Intrusion detection and correlation: Challenges and solutions

Advances in Information Security

Volumn 14, Issue , 2005, Pages 1-115

  Kruegel, Christopher ^a   Valeur, Fredrik ^a   Vigna, Giovanni ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 34848927600     PISSN: 15682633     EISSN: None     Source Type: Book Series    
DOI: None     Document Type: Article

References (90)

1. AES (2001). Advanced Encryption Standard. National Institute of Standards and Technology, US Department of Commerce, FIPS 197.
2. Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., and Stoner, E. (2000). State of the Practice of Intrusion Detection Technologies. Technical Report CMU/SEI-99TR-028, Carnagie Mellon, Software Engineering Institute.
3. Almgren, M. and Lindqvist, U. (2001). Application-Integrated Data Collection for Security Monitoring. In Lee, W., Mé, L., and Wespi, A., editors, Recent Advances in Intrusion Detection (RAID), Lecture Notes in Computer Science, pages 22-36. Springer.
4. Asaka, M., Taguchi, A., and Goto, S. (1999). The Implementation of IDA: An Intrusion Detection Agent System. In 11th FIRST Conference on Computer Security Incident Handling and Response.
5. Axelsson, S. (1999). The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection. In ACM Conference on Computer and Communications Security, pages 1-7.
6. Bace, R. and Mell, P. (2001). Intrusion Detection Systems. Technical Report NIST SP 800-31, National Institute of Standards and Technology.
7. Balasubramaniyan, J. S., Garcia-Fernandez, J. O., Isacoff, D., Spafford, E., and Zamboni, D. (1998). An Architecture for Intrusion Detection using Autonomous Agents. In 14th Annual Computer Security Applications Conference (ACSAC).
8. Balepin, I., Maltsev, S., Rowe, J., and Levitt, K. (2004). Using Specification-Based Intrusion Detection for Automated Response. In Recent Advances in Intrusion Detection (RAID).
9. Bellovin, S. M. (1993). Packets Found on an Internet. Computer Communications Review, 23(3):26-31.
10. Bellovin, S. M. (2001). Computer Security-An End State? Communications of the ACM, 44(3):131-132.
11. Bellovin, Steven M. (1992). Packets found on an internet. Technical report, AT&T Bell Laboratories.
12. Bugtraq (2004). Security mailing list. http://www.securityfocus.com.
13. Carzaniga, A., Rosenblum, D., and Wolf, A. (2000). Achieving scalability and expressiveness in an internet-scale event notification service. In ACM Symposium on Principles of Distributed Computing, pages 219-227, Portland OR, USA.
14. CERT (2003). CERT Statistics 2003. http://www.cert.org/stats/cert_stats.html.
15. Cheswick, W. and Bellovin, S. (1994). Firewalls and Internet Security. Addison-Wesley, Reading, Massachusetts, USA.
16. Cohen, F. (1999). Simulating Cyber Attacks, Defenses, and Consequences. http://all.net/journal/ntb/simulate/simulate.html.
17. Coulouris, G., Dollimore, J., and Kindberg, T. (1996). Distributed Systems-Concepts and Design. Addison-Wesley, Harlow, England, 2nd edition.
18. Crosbie, M. and Spafford, E. (1995). Defending a Computer System using Autonomous Agents. In 18th National Information Systems Security Conference.
19. Cuppens, F. and Miege, A. (2002). Alert Correlation in a Cooperative Intrusion Detection Framework. In IEEE Symposium on Security and Privacy, Oakland, CA.
20. Curry, D. and Debar, H. (2003). Intrusion Detection Message Exchange Format: Extensible Markup Language (XML) Document Type Definition, draft-ietf-idwg-idmef-xml-10. txt.
21. CVE(2004). Common Vulnerabilities and Exposures, http://www.cve.mitre.org/.
22. Dacier, M., Debar, H., and Wespi, A. (1999). Towards a taxonomy of intrusion-detection systems. Computer Networks, 31 (8):805-822.
23. de Queiroz, J. D., da Costa Carmo, L. F. R., and Pirmez, L. (1999). Micael: An Autonomous Mobile Agent System to Protect New Generation Networked Applications. In 2nd Annual Workshop on Recent Advances in Intrusion Detection.
24. DES (1977). Data Encryption Standard. National Bureau of Standards, US Department of Commerce, FIPS 46-3.
25. Diffie, W. and Hellman, M. (1976). New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22(6):644-654.
26. Eckmann, ST., Vigna, G., and Kemmerer, R.A. (2002). STATL: An Attack Language for Statebased Intrusion Detection. Journal of Computer Security, 10(1/2):71-104.
27. Flegel, U. (2002). Pseudonymizing Unix Log Files. In Infrastructure Security Conference (InfraSec).
28. Floyd, S. and Paxson, V. (2001). Difficulties in Simulating the Internet. IEEE/ACM Transactions on Networking, 9(4):392-403.
29. Ghosh, A. K., Wanken, J., and Charron, F. (1998). Detecting Anomalous and Unknown Intrusions Against Programs. In Akers, D., editor, Annual Computer Security Applications Conference (ACSAC), pages 259-267. IEEE Computer Society.
30. Haines, J., Ryder, D.K., Tinnel, L., and Taylor, S. (2003). Validation of Sensor Alert Correlators. IEEE Security & Privacy Magazine, 1(1):46-56.
31. Handley, M., Paxson, V., and Kreibich, C. (2001). Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In 10th USENIX Security Symposium.
32. Helman, P. and Liepins, G. (1993). Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse. IEEE Transactions on Software Engineering, 19(9):886-901.
33. Hofmeyr, S. A., Forrest, S., and Somayaji, A. (1998). Intrusion Detection Using Sequences of System Calls. Journal of Computer Security, 6(3):151-180.
34. Ilgun, K., Kemmerer, R. A., and Porras, P. A. (1995). State Transition Analysis: A Rule-Based Intrusion Detection System. IEEE Transactions on Software Engineering, 21(3).
35. IPSec (2004). IP Sec. Protocol, http://www.ietf.org/html.charters/ipsec-charter. html.
36. Kahn, C., Porras, P. A., Staniford-Chen, S., and Tung, B. (1998). A Common Intrusion Detection Framework. http://gost.isi.edu/cidf/papers/cidf-jcs.ps.
37. KDDCup (1999). The Third International Knowledge Discovery and Data Mining Tools Competition. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
38. Kemmerer, R. A. and Vigna, G. (2002). Intrusion Detection: A Brief History and Overview. IEEE Computer, 35(4):27-30.
39. Ko, C., Ruschitzka, M., and Levitt, K. (1997). Execution Monitoring of Security-Critical Programs in Distributed Systems: A Specification-based Approach. In IEEE Symposium on Security and Privacy, pages 175-187.
40. Kruegel, C. and Toth, T. (2001). An efficient, IP based Solution to the 'Logical Timestamp Wrapping' Problem. In 6th International Conference on Telecommunication.
41. Kruegel, C., Toth, T., and Kirda, E. (2001). Sparta-A Security Policy Reinforcement Tool for Large Networks. In IFIP Conference on Advances in Network and Distributed Systems Security. Kluwer Academic Publishers.
42. Kruegel, C., Valeur, F., Vigna, G., and Kemmerer, R. A. (2002). Stateful Intrusion Detection for High-Speed Networks. In IEEE Symposium on Security and Privacy, pages 285-294.
43. Kumar, S. and Spafford, E. H. (1994). A Pattern Matching Model for Misuse Intrusion Detection. In Proceedings of the 17th National Computer Security Conference, pages 11-21.
44. Lamport, L. (1978). Time, Clocks and the Ordering of Events in a Distributed System. Communications of the ACM, 21(7):558-65.
45. Landwehr, C. E., Bull, A. R., McDermott, J. P., and Choi, W. S. (1994). A Taxonomy of Computer Program Security Flaws. ACM Computing Surveys (CSUR), 26(3):211-254.
46. LIDS (2004). Linux Intrusion Detection System, http://www.lids.org/.
47. Lindqvist, U. and Porras, P. A. (1999). Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST). In IEEE Symposium on Security and Privacy, pages 146-161, Oakland, California. IEEE Computer Society Press, Los Alamitos, California.
48. Lonvick, C. (2001). The BSD syslog Protocol. RFC 3164.
49. Loscocco, P. and Smalley, S. (2001). Integrating Flexible Support for Security Policies into the Linux Operating System. In Freenix Track of Usenix Annual Technical Conference.
50. Lunt, T. F. (1993). Detecting Intruders in Computer Systems. In 5th Canadian Conference on Auditing and Computer Technology.
51. Malan, G. R., Watson, D., Jahanian, F., and Howell, P. (2000). Transport and Application Protocol Scrubbing. In INFOCOM(3), pages 1381-1390.
52. McHugh, J. (2000). Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory. ACM Transactions on Information and System Security (TISSEC), 3(4):262-294.
53. MIT Lincoln Laboratory (2000). DARPA Intrusion Detection Evaluation. http://www.ll. mit.edu/IST/ideval/.
54. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., and Weaver, N. (2003). The Spread of the Sapphire/Slammmer Worm. http://www.cs.berkeley.edu/-nweaver/sapphire/.
55. Morin, B., Me, L., Debar, H., and Ducasse, M. (2002). M2D2: A Formal Data Model for IDS Alert Correlation. In Recent Advances in Intrusion Detection (RAID), pages 115-137, Zurich, Switzerland.
56. Mutz, D., Vigna, G., and Kemmerer, R. A. (2003). An Experience Developing an IDS Stimulator for the Black-Box Testing of Network Intrusion Detection Systems. In Annual Computer Security Applications Conference (ACSAC), Las Vegas, Nevada.
57. Neumann, P. G. and Porras, P. A. (1999). Experience with EMERALD to Date. In First USENIX Workshop on Intrusion Detection and Network Monitoring, pages 73-80, Santa Clara, California.
58. Ning, P., Cui, Y., and Reeves, D.S. (2002). Constructing Attack Scenarios through Correlation of Intrusion Alerts. In ACM Conference on Computer and Communications Security (CCS), pages 245-254, Washington, D.C.
59. Ning, P. and Xu, D. (2003). Learning Attack Strategies from Intrusion Alert. In ACM Conference on Computer and Communications Security (CCS), Washington, DC.
60. Northcutt, S. (1999). Network Intrusion Detection-An Analyst's handbook. New Riders, Indianapolis, USA.
61. Pang, R. and Paxson, V. (2003). A High-level Programming Environment for Packet Trace Anonymization and Transformation. In ACM SIGCOMM.
62. Patton, S., Yurcik, W., and Doss, D. (2001). An Achilles Heel in Signature-Based IDS: Squealing False Positives in SNORT. http://www.raid-symposium.org/raid2001/program. html.
63. Porras, P., Schnackenberg, D., Staniford-Chen, S., Stillman, M., and Wu, F. (1998). The Common Intrusion Detection Framework Architecture. http://www.isi.edu/gost/cidf/drafts/architecture.txt.
64. Porras, P.A. and Neumann, P.G. (1997). EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In National Information Systems Security Conference.
65. Postel, J. (1981). Internet Protocol. RFC 791.
66. Ptacek, T. H. and Newsham, T. N. (1998). Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Technical report, Secure Networks, Inc.
67. Ranum, M. (2000). Intrusion Detection and Network Forensics. In M1 Tutorial-USENIX Security 2000, Denver, Colorado, USA.
68. Rescorla, E. (2003). Security holes. Who cares? In Paxson, V., editor, USENIX Security Symposium, pages 75-90. USENIX.
69. Rivest, R. L., Shamir, A., and Adleman, L. A. (1978). A Method for obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2): 120-126.
70. Roesch, M. (1999). Snort-Lightweight Intrusion Detection for Networks. In Parter, D., editor, Large Installation System Administraton (LISA), pages 229-238. USENIX.
71. Schneier, Bruce (1996). Applied Cryptography. John Wiley & Sons, Inc., New York, USA, 2nd edition.
72. Shankar, U. and Paxson, V. (2003). Active Mapping: Resisting NIDS Evasion Without Altering Traffic. In IEEE Symposium on Security and Privacy.
73. Snapp, S., Brentano, J., Dias, G. V., Goan, T. L., Heberlein, L. T., Ho, C., Levitt, K. N., Mukherjee, B., Smaha, S. E., Grance, T., Teal, D. M., and Mansur, D. (1991). DIDS (Distributed Intrusion Detection System)-Motivation, Architecture and an early Prototype. In 14th National Security Conference, pages 167-176.
74. Snot (2004). A packet generator. http://www.stolenshoes.net/sniph/.
75. Stallings, William (2000). Network Security Essentials-Applications and Standards. Prentice Hall, Englewood Cliffs, New Jersey, USA.
76. Staniford, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., and Zerkle, D. (1996). GrIDS-A Graph Based Intrusion Detection System For Large Networks. In 20th National Information Systems Security Conference, volume 1, pages 361-370.
77. Staniford, S., Hoagland, J. A., and McAlerney, J. M. (2000). Practical Automated Detection of Stealthy Portscans. In ACM Computer and Communications Security IDS Workshop.
78. Stick (2004). IDS stress tool, http://www.eurocompton.net/stick/projects8.html.
79. Sun Microsystems, Inc. (1991). Installing, Administering, and Using the Basic Security Module. 2550 Garcia Ave., Mountain View, CA 94043.
80. Tan, K. M. C., Killourhy, K. S., and Maxion, R. A. (2002). Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits. In Wespi, A., Vigna, G., and Deri, L., editors, Recent Advances in Intrusion Detection (RAID), Lecture Notes in Computer Science, pages 54-73. Springer.
81. Tan, K. M. C. and Maxion, R. A. (2002). Why 6? Defining the Operational Limits of Slide, an Anomaly-Based Intrusion Detector. In IEEE Symposium on Security and Privacy, pages 188-201.
82. Tanenbaum, Andrew S. and van Steen, Maarten (2002). Distributed Systems-Principles and Paradigms. Prentice Hall, Englewood Cliffs, New Jersey, USA.
83. tcpdump (2002). Tcpdump and Libpcap Documentation, http://www.tcpdump.org/.
84. Toth, T. and Kruegel, C. (2002). Evaluating the Impact of Automated Intrusion Response Mechanisms. In 18th Annual Computer Security Applications Conference (ACSAC). IEEE Computer Society Press.
85. Undercoffer, J., Joshi, A., and Pinkston, J. (2003). Modeling Computer Attacks: An Ontology for Intrusion Detection. In 6th International Symposium on Recent Advances in Intrusion Detection.
86. U.S. Department of Defense (1985). Department of Defense Trusted Computer System Evaluation Criteria.
87. Wagner, D. and Soto, P. (2002). Mimicry Attacks on Host-Based Intrusion Detection Systems. In ACM Conference on Computer and Communications Security (CCS).
88. White, Gregory B., Fisch, Eric A., and Pooch, Udo W. (1996). Cooperating Security Managers: A peer-based intrusion detection system. IEEE Network, pages 20-23.
89. x509 (2002). Public-Key Infrastructure X.509. The Internet Engineering Task Force.
90. Xu, J., Fan, J., Ammar, M., and Moon, S. (2002). On the design and performance of prefix preserving IP trace traffic anonymization. In ACM SIGCOMM Internet Measurement Workshop.