Abstracting and correlating heterogeneous events to detect complex scenarios

Author: Sorot Panichprecha

DOI:

Keywords:

Abstract: The research presented in this thesis addresses inherent problems of signature-based intrusion detection systems (IDSs) operating in heterogeneous environments. It proposes a solution to address the difficulties associated with multi-step attack scenario specification and detection, and for such has focused on two distinct problems: representation of events derived from heterogeneous sources, and multi-step detection. The first part investigates the application of an event abstraction model to logs collected in a heterogeneous environment. The model comprises a hierarchy of different log types, such as system audit data, logs, captured network traffic, and alerts. Unlike existing models, where low-level information may be discarded during the abstraction process, this work preserves all low-level information as well as providing a high-level form of abstract events. The model was designed independently of any particular IDS and thus can be used by any IDS, forensic tools, or monitoring tools. The second part investigates the use of unification for multi-step detection. Multi-step scenarios are hard to specify and detect, as they often involve correlation of multiple events which are affected by time uncertainty. The algorithm provides a simple and straightforward matching mechanism using variable instantiation, where variables represent events defined in the model. The third part looks into time uncertainty. Clock synchronisation is crucial to detecting attacks across hosts. Issues involving time uncertainty have been largely neglected in research. This work introduces techniques addressing two issues: clock skew compensation and drift modelling using linear regression. An off-line prototype for detecting multi-step attacks was implemented. It consists of two modules: an implementation of the abstraction architecture (AESA) and a second module. That module implements our signature language, developed based on Python programming syntax, and a unification-based matching engine. The prototype was evaluated on a publicly available dataset of real traffic and a synthetic dataset. A feature of the public dataset is the fact that it contains hosts with clock drift. These allow us to demonstrate the advantages of our contributions. All attack instances were correctly identified even though there exists significant clock drift. Future work would develop a refined model suitable for processing event streams to enable on-line detection. In terms of time uncertainty, future work would develop mechanisms that allow automatic identification and correction. immediate framework processes can
