Building Attack Scenarios through Integration of Complementary Alert Correlation Methods

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2004

Volumn , Issue , 2004, Pages

  Ning, Peng ^a   Xu, Dingbang ^a   Healey, Christopher G ^a   St Amant, Robert ^a  

^a North Carolina State University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INTRUSION DETECTION; NETWORK SECURITY;

ALERT CORRELATION; ATTACKS SCENARIOS; AUDIT DATA; CAUSAL RELATIONSHIPS; IN-BUILDINGS; INTRUSION ALERT CORRELATION; INTRUSION ALERTS; INTRUSION DETECTION SYSTEMS; MISSED ATTACKS; PERFORMANCE;

CORRELATION METHODS;

EID: 79958186026     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (27)

1. P. Ammann, D. Wijesekera, and S. Kaushik. Scalable, graph-based network vulnerability analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 217–224, November 2002.
2. AT & T Research Labs. Graphviz - open source graph layout and drawing software. http://www.research.att.com/sw/tools/graphviz/.
3. G. Combs. The ethereal network analyzer. http://www.ethereal.com.
4. F. Cuppens. Managing alerts in a multi-intrusion detection environment. In Proceedings of the 17th Annual Computer Security Applications Conference, December 2001.
5. F. Cuppens and A. Miege. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002.
6. F. Cuppens and R. Ortalo. LAMBDA: A language to model a database for detection of attacks. In Proc. of Recent Advances in Intrusion Detection (RAID 2000), pages 197–216, September 2000.
7. O. Dain and R. Cunningham. Building scenarios from a heterogeneous alert stream. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, pages 231–235, June 2001.
8. O. Dain and R. Cunningham. Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications, pages 1–13, Nov. 2001.
9. H. Debar and A. Wespi. Aggregation and correlation of intrusion-detection alerts. In Recent Advances in Intrusion Detection, LNCS 2212, pages 85 – 103, 2001.
10. S. Eckmann, G. Vigna, and R. Kemmerer. STATL: An Attack Language for State-based Intrusion Detection. Journal of Computer Security, 10(1/2):71–104, 2002.
11. Internet Security Systems. RealSecure intrusion detection system. http://www.iss.net.
12. S. Jha, O. Sheyner, and J. Wing. Two formal analyses of attack graphs. In Proceedings of the 15th Computer Security Foundation Workshop, June 2002.
13. K. Julisch. Mining alarm clusters to improve alarm handling efficiency. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC), pages 12–21, December 2001.
14. K. Julisch and M. Dacier. Mining intrusion detection alarms for actionable knowledge. In The 8th ACM International Conference on Knowledge Discovery and Data Mining, July 2002.
15. MIT Lincoln Lab. 2000 DARPA intrusion detection scenario specific datasets. http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html, 2000.
16. B. Morin and H. Debar. Correlation of intrusion symptoms: an application of chronicles. In Proceedings of the 6th International Conference on Recent Advances in Intrusion Detection (RAID’03), September 2003.
17. B. Morin, L. Mé, H. Debar, and M. Ducassé. M2D2: A formal data model for IDS alert correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 115–137, 2002.
18. P. Ning and Y. Cui. Intrusion alert correlator (version 0.2). http://discovery.csc.ncsu.edu/software/correlator/ver0.2/iac.html, 2002.
19. P. Ning, Y. Cui, and D. S. Reeves. Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 245–254, Washington, D.C., November 2002.
20. P. Ning and D. Xu. Learning attack stratagies from intrusion alerts. In Proceedings of the 10th ACM Conference on Computer and Communications Security, October 2003. To appear.
21. P. Porras, M. Fong, and A. Valdes. A mission-impact-based approach to INFOSEC alarm correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 95–114, 2002.
22. X. Qin and W. Lee. Statistical causality analysis of infosec alert data. In Proceedings of The 6th International Symposium on Recent Advances in Intrusion Detection (RAID 2003), Pittsburgh, PA, Sept. 2003.
23. C. Ramakrishnan and R. Sekar. Model-based analysis of configuration vulnerabilities. Journal of Computer Security, 10(1/2):189–209, 2002.
24. O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. Wing. Automated generation and analysis of attack graphs. In Proceedings of IEEE Symposium on Security and Privacy, May 2002.
25. S. Staniford, J. Hoagland, and J. McAlerney. Practical automated detection of stealthy portscans. Journal of Computer Security, 10(1/2):105–136, 2002.
26. S. Templeton and K. Levitt. A requires/provides model for computer attacks. In Proceedings of New Security Paradigms Workshop, pages 31 – 38. ACM Press, September 2000.
27. A. Valdes and K. Skinner. Probabilistic alert correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), pages 54–68, 2001.