A logic-based model to support alert correlation in intrusion detection

Information Fusion

Volumn 10, Issue 4, 2009, Pages 285-299

  Morin, Benjamin ^a   Mé, Ludovic ^a   Debar, Hervé ^b   Ducassé, Mireille ^c  

^a SUPELEC Campus de Rennes   (France)

^b ORANGE LABS   (France)

^c CAMPUS DE BEAULIEU   (France)

Author keywords

Alert correlation; Data model; Intrusion detection

Indexed keywords

ALERT CORRELATION; DATA MODEL; DATA MODELS; INTRUSION DETECTION SYSTEMS; LARGE NETWORKS; LOGIC-BASED MODELS; SECURITY INCIDENT; SECURITY OPERATORS; SHARED DATA;

COMPUTER CRIME; CORRELATION METHODS; MODELS;

INTRUSION DETECTION;

EID: 67349242974     PISSN: 15662535     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.inffus.2009.01.005     Document Type: Article

References (36)

1. Morin B., Mé L., Debar H., and Ducassé M. M2D2: a formal data model for IDS alert correlation. In: Wespi A., Vigna G., and Deri L. (Eds). Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID'2002). Lecture Notes in Computer Science vol. 2516 (2002), Springer 115-127
2. K. Julisch, Clustering intrusion detection alarms to support root cause analysis, ACM Transactions on Information and System Security 6 (4).
3. Valeur F., Vigna G., Kruegel C., and Kemmerer R.A. A comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing 1 3 (2004) 146-169
4. A. Valdes, K. Skinner, Probabilistic alert correlation, in: W. Lee, L. Mé, A. Wespi (Eds.), Proceedings of the Fourth International Symposium on the Recent Advances in Intrusion Detection (RAID'2001), LNCS, vol. 2212, 2001, pp. 54-68.
5. O.M. Dain, R.K. Cunningham, Fusing heterogeneous alert streams into scenarios, in: Proceedings of the Workshop on Data Mining for Security Applications, 8th ACM Conference on Computer and Communication Security, 2001.
6. O.M. Dain, R.K. Cunningham, Building scenarios from a heterogeneous alert stream, in: Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, 2001.
7. H. Debar, A. Wespi, Aggregation and correlation of intrusion-detection alerts, in: W. Lee, L. Mé, A. Wespi (Eds.), Proceedings of the Fourth International Symposium on the Recent Advances in Intrusion Detection (RAID'2001), LNCS, vol. 2212, 2001, pp. 85-103.
8. S. Manganaris, M. Christensen, D. Zerkle, K. Hermiz, A data mining analysis of RTID alarms, in: Web Proceedings of the 2nd International Workshop on Recent Advances in Intrusion Detection (RAID'99), September 1999. .
9. B. Morin, H. Debar, Conceptual analysis of intrusion alarms, in: F. Roli, S. Vitulano (Eds.), 13th International Conference on Image Analysis and Processing, Lecture Notes in Computer Science, vol. 3617, 2005, pp. 91-98 (special session on Computer Security).
10. Morin B., and Debar H. Correlation of intrusion symptoms: an application of chronicles. In: Vigna G., Jonsson E., and Krügel C. (Eds). Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'2003). Lecture Notes in Computer Science vol. 2820 (2003), Springer 94-112
11. E. Totel, B. Vivinis, L. Mé, A language driven intrusion detection system for event and alert correlation, in: Proceedings at the 19th IFIP International Information Security Conference, Kluwer Academic, Toulouse, 2004, pp. 209-224.
12. C. Michel, L. Mé, Adele: an attack description language for knowledge-based intrusion detection, in: Proceedings of the 16th International Conference on Information Security (IFIP/SEC 2001), 2001, pp. 353-365.
13. F. Cuppens, R. Ortalo, LAMBDA: a language to model a database for detection of attacks, in: H. Debar, L. Mé, S.F. Wu (Eds.), Proceedings of the Third International Workshop on the Recent Advances in Intrusion Detection (RAID'2000), LNCS, vol. 1907, 2000, pp. 197-216.
14. S.J. Templeton, K. Levitt, A requires/provides model for computer attacks, in: Proceedings of the 2000 New Security Paradigms Workshop (NSPW'00), 2000, pp. 31-38.
15. F. Cuppens, Managing alerts in a multi-intrusion detection environment, in: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001), 2001.
16. P. Ning, D. Xu, C.G. Healey, R.S. Amant, Building attack scenarios through integration of complementary alert correlation methods, in: 11th Annual Network and Distributed System Security Symposium, 2004.
17. Y. Thomas, B. Morin, H. Debar, Improving security management through passive network observation, in: First International Conference on Availability, Reliability and Security (ARES), 2006.
18. D.E. Mann, S.M. Christey, Towards a common enumeration of vulnerabilities, in: Proceedings of the 2nd Workshop on Research with Security Vulnerability Databases, 1999.
19. R.P. Goldman, W. Heimerdinger, S.A. Harp, C.W. Geib, V. Thomas, Information modeling for intrusion report aggregation, in: Proceedings of the DARPA Information Survivability Conference and Exposition, 2001.
20. Ferre S. Camelis: a logical information system to organize and browse a collection of documents. International Journal of General Systems 38 4 (2009)
21. H. Debar, M. Dacier, A. Wespi, A revised taxonomy for intrusion-detection systems, Tech. Rep. rz3176, IBM Zurich Research Laboratory, October 1999.
22. H. Debar, D. Curry, RFC 4765, IETF, November 2006.
23. J.D. Howard, T.A. Longstaff, A common language for computer security incidents, Tech. Rep. SAND98-8667, Sandia National Laboratories, October 1998.
24. V. Raskin, C.F. Hempelmann, K.E. Triezenberg, S. Nirenburg, Ontology in information security: a useful theoretical foundation and methodological tool, in: Proceedings of the 2001 workshop on New security paradigms, ACM Press, 2001, pp. 53-59.
25. Kemmerer R., and Vigna G. Intrusion detection: a brief history and overview. IEEE Computer - Special publication on Security and Privacy (2002) 27-30
26. J. Undercoffer, A. Joshi, J. Pinkston, Modeling computer attacks: An ontology for intrusion detection, in: G. Vigna, E. Jonsson, C. Krügel (Eds.), Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'2003), Lecture Notes in Computer Science, vol. 2820, Springer, 2003, pp. 113-135.
27. J.L. Undercoffer, A. Joshi, T. Finin, J. Pinkston, A target-centric ontology for intrusion detection, in: The 18th International Joint Conference on Artificial Intelligence, 2003.
28. Vigna G., and Kemmerer R.A. NetSTAT: a network-based intrusion detection system. Journal of Computer Security 7 1 (1999) 37-71
29. P.A. Porras, M.W. Fong, A. Valdes, A mission-impact-based approach to infosec alarm correlation, in: A. Wespi, G. Vigna, L. Deri (Eds.), Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID'2002), Lecture Notes in Computer Science, vol. 2516, Springer, 2002, pp. 95-114.
30. R. Feiertag, C. Kahn, P. Porras, D. Schnackenberg, S. Staniford-Chen, B. Tung, A common intrusion specification language (CISL), Specification draft, March 2000. .
31. B. Tung, The common intrusion specification language: a retrospective, in: Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX'00), vol. 2, 2000, pp. 36-45.
32. P. Ning, X.S. Wang, S. Jajodia, Modeling requests among cooperating intrusion detection systems, in: Computer Communications, vol. 23, 2000, pp. 1702-1716.
33. P. Ning, X.S. Wang, S. Jajodia, A query facility for common intrusion detection framework, in: 23rd National Information Systems Security Conference, 2000, pp. 317-328.
34. F. Cuppens, A. Miège, Alert correlation in a cooperative intrusion detection framework, in: Proceedings of the IEEE Symposium on Security and Privacy, 2002, pp. 202-215.
35. Baader F., Calvanese D., McGuinness D., Nardi D., and Patel-Schneider P. The Description Logic Handbook (2003), Cambridge University Press
36. R. Zakeri, R. Jalili, H.R. Shahriari, H. Abolhassani, Using description logics for network vulnerability analysis, in: International Conference on Networking, Systems, Mobile Communications and Learning Technologies, IEEE Computer Society, 2006.