Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts

Authors: Lingyu Wang, Anyi Liu, Sushil Jajodia

DOI: 10.1016/J.COMCOM.2006.04.001

Keywords:

Abstract: To defend against multi-step intrusions in high-speed networks, efficient algorithms are needed to correlate isolated alerts into attack scenarios. Existing correlation methods usually employ an in-memory index for fast searches among received alerts. With finite memory, the index can only be built on a limited number of alerts inside a sliding window. Knowing this fact, an attacker can prevent two attack steps from both falling into the sliding window by either passively delaying the second step or actively injecting bogus alerts between the two steps. In either case, the correlation effort is defeated. In this paper, we first address the above issue with a novel queue graph (QG) approach. Instead of searching all the received alerts for those that prepare for a new alert, we only search for the latest alert of each type. The correlation between the new alert and the other alerts is implicitly represented using the temporal order between alerts. Consequently, our approach can correlate alerts that are arbitrarily far away, and it has a linear (in the number of alert types) time complexity and a quadratic memory requirement. Then, we extend the basic QG approach to a unified method to hypothesize missing alerts and to predict future alerts. Finally, we propose a compact representation for the result of alert correlation. Empirical results show that our method can fulfill correlation tasks faster than an IDS can report alerts. Hence, the method is a promising solution for administrators to monitor and predict the progress of intrusions and thus to take appropriate countermeasures in a timely manner.
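The following is an added illustration of the queue-graph idea described in the abstract, written for this page and not taken from the paper: memory holds only the latest alert of each type, so a prerequisite step is still found after any number of injected noise alerts, unseen prerequisites are hypothesized as missed alerts, and successors in the attack graph are reported as predicted next steps. The attack-graph fragment and alert-type names are constructed assumptions.

```python
from collections import defaultdict

# Constructed attack-graph fragment (assumed alert-type names, not the paper's data):
# an entry A -> [B] means alerts of type A prepare for alerts of type B.
PREPARES_FOR = {
    "scan": ["exploit"],
    "exploit": ["priv_esc"],
    "priv_esc": ["exfil"],
}


class QueueGraph:
    """Queue-graph correlation: state is bounded by the number of alert types, not alerts."""

    def __init__(self, prepares_for):
        self.successors = prepares_for
        self.predecessors = defaultdict(list)
        for src, dsts in prepares_for.items():
            for dst in dsts:
                self.predecessors[dst].append(src)
        self.latest = {}          # alert type -> (alert id, timestamp) of the latest alert
        self.correlations = []    # (earlier alert id, later alert id) pairs found

    def add_alert(self, alert_id, alert_type, ts):
        """Correlate against the latest alert of each preparing type, then record this alert.

        Returns (hypothesized missing alert types, predicted next alert types)."""
        hypothesized = []
        for prev_type in self.predecessors.get(alert_type, []):
            if prev_type in self.latest and self.latest[prev_type][1] <= ts:
                self.correlations.append((self.latest[prev_type][0], alert_id))
            else:
                hypothesized.append(prev_type)  # prerequisite never seen: assume the IDS missed it
        self.latest[alert_type] = (alert_id, ts)  # overwrite, so memory stays bounded by #types
        predicted = list(self.successors.get(alert_type, []))
        return hypothesized, predicted

    def memory_entries(self):
        return len(self.latest)


def demo():
    """Constructed scenario: a scan, then many unrelated alerts, then the exploit."""
    qg = QueueGraph(PREPARES_FOR)
    qg.add_alert("a1", "scan", 1)
    # A sliding window of, say, 100 alerts would have evicted a1 long before the exploit arrives.
    for i in range(10_000):
        qg.add_alert(f"n{i}", "noise", 2 + i)
    hypothesized, predicted = qg.add_alert("a2", "exploit", 20_000)
    return qg, hypothesized, predicted
```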

References (39)
Lingyu Wang, Anyi Liu, Sushil Jajodia. An Efficient and Unified Approach to Correlating, Hypothesizing, and Predicting Intrusion Alerts. Computer Security – ESORICS 2005, pp. 247-266 (2005). 10.1007/11555827_15
Yan Zhai, Peng Ning, P. Iyer, D.S. Reeves. Reasoning about complementary intrusion evidence. Annual Computer Security Applications Conference, pp. 39-48 (2004). 10.1109/CSAC.2004.29
Hervé Debar, Andreas Wespi. Aggregation and Correlation of Intrusion-Detection Alerts. Recent Advances in Intrusion Detection, pp. 85-103 (2001). 10.1007/3-540-45474-8_6
Indrajit Ray, Nayot Poolsapassit. Using Attack Trees to Identify Malicious Attacks from Authorized Insiders. Computer Security – ESORICS 2005, pp. 231-246 (2005). 10.1007/11555827_14
Vern Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, vol. 31, pp. 2435-2463 (1999). 10.1016/S1389-1286(99)00112-7
S. Noel, E. Robertson, S. Jajodia. Correlating intrusion events and building attack scenarios through attack graph distances. Annual Computer Security Applications Conference, pp. 350-359 (2004). 10.1109/CSAC.2004.11
P. Ning, D. Xu. Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation. North Carolina State University at Raleigh (2002).
Dingbang Xu, Peng Ning. Alert correlation through triggering events and common resources. Annual Computer Security Applications Conference, pp. 360-369 (2004). 10.1109/CSAC.2004.5
Karl Levitt, Dan Zerkle. NetKuang: a multi-host configuration vulnerability checker. USENIX Security Symposium, pp. 20-20 (1996).
Oliver Dain, Robert K. Cunningham. Fusing A Heterogeneous Alert Stream Into Scenarios. Applications of Data Mining in Computer Security, pp. 103-122 (2002). 10.1007/978-1-4615-0953-0_5