Techniques and tools for analyzing intrusion alerts

ACM Transactions on Information and System Security

Volumn 7, Issue 2, 2004, Pages 274-318

  Ning, Peng ^a,b   Cui, Yun ^a,b   Reeves, Douglas S ^a,b   Xu, Dingbang ^a,b  

^a NORTH CAROLINA STATE UNIVERSITY   (United States)

^b North Carolina State University   (United States)

Author keywords

Alert correlation; Intrusion detection; Security management

Indexed keywords

ALERT CORRELATION; INTRUSION DETECTION; SECURITY MANAGEMENT;

COMPUTER OPERATING SYSTEMS; COMPUTER SOFTWARE; DATA MINING; DATA PRIVACY; INTERACTIVE COMPUTER SYSTEMS;

SECURITY OF DATA;

EID: 3142632087     PISSN: 10949224     EISSN: None     Source Type: Journal    
DOI: 10.1145/996943.996947     Document Type: Review

References (40)

1. AGRAWAL, R., IMIELINSKI, T., AND SWAMI, A. N. 1993. Mining association rules between sets of items in large databases. In Proceedings of the 1993 International Conference on Management of Data. 207-216.
2. ANDERSON, J. P. 1980. Computer security threat monitoring and surveillance. Tech. rep., James P. Anderson Co., Fort Washington, PA.
3. AT&T RESEARCH LABS. Graph Viz - Open Source Graph Layout and Drawing Software. Available at http://www.research.att.com/sw/tools/graphviz/.
4. BACE, R. 2000. Intrusion Detection. Macmillan Technology Publishing.
5. CUI, Y. 2002. A Toolkit for Intrusion Alerts Correlation Based on Prerequisites and Consequences of Attacks. M.S. thesis, North Carolina State University. Available at http://www.lib.ncsu.edu/theses/available/etd-12052002- 193803/.
6. CUPPENS, F. 2001. Managing alerts in a multi-intrusion detection environment. In Proceedings of the 17th Annual Computer Security Applications Conference.
7. CUPPENS, F. AND MIEGE, A. 2002. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy.
8. CUPPENS, F. AND ORTALO, R. 2000. LAMBDA: A language to model a database for detection of attacks. In Proceedings of the Recent Advances in Intrusion Detection (RAID 2000). 197-216.
9. CURRY, D. AND DEBAR, H. 2001. Intrusion detection message exchange format data model and extensible markup language (XML) document type definition. Internet Draft, draft-ietf-idwg-idmef-xml-03.txt.
10. DAIN, O. AND CUNNINGHAM, R. 2001. Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications. 1-13.
11. DEBAR, H. AND WESPI, A. 2001. Aggregation and correlation of intrusion-detection alerts. In Recent Advances in Intrusion Detection. Lecture Notes in Computer Science, vol. 2212. 85-103.
12. DEFCON. 2000. DEFCON Capture the Flag (CTF) contest. Available at http://www.defcon.org/html/defcon-8-post.html. Archive accessible at http://wi2600.org/mediawhore/mirrors/shmoo/.
13. ECKMANN, S., VIGNA, G., AND KEMMERER, R. 2002. STATL: An attack language for state-based intrusion detection. J. Comput. Secur. 10, 1/2, 71-104.
14. GARDNER, R. AND HARLE, D. 1998. Pattern discovery and specification translation for alarm correlation. In Proceedings of Network Operations and Management Symposium (NOMS '98). 713-722.
15. GRUSCHKE, B. 1998. Integrated event management: Event correlation using dependency graphs. In Proceedings of the 9th IFIP/IEEE International Workshop on Distributed Systems: Operations & Management.
16. ILGUN, K., KEMMERER, R. A., AND PORRAS, P. A. 1995. State transition analysis: A rule-based intrusion detection approach. IEEE Trans. Softw. Eng. 21, 3, 181-199.
17. INTERNET SECURITY SYSTEMS. RealSecure intrusion detection system. Available at http://www.iss.net.
18. JAVITS, H. AND VALDES, A. 1993. The NIDES Statistical Component: Description and Justification. Tech. rep., SRI International, Computer Science Laboratory.
19. JHA, S., SHEYNER, O., AND WING, J. 2002. Two formal analyses of attack graphs. In Proceedings of the 15th Computer Security Foundation Workshop.
20. JULISCH, K. 2001. Mining alarm clusters to improve alarm handling efficiency. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC). 12-21.
21. KUMAR, S. 1995. Classification and Detection of Computer Intrusions. Ph.D. thesis, Purdue University.
22. KUMAR, S. AND SPAFFORD, E. H. 1994. A pattern matching model for misuse intrusion detection. In Proceedings of the 17th National Computer Security Conference. 11-21.
23. LIN, J., WANG, X. S., AND JAJODIA, S. 1998. Abstraction-based misuse detection: High-level specifications and adaptable strategies. In Proceedings of the 11th Computer Security Foundations Workshop, Rockport, MA. 190-201.
24. MANGANARIS, S., CHRISTENSEN, M., ZERKLE, D., AND HERMIZ, K. 2000. A data mining analysis of RTID alarms. Comput. Netw. 34, 571-577.
25. MIT LINCOLN LAB. 2000. 2000 DARPA Intrusion Detection Scenario-Specific Datasets. Available at http://www.11.mit.edu/IST/ideval/data/2000/ 2000_data_index.html.
26. MORIN, B., MÉ, L., DEBAR, H., AND DUCASSÉ, M. 2002. M2D2: A formal data model for IDS alert correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002). 115-137.
27. MUKHERJEE, B., HEBERLEIN, L. T., AND LEVITT, K. N. 1994. Network intrusion detection. IEEE Netw. 8, 3 (May), 26-41.
28. NING, P., CUI, Y., AND REEVES, D. S. 2002a. Analyzing intensive intrusion alerts via correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland. 74-94.
29. NING, P., CUI, Y., AND REEVES, D. S. 2002b. Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the Ninth ACM Conference on Computer and Communications Security, Washington, DC. 245-254.
30. NING, P., JAJODIA, S., AND WANG, X. S. 2001. Abstraction-based intrusion detection in distributed environments. ACM Trans. Inf. Syst. Secur. 4, 4 (Nov.), 407-452.
31. PORRAS, P., FONG, M., AND VALUES, A. 2002. A mission-impact-based approach to INFOSEC alarm correlation. In Proceedings of the Fifth International Symposium on Recent Advances in Intrusion Detection (RAID 2002). 95-114.
32. RICCIULLI, L. AND SHACHAM, N. 1997. Modeling correlated alarms in network management systems. In Western Simulation Multiconference.
33. RITCHEY, R. AND AMMANN, P. 2000. Using model checking to analyze network vulnerabilities. In Proceedings of IEEE Symposium on Security and Privacy. 156-165.
34. SHEYNER, O., HAINES, J., JHA, S., LIPPMANN, R., AND WING, J. 2002. Automated generation and analysis of attack graphs. In Proceedings of IEEE Symposium on Security and Privacy.
35. STANIFORD, S., HOAGLAND, J., AND MCALERNEY, J. 2002. Practical automated detection of stealthy portscans. J. Comput. Secur. 10, 1/2, 105-136.
36. STANIFORD-CHEN, S., CHEUNG, S., CRAWFORD, R., DILGER, M., FRANK, J., HOAGLAND, J., LEVITT, K., WEE, C., YIP, R., AND ZERKLE, D. 1996. GrIDS - A graph based intrusion detection system for large networks. In Proceedings of the 19th National Information Systems Security Conference, Vol. 1. 361-370.
37. TEMPLETON, S. AND LEVITT, K. 2000. A requires/provides model for computer attacks. In Proceedings of New Security Paradigms Workshop. ACM Press, 31-38.
38. VALDES, A. AND SKINNER, K. 2001. Probabilistic alert correlation. In Proceedings of the Fourth International Symposium on Recent Advances in Intrusion Detection (RAID 2001). 54-68.
39. VIGNA, G. AND KEMMERER, R. A. 1999. NetSTAT: A network-based intrusion detection system. J. Comput. Secur. 7, 1, 37-71.
40. XERCES2 JAVA PARSER. Available at http://xml.apache.org/xerces2-j/index. html.