Automatic multi-step attack pattern discovering

International Journal of Network Security

Volumn 10, Issue 2, 2010, Pages 142-152

  Wang, Li ^a   Ghorbani, Ali ^a   Li, Yao ^a  

^a UNIVERSITY OF NEW BRUNSWICK   (Canada)

Author keywords

Alert correlation; Correlativity; Extension time window; Multi step attack pattern

Indexed keywords

ALERT CORRELATION; ATTACK PATTERNS; COMPUTING WORKLOADS; CORRELATIVITY; MULTI-STEP ATTACKS; QUANTITATIVE CORRELATION; SECURITY ALERTS; TIME WINDOWS;

EXPERIMENTS;

NETWORK SECURITY;

EID: 79959289473     PISSN: 1816353X     EISSN: 18163548     Source Type: Journal    
DOI: None     Document Type: Article

References (20)

1. C. Araujo, A. Biazetti, A. Bussani, J. Dinger, M. Feridun, and A. Tanner, "Simplifying correlation rule creation for effective systems monitoring," 15th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management, DSOM, Davis, CA, USA, pp. 266-268, 2004.
2. S. Benferhat, F. Autrel, F. Cuppens, "Enhanced correlation in an intrusion detection process," Second International Workshop Mathematical Methods, Models and Architectures for Computer Networks Security, pp. 157-170, 2003.
3. F. Cuppens, "Managing alerts in multi-intrusion detection environment," 17th ACSAC conference, New Orleans, pp. 22, December 2001.
4. F. Cuppens, A. Miuege, "Alert correlation in a cooperative intrusion detection framework," IEEE symposium on security and privacy, Oakland, pp. 202, May 2002.
5. K. Julisch, "Mining alarm clusters to improve alarm handling eciency," 17th Annual Computer Security Applications Conference, New Orleans, LA, USA, pp.0012, 2001.
6. K. Julisch, "Clustering intrusion detection alarms to support root cause analysis," ACM Transaction on Information and System Security, vol. 6, pp. 443-471, 2003.
7. P. Kabiri and A. A. Ghorbani, "A Rule-based Temporal Alert Correlation System," International Journal of Network Security, vol. 5, no. 1, pp. 66-72, 2007.
8. W. Lee and X. Qin, "Statistical causality analysis of INFOSEC alert data," RAID'03, pp. 73-93, 2003.
9. W. Li, Z. T. Li, J. Lei, D. Li, "Attack scenario construction with a new sequential mining technique," SNPD'07, pp. 872-877, 2007.
10. MIT Lincoln Lab. 2000 DARPA Intrusion Detection Scenario Specific Data Sets. (http:// www.ll.mit. edu/ IST/ideval/data/2000/2000 dataindex.html)
11. MIT Lincoln Lab. Tcpdump File Replay Utility. (http://ideval.ll.mit.edu/IST/ideval/tools/ toolsindex.html)
12. P. Ning, Y. Cui, and D. S. Reeves, "Constructing attack scenarios through correlation of intrusion alerts," 9th ACM Conference on Computer and Communications Security, Washington, DC, United States, pp. 245-254, 2002.
13. P. Ning, Y. Cui, D. S. Reeves, and D. Xu, "Techniques and tools for analyzing intrusion alerts," ACM Transactions on Information and System Security, vol. 7, pp. 274, 2004.
14. P. Ning and D. Xu, "Alert correlation through triggering events and common resources," ACSAC'04, Tucson, AZ, USA, pp. 360-369, 2004.
15. O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, "Automated generation and analysis of attack graphs," Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 273, May 2002.
16. N. Srinivasan and V. Vaidehi, "Performance analysis of soft computing based anomaly detectors," International Journal of Network Security, vol. 7, no. 3, pp. 436-447, 2008.
17. A. Valdes and K. Skinner, "Probabilistic alert correlation," Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, LNCS 2212, pp. 54-68, Oct. 2001.
18. Q. Xinzhou and L. Wenke, "Discovering novel attack strategies from INFOSEC alerts," ESORICS'04, pp. 439-456, 2004.
19. A. Zhu and A. A. Ghorbani, "Alert correlation for extracting attack strategies," International Journal of Network Security, vol. 3, no. 3, pp. 244-258, 2006.
20. Y. Zhu, X. Fu, and R. Bettati, "On the effectiveness of continuous-time mixes under ow-correlation based anonymity attacks," International Journal of Network Security, vol. 7, no. 1, pp. 130-140, 2008.