Alert Correlation for Extracting Attack Strategies

Authors: Ali A. Ghorbani, Bin Zhu

Abstract: Alert correlation is an important technique for managing the large volume of intrusion alerts that are raised by heterogeneous Intrusion Detection Systems (IDSs). The recent trend of research in this area is towards extracting attack strategies from raw alerts. It is generally believed that pure detection can no longer satisfy the security needs of organizations; response and prevention are now becoming crucial to protecting the network and minimizing damage. Knowing the real situation of a network and the strategies used by attackers enables administrators to launch appropriate responses to stop attacks and prevent them from escalating. This is also the primary goal of using the alert correlation technique. However, most current techniques only focus on clustering inter-connected alerts into different groups without further analyzing the strategies of the attackers. Some approaches have been proposed in recent years, but they normally require defining a larger number of rules. This paper focuses on developing a new technique that helps to automatically extract attack strategies from alerts, without specific prior knowledge about these alerts. The approach is based on two neural approaches, namely, the Multilayer Perceptron (MLP) and the Support Vector Machine (SVM). The probabilistic output of these methods is used to determine with which previous alerts a new alert should be correlated. This suggests a causal relationship between alerts, which is helpful for constructing attack scenarios. One distinguishing feature of the approach is the Alert Correlation Matrix (ACM), which stores the correlation strengths of any two types of alerts. The ACM is updated in the training process, and this information (correlation strength) is then used to extract high-level attack strategies.
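As an added illustration (not code from the paper), the following Python sketch shows the Alert Correlation Matrix idea: a probabilistic correlation score between each new alert and the recent earlier alerts updates per-type correlation strengths, and the strongest type-to-type edges are then read out as the high-level attack strategy. The alert stream, the hand-set logistic weights standing in for the trained MLP/SVM, and the window and threshold values are all assumptions made for the example.

```python
import math
from collections import defaultdict, namedtuple

# Constructed sample alert stream (not real data): seconds offset, alert type, src, dst
Alert = namedtuple("Alert", "t type src dst")
ALERTS = [
    Alert(0,    "PORT_SCAN",   "10.0.0.5", "10.0.0.20"),
    Alert(30,   "SSH_BRUTE",   "10.0.0.5", "10.0.0.20"),
    Alert(90,   "PRIV_ESC",    "10.0.0.5", "10.0.0.20"),
    Alert(100,  "DNS_ANOMALY", "10.0.0.9", "10.0.0.2"),   # unrelated background alert
    Alert(7200, "PORT_SCAN",   "10.0.0.7", "10.0.0.21"),
    Alert(7260, "SSH_BRUTE",   "10.0.0.7", "10.0.0.21"),
    Alert(7300, "PRIV_ESC",    "10.0.0.7", "10.0.0.21"),
]
WINDOW = 600  # seconds: older alerts are not considered as candidate causes (assumed value)

def correlation_prob(prev, cur):
    """Probability that `prev` caused `cur`. The paper takes this from a trained MLP/SVM;
    hand-set logistic weights (an assumption) stand in for that model here."""
    same_src = float(prev.src == cur.src)
    same_dst = float(prev.dst == cur.dst)
    proximity = max(0.0, 1.0 - (cur.t - prev.t) / WINDOW)  # 1.0 when simultaneous
    z = -4.0 + 2.5 * same_src + 2.5 * same_dst + 2.0 * proximity
    return 1.0 / (1.0 + math.exp(-z))

class AlertCorrelationMatrix:
    """ACM: accumulated correlation strength for every ordered pair of alert types."""
    def __init__(self, threshold=0.5):
        self.threshold = threshold
        self.strength = defaultdict(float)  # (prev_type, cur_type) -> strength

    def train(self, alerts):
        history = []
        for cur in sorted(alerts, key=lambda a: a.t):
            for prev in history:
                if cur.t - prev.t > WINDOW:
                    continue
                p = correlation_prob(prev, cur)
                if p >= self.threshold:  # correlate only when the model is confident
                    self.strength[(prev.type, cur.type)] += p
            history.append(cur)
        return self

    def extract_strategy(self, min_strength=1.0):
        """Attack strategy as directed type-to-type edges above min_strength, strongest first."""
        edges = [(a, b, s) for (a, b), s in self.strength.items() if s >= min_strength]
        return sorted(edges, key=lambda e: -e[2])

def build_strategy(alerts=ALERTS, min_strength=1.0):
    return AlertCorrelationMatrix().train(alerts).extract_strategy(min_strength)
```

On the constructed stream, build_strategy() returns the edges PORT_SCAN -> SSH_BRUTE, SSH_BRUTE -> PRIV_ESC and PORT_SCAN -> PRIV_ESC, while the DNS_ANOMALY alert never reaches the correlation threshold and so contributes nothing to the ACM.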
