Reasoning about complementary intrusion evidence

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2004, Pages 39-48

  Zhai, Yan ^a   Ning, Peng ^a   Iyer, Purush ^a   Reeves, Douglas S ^a  

^a North Carolina State University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BAYESIAN NETWORKS; EVENT-BASED EVIDENCE; INTRUSION ANALYSIS; INTRUSION DETECTION SYSTEMS (IDS);

COMPUTER CRIME; COMPUTER NETWORKS; CYBERNETICS; MATHEMATICAL MODELS; SCANNING; THEOREM PROVING;

ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS;

EID: 21644435323     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CSAC.2004.29     Document Type: Conference Paper

References (31)

1. checkrootkit. http://www.checkrootkit.org. Accessed on Feb. 4, 2004.
2. Javabayes. http://www-2.cs.cmu.edu/~javabayes/Home/. Accessed on Oct 10, 2003.
3. Nessus. http://www.nessus.org. Accessed on Feb. 4, 2004.
4. Samhain. http://la-samhna.de/samhain/. Accessed on April 4, 2004.
5. Tripwire. http://www.tripwire.com. Accessed on Feb. 4, 2004.
6. P. Ammann, D. Wijesekera, and S. Kaushik. Scalable, graph-based network vulnerability analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 217-224, November 2002.
7. F. Cuppens. Managing alerts in a multi-intrusion detection environment. In Proceedings of the 17th Annual Computer Security Applications Conference, December 2001.
8. F. Cuppens and A. Miege. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002.
9. F. Cuppens and R. Ortalo. LAMBDA: A language to model a database for detection of attacks. In Proc. of Recent Advances in Intrusion Detection (RAID 2000), pages 197-216, September 2000.
10. O. Dain and R.K. Cunningham. Building scenarios from a heterogeneous alert stream. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, pages 231-235, June 2001.
11. O. Dain and R.K. Cunningham. Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications, pages 1-13, November 2001.
12. H. Debar and A. Wespi. Aggregation and correlation of intrusion-detection alerts. In Recent Advances in Intrusion Detection, LNCS 2212, pages 85 - 103, 2001.
13. S.T. Eckmann, G. Vigna, and R.A. Kemmerer. STATL: An Attack Language for State-based Intrusion Detection. Journal of Computer Security, 10(1/2):71-104, 2002.
14. D. Farmer and W. Venema. SATAN: Security administrator tool for analyzing networks. http://142.3.223.54/~short/SECURITY/satan.html.
15. Fyodor. Nmap free security scanner. http://www.insecure.org/nmap, 2003.
16. F.V. Jensen. Bayesian Networks and Decision Graphs. Statistics for Engineering and Information Science. Springer, 2001.
17. K. Misch. Mining alarm clusters to improve alarm handling efficiency. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC), pages 12-21, December 2001.
18. K. Julisch and M. Dacier. Mining intrusion detection alarms for actionable knowledge. In The 8th ACM International Conference on Knowledge Discovery and Data Mining, July 2002.
19. MIT Lincoln Lab. 1999 DARPA intrusion detection scenario specific datasets. http://www.11.mit.edu/IST/ideval/data/1999/1999_data_index.html, 1999.
20. B. Morin, L. Me, H. Debar, and M. Ducassé. M2D2: A formal data model for IDS alert correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 115-137, 2002.
21. P. Ning, Y. Cui, and D. S Reeves. Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 245-254, Washington, D.C., November 2002.
22. P. Ning, D. Xu, C. Healey, and R. St. Amant. Building attack scenarios through integration of complementary alert correlation methods. In Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS '04), pages 97-111, February 2004.
23. P.A. Porras, M.W. Fong, and A. Valdes. A mission-impact-based approach to INFOSEC alarm correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 95-114, 2002.
24. M. Roesch. Snort - lightweight intrusion detection for networks. In Proceedings of the 1999 USENIX LISA conference, 1999.
25. O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J.M. Wing. Automated generation and analysis of attack graphs. In Proceedings of IEEE Symposium on Security and Privacy, May 2002.
26. S. Staniford, J.A. Hoagland, and J.M. McAlerney. Practical automated detection of stealthy portscans. Journal of Computer Security, 10(1/2): 105-136, 2002.
27. Tauscan. http://www.agnitum.com/products/tauscan/.
28. S. Templeton and K. Levitt. A requires/provides model for computer attacks. In Proceedings of New Security Paradigms Workshop, pages 31-38. ACM Press, September 2000.
29. A. Valdes and K. Skinner. Probabilistic alert correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), pages 54-68, 2001.
30. X-scan. http://www.xfocus.org.
31. Y. Zhai, P. Ning, P. Iyer, and D.S. Reeves. Reasoning about complementary intrusion evidence. Technical Report TR-2004-25, Department of Computer Science, North Carolina State University, 2004.