Techniques and tools for analyzing intrusion alerts

Authors: Peng Ning, Yun Cui, Douglas S. Reeves, Dingbang Xu

DOI: 10.1145/996943.996947

Keywords:

Abstract: Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive attacks, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a sequence of techniques to address this issue. The first technique constructs attack scenarios by correlating alerts on the basis of the prerequisites and consequences of attacks. Intuitively, the prerequisite of an attack is the necessary condition for the attack to be successful, while the consequence of an attack is the possible outcome of the attack. Based on the prerequisites and consequences of different types of attacks, the proposed method correlates alerts by (partially) matching the consequences of some prior alerts with the prerequisites of some later ones. Moreover, to handle large collections of alerts, this paper presents a set of interactive analysis utilities aimed at facilitating the investigation of large sets of intrusion alerts. This paper also presents the development of a toolkit named TIAA, which provides system support for interactive intrusion analysis. This paper finally reports the experiments conducted to validate the proposed techniques with the 2000 DARPA intrusion detection scenario-specific datasets, and the data collected at the DEFCON 8 Capture the Flag event.
