Statistical Causality Analysis of Infosec Alert Data
作者: Xinzhou Qin , Wenke Lee
DOI: 10.1007/978-3-540-45248-5_5
关键词:
摘要: With the increasingly widespread deployment of security mechanisms, such as firewalls, intrusion detection systems (IDSs), antiviras software and authentication services, problem alert analysis has become very important. The large amount alerts can overwhelm administrators prevent them from adequately understanding analyzing state network, initiating appropriate response in a timely fashion. Recently, several approaches for correlation attack scenario have been proposed. However, these all limited capabilities detecting new scenarios. In this paper, we study with an emphasis on analysis. our framework, use clustering techniques to process low-level data into high-level aggregated alerts, conduct causal based statistical tests discover relationships among attacks. Our causality approach complements other that hard-coded prior knowledge pattern matching. We perform series experiments validate method using DARPA’s Grand Challenge Problem (GCP) datasets, 2000 DARPA Intrusion Detection Scenario DEF CON 9 datasets. results show patterns when attacks are statistically correlated.
springer.com
core.ac.uk
springerlink.com参考文章(22)
João B. D. Cabrera, Raman K. Mehra, Extracting Precursor Rules from Time SeriesA Classical Statistical Viewpoint. siam international conference on data mining. pp. 213- 228 ,(2002)
Hervé Debar, Andreas Wespi, Aggregation and Correlation of Intrusion-Detection Alerts recent advances in intrusion detection. pp. 85- 103 ,(2001) , 10.1007/3-540-45474-8_6
Y. A. Nygate, Event correlation using rule and object based techniques integrated network management. pp. 278- 289 ,(1995) , 10.1007/978-0-387-34890-2_25
S. Kliger, S. Yemini, Y. Yemini, D. Ohsie, S. Stolfo, A coding approach to event correlation integrated network management. pp. 266- 277 ,(1995) , 10.1007/978-0-387-34890-2_24
Anthony J. Hayter, Probability and statistics for engineers and scientists ,(1996)
Phillip A. Porras, Martin W. Fong, Alfonso Valdes, A mission-impact-based approach to INFOSEC alarm correlation recent advances in intrusion detection. pp. 95- 114 ,(2002) , 10.1007/3-540-36084-0_6
Peng Ning, Yun Cui, Douglas S. Reeves, Analyzing intensive intrusion alerts via correlation recent advances in intrusion detection. pp. 74- 94 ,(2002) , 10.1007/3-540-36084-0_5
João B. D. Cabrera, Lundy Lewis, Xinzhou Qin, Wenke Lee, Raman K. Mehra, Proactive Intrusion Detection and Distributed Denial of Service Attacks—A Case Study in Security Management Journal of Network and Systems Management. ,vol. 10, pp. 225- 254 ,(2002) , 10.1023/A:1015910917349
Klaus Julisch, Marc Dacier, Mining intrusion detection alarms for actionable knowledge Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining - KDD '02. pp. 366- 375 ,(2002) , 10.1145/775047.775101
J. Haines, D. Kewley Ryder, L. Tinnel, S. Taylor, Validation of sensor alert correlators ieee symposium on security and privacy. ,vol. 1, pp. 46- 56 ,(2003) , 10.1109/MSECP.2003.1176995