Announcements

Center for Information Protection
UC Davis is planning to join the NSF I/UCRC Center for Information Protection. We are looking for companies to join our Industrial Advisory Board.
Find out more here!

Conferences and Workshops

My Links

Other Links

This Quarter’s Classes

Office Hours for This Quarter

Contacting Me

Modeling Network Intrusion Detection Alerts for Correlation


Citation

  • J. Zhou, M. Heckman, B. Reynolds, A. Carlson, and M. Bishop, “Modeling Network Intrusion Detection Alerts for Correlation,” ACM Transactions on Information and System Security 10(1) pp. 1–31 (Feb. 2007).

Paper

Abstract

Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability. We use capability to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator. The experimental results of the correlator using several intrusion datasets demonstrate that the approach is effective in both alert fusion and alert correlation and has the ability to correlate alerts of complex multistage intrusions. In several instances, the alert correlator successfully correlated more than two thousand Snort alerts involved in massive scanning incidents. It also helped us find two multistage intrusions that were missed in auditing by the security officers.

Copyright Notice

© ACM, 2007. This is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Transactions on Information and System Security 10(1), Feb. 2007, and is available at http://doi.acm.org/10.1145/1210263.1210267.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh
Last updated on Monday, July 20, 2009 at 10:33:17AM PDT