Correlation analysis of intrusion alerts

Advances in Information Security

Volumn 38, Issue , 2008, Pages 65-92

  Xu, Dingbang ^a   Ning, Peng ^b  

^a North Carolina State University   (United States)

^b GOVERNORS STATE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 78049324449     PISSN: 15682633     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-0-387-77265-3_4     Document Type: Article

References (39)

1. TIAA: A toolkit for intrusion alert analysis. http://discovery.csc.ncsu.edu/software/correlator/, 2004.
2. J. P. Anderson. Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co., Fort Washington, PA, 1980.
3. Brian Caswell and Marty Roesch. Snort: The open source network intrusion detection system. http://www.snort.org.
4. CERT Coordinate Center. Overview of attack trends. http://www.cert.org/archive/pdf/attack trends.pdf, 2002. Accessed in August 2004.
5. T. Cover and J. Thomas. Elements of Information Theory. John Wiley & Sons, Inc., 1991.
6. F. Cuppens. Managing alerts in a multi-intrusion detection environment. In Proceedings of the 17th Annual Computer Security Applications Conference, December 2001.
7. F. Cuppens and A. Miege. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002.
8. F. Cuppens and R. Ortalo. LAMBDA: A language to model a database for detection of attacks. In Proc. of Recent Advances in Intrusion Detection (RAID 2000), pages 197-216, September 2000.
9. D. Curry and H. Debar. Intrusion detection message exchange format data model and extensible markup language (xml) document type definition. Internet Draft, draft-ietf-idwg-idmefxml-03.txt, February 2001.
10. DARPA Cyber Panel Program. DARPA cyber panel program grand challenge problem. http://www.grandchallengeproblem.net/, 2003.
11. H. Debar and A. Wespi. Aggregation and correlation of intrusion-detection alerts. In Recent Advances in Intrusion Detection, LNCS 2212, pages 85-103, 2001.
12. DEFCON. Def con capture the flag (CTF) contest. http://www.defcon.org/html/defcon-9/defcon-9-pre.html, July 2001.
13. Fyodor. Nmap free security scanner. http://www.insecure.org/nmap, 2003.
14. C. Granger. Investigating causal relations by econometric methods and cross-spectral methods. Econometrica, 34:424-428, 1969.
15. J. Han and M. Kamber. Data Mining: Concepts and Techniques. Morgan Kaufmann, 2000. ISBN 1-55860-489-8.
16. SRI International. Cyber-threat analytics (Cyber-TA). http://www.cyber-ta.org/.
17. Internet Security Systems. RealSecure intrusion detection system. http://www.iss.net.
18. K. Julisch. Clustering intrusion detection alarms to support root cause analysis. ACM Transactions on Information and System Security, 6(4):443-471, Nov 2003.
19. K. Julisch and M. Dacier. Mining intrusion detection alarms for actionable knowledge. In The 8th ACM International Conference on Knowledge Discovery and Data Mining, July 2002.
20. L. Kaufman and P. J. Rousseeuw. Finding Groups in Data: An Introduction to Cluster Analysis. John Wiley and Sons, 1990.
21. P. Lincoln, P. Porras, and V. Shmatikov. Privacy-preserving sharing and correlation of security alerts. In Proceedings of 13th USENIX Security Symposium, August 2004.
22. MIT Lincoln Lab. 2000 DARPA intrusion detection scenario specific datasets. http://www.ll.mit.edu/IST/ideval/data/2000/2000dataindex.html, 2000.
23. B. Morin and H. Debar. Correlation of intrusion symptoms: an application of chronicles. In Proceedings of the 6th International Conference on Recent Advances in Intrusion Detection (RAID'03), September 2003.
24. B. Morin, L. Mé, H. Debar, and M. Ducassé. M2D2: A formal data model for IDS alert correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 115-137, 2002.
25. P. Ning, Y. Cui, and D.S. Reeves. Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 245-254, Washington, D.C., November 2002.
26. P. Ning, Y. Cui, D.S. Reeves, and D. Xu. Tools and techniques for analyzing intrusion alerts. ACM Transactions on Information and System Security, 7(2):273-318, May 2004.
27. P. Ning and D. Xu. Hypothesizing and reasoning about attacks missed by intrusion detection systems. ACM Transactions on Information and System Security, 7(4):591-627, November 2004.
28. The Department of Homeland Security Science and Technology directorate. PREDICT - protected repository for the defense of infrastructure against cyber threats. https://www.predict.org.
29. P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling response to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, National Institute of Standards and Technology, 1997.
30. P.A. Porras, M.W. Fong, and A. Valdes. A mission-impact-based approach to INFOSEC alarm correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 95-114, 2002.
31. X. Qin and W. Lee. Statistical causality analysis of infosec alert data. In Proceedings of The 6th International Symposium on Recent Advances in Intrusion Detection (RAID 2003), Pittsburgh, PA, September 2003.
32. S. Staniford, J.A. Hoagland, and J.M. McAlerney. Practical automated detection of stealthy portscans. Journal of Computer Security, 10(1/2):105-136, 2002.
33. J. Ullrich. D Shield - distributed intrusion detection system. http://www.dshield.org.
34. A. Valdes and K. Skinner. Probabilistic alert correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), pages 54-68, 2001.
35. G. Vigna and R. A. Kemmerer. NetSTAT: A network-based intrusion detection system. Journal of Computer Security, 7(1):37-71, 1999.
36. D. Xu and P. Ning. Alert correlation through triggering events and common resources. In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC '04), December 2004.
37. D. Xu and P. Ning. Privacy-preserving alert correlation: A concept hierarchy based approach. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC '05), December 2005.
38. D. Xu and P. Ning. A flexible approach to intrusion alert anonymization and correlation. In Proceedings of 2nd IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks (SecureComm 2006), August 2006.
39. Y. Zhai, P. Ning, P. Iyer, and D.S. Reeves. Reasoning about complementary intrusion evidence. In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC '04), December 2004.