An Empirical Approach to Modeling Uncertainty in Intrusion Analysis

Authors: Xinming Ou, Siva Raj Rajagopalan, Sakthiyuvaraja Sakthivelmurugan

DOI: 10.1109/ACSAC.2009.53

Abstract: Uncertainty is an innate feature of intrusion analysis due to the limited views provided by system monitoring tools, intrusion detection systems (IDS), and various types of logs. Attackers are essentially invisible in cyber space; monitoring tools can only observe the symptoms or effects of malicious activities. When these are mingled with similar effects from normal, non-malicious activities, they lead intrusion analysis to conclusions of varying confidence and to high false positive/negative rates. This paper presents an empirical approach to the problem of uncertainty in which the inferred security implications of low-level observations are captured in a simple logical language augmented with certainty tags. We have designed an automated reasoning process that enables us to combine multiple sources of monitoring data and extract highly-confident attack traces from the numerous possible interpretations of low-level observations. We developed our model empirically: the starting point was a true intrusion that happened on a campus network, which we studied to capture the essence of the human reasoning that led to conclusions about the attack. We then used a Datalog-like language to encode the model and a Prolog system to carry out the reasoning process. Our reasoning system reached the same conclusions as the human administrator on the question of which machines were certainly compromised. We then automatically generated the reasoning model needed for handling Snort alerts from the natural-language descriptions in the Snort rule repository, and built a Snort add-on to analyze the alerts. Keeping the reasoning model unchanged, we applied the system to two third-party data sets and one production network. The results showed that the model is effective on these data sets as well. We believe such an empirical approach has the potential of codifying the seemingly ad-hoc human reasoning about uncertain events, and can yield useful tools for automated intrusion analysis.
