A comprehensive approach to intrusion detection alert correlation

IEEE Transactions on Dependable and Secure Computing

Volumn 1, Issue 3, 2004, Pages 146-168

  Valeur, Fredrik ^a   Vigna, Giovanni ^a   Kruegel, Christopher ^a   Kemmerer, Richard A ^a  

^a University of California   (United States)

Author keywords

Alert correlation; Alert reduction; Correlation data sets; Intrusion detection

Indexed keywords

ALARM SYSTEMS; CORRELATION METHODS; MATHEMATICAL MODELS; SENSORS; SPECIFICATIONS;

ALERT CORRELATION; ALERT REDUCTION; CORRELATION DATA SETS; INTRUSION DETECTION;

DETECTOR CIRCUITS;

EID: 21944457574     PISSN: 15455971     EISSN: None     Source Type: Journal    
DOI: 10.1109/TDSC.2004.21     Document Type: Article

References (52)

1. D. Andersson, M. Fong, and A. Valdes, "Heterogeneous Sensor Correlation: A Case Study of Live Traffic Analysis," Proc. Third Ann. IEEE Information Assurance Workshop, June 2002.
2. M. Arboi, The Nessus Attack Scripting Language Reference Guide, 2002. http://www.nessus.org/doc/nasl2_reference.pdf.
3. S.M. Bellovin, "Packets Found on an Internet," technical report, AT&T Bell Laboratories, May 1992.
4. S. Cheung, U. Lindqvist, and M. Fong, "Modeling Multistep Cyber Attacks for Scenario Recognition," Proc. DARPA Information Survivability Conf. and Exposition (DISCEX III), pp. 284-292, Apr. 2003.
5. F. Cuppens and A. Miege, "Alert Correlation in a Cooperative Intrusion Detection Framework," Proc. IEEE Symp. Security and Privacy, May 2002.
6. D. Curry and H. Debar, "Intrusion Detection Message Exchange Format: Extensible Markup Language (XML) Document Type Definition," draft-ietf-idwg-idmef-xml-10.txt+, Jan. 2003.
7. Common Vulnerabilities and Exposures, http://www.cve.mitre. org/, 2003.
8. H. Debar and A. Wespi, "Aggregation and Correlation of Intrusion-Detection Alerts," Proc. Int'l Symp. Recent Advances in Intrusion Detection, pp. 85-103, Oct. 2001.
9. D.E. Denning, "An Intrusion Detection Model," IEEE Trans. Software Eng., vol. 13, no. 2, pp. 222-232, Feb. 1987.
10. N. Desai, "IDS Correlation of VA Data and IDS Alerts," http://www.securityfocus.com/infocus/1708, June 2003.
11. R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo, "Addendum to Testing and Evaluating Computer Intrusion Detection Systems," Comm. ACM, vol. 42, no. 9, p. 15, Sept. 1999.
12. R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo, "Testing and Evaluating Computer Intrusion Detection Systems," Comm. ACM, vol. 42, no. 7, pp. 53-61, July 1999.
13. S.T. Eckmann, G. Vigna, and R.A. Kemmerer, "STATL: An Attack Language for State-Based Intrusion Detection," J. Computer Security, vol. 10, nos. 1-2, pp. 71-104, 2002.
14. A.K. Ghosh, J. Wanken, and F. Charron, "Detecting Anomalous and Unknown Intrusions against Programs," Proc. Ann. Computer Security Application Conf. (ACSAC '98), pp. 259-267, Dec. 1998.
15. R. Gula, "Correlating IDS Alerts with Vulnerability Information," technical report, Tenable Network Security, Dec. 2002.
16. J. Haines, D.K. Ryder, L. Tinnel, and S. Taylor, "Validation of Sensor Alert Correlators," IEEE Security and Privacy Magazine, vol. 1, no. 1, pp. 46-56, Jan./Feb. 2003.
17. L.T. Heberlein, G.V. Dias, K.N. Levitt, B. Mukherjee, J. Wood, and D. Wolber, "A Network Security Monitor," Proc. IEEE Symp. Research in Security and Privacy, pp. 296-304, May 1990.
18. K. Ilgun, "USTAT: A Real-Time Intrusion Detection System for UNIX," Proc. IEEE Symp. Research on Security and Privacy, May 1993.
19. ISS, Realsecure, http://www.iss.net/, 2004.
20. H.S. Javitz and A. Valdes, "The NIDES Statistical Component Description and Justification," technical report, SRI Int'l, Mar. 1994.
21. K. Kendall, "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems," master's thesis, MIT, June 1999.
22. G.H. Kim and E.H. Spafford, "The Design and Implementation of Tripwire: A File System Integrity Checker", technical report, Purdue Univ., Nov. 1993.
23. C. Ko, M. Ruschitzka, and K. Levitt, "Execution Monitoring of Security-Critical Programs in Distributed Systems: A Specification-Based Approach," Proc. 1997 IEEE Symp. Security and Privacy, pp. 175-187, May 1997.
24. C. Kruegel and W. Robertson, "Alert Verification: Determining the Success of Intrusion Attempts," Proc. First Workshop the Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2004), July 2004.
25. C. Kruegel and G. Vigna, "Anomaly Detection of Web-Based Attacks," Proc. 10th ACM Conf. Computer and Comm. Security (CCS '03), pp. 251-261, Oct. 2003.
26. MIT Lincoln Laboratory, Lincoln Lab Data Sets, http://www.ll.mit.edu/IST/ ideval/data/data_index.html, 2000.
27. R. Lippmann, D. Fried, I. Graf, J. Haines, K. Kendall, D. McClung, D. Weber, S. Webster, D. Wyschogrod, R. Cunningham, and M. Zissman, "Evaluating Intrusion Detection Systems: The 1998 DARPA Off-Line Intrusion Detection Evaluation," Proc. DARPA Information Survivability Conf. and Exposition, vol. 2, Jan. 2000.
28. BugTraq Mailing List, Vulnerabilities by Bugtraq ID, http://www. securityfocus.com/bid/bugtraqid/, 2004.
29. J. McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evalautions as Performed by Lincoln Laboratory," ACM Trans. Information and System Security, vol. 3, no. 4, Nov. 2000.
30. D.L. Mills Network Time Protocol (Version 3), RFC 1305, 1992.
31. B. Morin and H. Debar, "Correlation of Intrusion Symptoms: An Application of Chronicles," Proc. Int'l Symp. Recent Advances in Intrusion Detection, Sept. 2003.
32. B. Morin, L. Me, H. Debar, and M. Ducasse, "M2D2: A Formal Data Model for IDS Alert Correlation," Proc. Recent Advances in Intrusion Detection, pp. 115-137, 2002.
33. Nessus Vulnerabilty Scanner, http://www.nessus.org/, 2004.
34. P.G. Neumann and P.A. Porras, "Experience with EMERALD to Date," Proc. First USENIX Workshop Intrusion Detection and Network Monitoring, pp. 73-80, Apr. 1999.
35. P. Ning, Y. Cui, and D.S. Reeves, "Analyzing Intensive Intrusion Alerts Via Correlation," Proc. Int'l Symp. the Recent Advances in Intrusion Detection, pp. 74-94, Oct. 2002.
36. P. Ning, Y. Cui, and D.S. Reeves, "Constructing Attack Scenarios through Correlation of Intrusion Alerts," Proc. ACM Conf. Computer and Comm. Security, pp. 245-254, Nov. 2002.
37. P. Ning and D. Xu, "Learning Attack Strategies from Intrusion Alert," Proc. ACM Conf. Computer and Comm. Security (CCS '03), Oct. 2003.
38. V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Proc. Seventh USENIX Security Symp., Jan. 1998
39. P. Porras, M. Fong, and A. Valdes, "A Mission-Impact-Based Approach to INFOSEC Alarm Correlation," Proc. Int'l Symp. the Recent Advances in Intrusion Detection, pp. 95-114, Oct. 2002.
40. UCSB Reliable Software Group, LinSTAT Webpage, http://www.cs.ucsb.edu/ rsg/STAT/software/linstat.html, 2003.
41. UCSB Reliable Software Group, collection of ntrusion detection data sets, http://www.cs.ucsb.edu/rsg/datasets/, 2004.
42. M. Roesch, "Snort - Lightweight Intrusion Detection for Networks," Proc. USENIX LISA '99 Conf., Nov. 1999
43. U. Shankar and V. Paxson, "Active Mapping: Resisting NIDS Evasion Without Altering Traffic," Proc. IEEE Symp. Security and Privacy, 2003.
44. Snort - The Open Source Network Intrusion Detection System, http://www.snort.org, 2004.
45. S.J. Templeton and K. Levitt, "A Requires/Provides Model for Computer Attacks," Proc. New Security Paradigms Workshop, pp. 31-38, Sept. 2000.
46. A. Valdes and K. Skinner, "Adaptive, Model-Based Monitoring for Cyber Attack Detection," Proc. RAID 2000 Conf., Oct. 2000.
47. A. Valdes and K. Skinner, "An Approach to Sensor Correlation," Proc. Int'l Symp. Recent Advances in Intrusion Detection, Oct. 2000.
48. A. Valdes and K. Skinner, "Probabilistic Alert Correlation," Proc. Int'l Symp. Recent Advances in Intrusion Detection, pp. 54-68, Oct. 2001.
49. G. Vigna, "Teaching Hands-On Network Security: Testbeds and Live Exercises," J. Information Warfare, vol. 3, no. 2, pp. 8-25, 2003.
50. G. Vigna and R.A. Kemmerer, "NetSTAT: A Network-Based Intrusion Detection System," J. Computer Security, vol. 7, no. 1, pp. 37-71, 1999.
51. G. Vigna, F. Valeur, and R.A. Kemmerer, "Designing and Implementing a Family of Intrusion Detection Systems," Proc. European Software Eng. Conf. and ACM SIGSOFT Symp. the Foundations of Software Eng. (ESEC/FSE 2003), Sept. 2003.
52. C. Warrender, S. Forrest, and B.A. Pearlmutter, "Detecting Intrusions Using System Calls: Alternative Data Models," Proc. IEEE Symp. Security and Privacy, pp. 133-145, 1999.