information system, the vulnerabilities, the security tools used for monitoring, and the events observed. M2D2 is formally defined; as far as we know, no other formal model includes the vulnerability and alert parts of M2D2. Three examples of correlation are given and are rigorously specified using the formal definition of M2D2. Unlike previously published correlation methods, these examples draw on more than the events generated by security tools: they make use of many of the concepts formalized in M2D2.
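The abstract's point is that an alert can only be judged, and corroborated, against knowledge of the monitored system, its vulnerabilities and the tools watching it, not from the event stream alone. The Python below is an added illustration of that idea; it is not the paper's code and does not reproduce its formal definition of M2D2. The four classes stand in for the four information types, the two correlation rules (is the attacked host actually vulnerable? which in-scope tools failed to report the same event?) are the editor's own simplifications, and every host address, product name, vulnerability identifier and alert is constructed sample data.

```python
"""Two correlations over a simplified M2D2-style data model (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Host:                       # monitored information system
    address: str
    products: FrozenSet[str]      # products configured on this host


@dataclass(frozen=True)
class Vulnerability:              # vulnerability information
    vuln_id: str                  # constructed identifier, not a real CVE
    affects: FrozenSet[str]       # products the vulnerability applies to


@dataclass(frozen=True)
class Tool:                       # security tool information
    name: str
    monitors: FrozenSet[str]      # host addresses within the tool's scope
    detects: FrozenSet[str]       # vulnerabilities whose exploitation it signals


@dataclass(frozen=True)
class Alert:                      # observed event, as reported by one tool
    tool: str
    target: str
    vuln_id: str
    time: int                     # seconds


def is_relevant(alert: Alert, hosts: Dict[str, Host],
                vulns: Dict[str, Vulnerability]) -> bool:
    """Correlation 1: the attacked host runs a product the vulnerability affects."""
    host = hosts.get(alert.target)
    vuln = vulns.get(alert.vuln_id)
    if host is None or vuln is None:
        return False              # unknown host or vulnerability: cannot confirm
    return bool(host.products & vuln.affects)


def expected_reporters(target: str, vuln_id: str, tools: Iterable[Tool]) -> Set[str]:
    """Tools whose scope covers the target and whose signatures cover the vulnerability."""
    return {t.name for t in tools if target in t.monitors and vuln_id in t.detects}


def corroborate(alerts: Iterable[Alert], tools: Iterable[Tool], window: int
                ) -> List[Tuple[Tuple[str, str], Set[str], Set[str]]]:
    """Correlation 2: group alerts on the same (target, vulnerability) that fall
    within `window` seconds of the first one, then list the tools that should
    have reported the event but stayed silent."""
    tools = list(tools)
    groups: List[List[Alert]] = []
    for a in sorted(alerts, key=lambda x: x.time):
        for g in groups:
            same_event = (g[0].target, g[0].vuln_id) == (a.target, a.vuln_id)
            if same_event and a.time - g[0].time <= window:
                g.append(a)
                break
        else:
            groups.append([a])    # no open group matches: new occurrence
    result = []
    for g in groups:
        key = (g[0].target, g[0].vuln_id)
        reported = {a.tool for a in g}
        missing = expected_reporters(key[0], key[1], tools) - reported
        result.append((key, reported, missing))
    return result


# Constructed sample data (hypothetical addresses, products and identifiers).
SAMPLE_HOSTS = {
    "10.0.0.5": Host("10.0.0.5", frozenset({"apache-1.3", "openssh-2.9"})),
    "10.0.0.7": Host("10.0.0.7", frozenset({"iis-5.0"})),
}
SAMPLE_VULNS = {
    "V-1": Vulnerability("V-1", frozenset({"apache-1.3"})),
    "V-2": Vulnerability("V-2", frozenset({"iis-5.0"})),
}
SAMPLE_TOOLS = [
    Tool("nids-dmz", frozenset({"10.0.0.5", "10.0.0.7"}), frozenset({"V-1", "V-2"})),
    Tool("hids-web", frozenset({"10.0.0.5"}), frozenset({"V-1"})),
]
SAMPLE_ALERTS = [
    Alert("nids-dmz", "10.0.0.5", "V-1", 100),   # seen by both tools
    Alert("hids-web", "10.0.0.5", "V-1", 103),
    Alert("nids-dmz", "10.0.0.5", "V-2", 200),   # IIS exploit against an Apache host
    Alert("nids-dmz", "10.0.0.7", "V-2", 300),   # only nids-dmz covers this host
    Alert("nids-dmz", "10.0.0.5", "V-1", 900),   # hids-web should have seen this
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.tool, a.target, a.vuln_id, "relevant" if is_relevant(a, SAMPLE_HOSTS, SAMPLE_VULNS) else "irrelevant")
    for key, reported, missing in corroborate(SAMPLE_ALERTS, SAMPLE_TOOLS, 30):
        print(key, "reported by", sorted(reported), "silent:", sorted(missing))
```

The third alert is dropped by the first rule because the vulnerability information says the targeted host runs nothing it affects; the last alert survives the first rule but the second flags that a host-based tool in scope did not corroborate it. Neither conclusion is reachable from the alerts themselves, which is the abstract's argument for modelling the system, vulnerability and tool information alongside the events.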
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Morin, B., Mé, L., Debar, H., Ducassé, M. (2002). M2D2: A Formal Data Model for IDS Alert Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_7
DOI: https://doi.org/10.1007/3-540-36084-0_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00020-4
Online ISBN: 978-3-540-36084-1