Toward automated intrusion alert analysis

Network Security

Volumn , Issue , 2010, Pages 175-205

  Ning, Peng ^a   Xu, Dingbang ^a  

^a North Carolina State University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 84860670029     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.1007/978-0-387-73821-5_8     Document Type: Chapter

References (39)

1. R. Agrawal, T. Imielinski, and A. N. Swami. Mining association rules between sets of items in large databases. In Proceedings of the 1993 International Conference on Management of Data, pages 207-216, 1993.
2. P. Ammann, D. Wijesekera, and S. Kaushik. Scalable, graph-based network vulnerability analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 217-224, November 2002.
3. J. P. Anderson. Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co., Fort Washington, PA, 1980.
4. R. G. Bace. Intrusion Detection. Macmillan Technology Publishing, Indianapolis, 2000.
5. F. Cuppens. Managing alerts in a multi-intrusion detection environment. In Proceedings of the 17th Annual Computer Security Applications Conference, December 2001.
6. F. Cuppens and A. Miege. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002.
7. F. Cuppens and R. Ortalo. LAMBDA: A language to model a database for detection of attacks. In Proceedings of Recent Advances in Intrusion Detection (RAID 2000), pages 197-216, September 2000.
8. O. Dain and R. K. Cunningham. Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications, pages 1-13, November 2001.
9. H. Debar and A. Wespi. Aggregation and correlation of intrusion-detection alerts. In Recent Advances in Intrusion Detection, LNCS 2212, pages 85-103, 2001.
10. DEFCON. Def con capture the flag (CTF) contest. http://www.defcon.org/ html/defcon-8-post.html, July 2000. Archive accessible at http://wi2600.org/ mediawhore/mirrors/shmoo/.
11. S. T. Eckmann, G. Vigna, and R. A. Kemmerer. STATL: An Attack Language for State-based Intrusion Detection. Journal of Computer Security, 10(1/2):71-104, 2002.
12. R. Gardner and D. Harle. Pattern discovery and specification translation for alarm correlation. In Proceedings of Network Operations and Management Symposium (NOMS'98), pages 713-722, February 1998.
13. B. Gruschke. Integrated event management: Event correlation using dependency graphs. In Proceedings of the 9th IFIP/IEEE International Workshop on Distributed Systems: Operations & Management, October 1998.
14. K. Ilgun, R. A. Kemmerer, and P. A. Porras. State transition analysis: A rule-based intrusion detection approach. IEEE Transaction on Software Engineering, 21(3):181-199, 1995.
15. D. A. Jackson, K. M. Somers, and H. H. Harvey. Similarity coefficients: Measures of cooccurence and association or simply measures of occurrence? The American Naturalist, 133(3):436-453, March 1989.
16. A. K. Jain and R. C. Dubes. Algorithms for Clustering Data. Prentice Hall, Englewood Cliffs, 1988.
17. S. Jha, O. Sheyner, and J. M. Wing. Two formal analyses of attack graphs. In Proceedings of the 15th Computer Security Foundation Workshop, June 2002.
18. K. Julisch. Mining alarm clusters to improve alarm handling efficiency. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC), pages 12-21, December 2001.
19. S. Kumar. Classification and Detection of Computer Intrusions. PhD thesis, Purdue University, August 1995.
20. S. Kumar and E. H. Spafford. A pattern matching model for misuse intrusion detection. In Proceedings of the 17th National Computer Security Conference, pages 11-21, October 1994.
21. J. Lin, X. S. Wang, and S. Jajodia. Abstraction-based misuse detection: High-level specifications and adaptable strategies. In Proceedings of the 11th Computer Security Foundations Workshop, pages 190-201, Rockport, MA, June 1998.
22. S. Manganaris, M. Christensen, D. Zerkle, and K. Hermiz. A data mining analysis of RTID alarms. Computer Networks, 34:571-577, 2000.
23. MIT Lincoln Lab. 2000 DARPA intrusion detection scenario specific datasets. http://www.ll.mit.edu/IST/ideval/data/2000/2000dataindex.html, 2000.
24. B. Morin, L. Mé, H. Debar, and M. Ducassé. M2D2: A formal data model for IDS alert correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 115-137, 2002.
25. B. Mukherjee, L. T. Heberlein, and K. N. Levitt. Network intrusion detection. IEEE Network, 8(3):26-41, May 1994.
26. P. Ning, Y. Cui, and D. S Reeves. Analyzing intensive intrusion alerts via correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 74-94, Zurich, Switzerland, October 2002.
27. P. Ning, Y. Cui, and D. S Reeves. Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 245-254, Washington, D. C., November 2002.
28. P. Ning and D. Xu. Adapting query optimization techniques for efficient intrusion alert correlation. In Proceedings of the 17th IFIP WG 11.3 Working Conference on Data and Application Security (DAS'03), August 2003.
29. P. Ning and D. Xu. Learning attack stratagies from intrusion alerts. In Proceedings of the 10th ACM Conference on Computer and Communications Security, pages 200-209, October 2003.
30. Packet storm. http://packetstormsecurity.nl. Accessed on April 30, 2003.
31. P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling response to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, National Institute of Standards and Technology, 1997.
32. P. A. Porras, M. W. Fong, and A. Valdes. A mission-impact-based approach to INFOSEC alarm correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 95-114, 2002.
33. C. R. Ramakrishnan and R. Sekar. Model-based analysis of configuration vulnerabilities. Journal of Computer Security, 10(1/2):189-209, 2002.
34. L. Ricciulli and N. Shacham. Modeling correlated alarms in network management systems. In In Western Simulation Multiconference, 1997.
35. O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing. Automated generation and analysis of attack graphs. In Proceedings of IEEE Symposium on Security and Privacy, May 2002.
36. S. Staniford, J. A. Hoagland, and J. M. McAlerney. Practical automated detection of stealthy portscans. Journal of Computer Security, 10(1/2):105-136, 2002.
37. S. Templeton and K. Levitt. A requires/provides model for computer attacks. In Proceedings of New Security Paradigms Workshop, pages 31-38. ACM Press, September 2000.
38. A. Valdes and K. Skinner. Probabilistic alert correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), pages 54-68, 2001.
39. G. Vigna and R. A. Kemmerer. NetSTAT: A network-based intrusion detection system. Journal of Computer Security, 7(1):37-71, 1999.