Correlation of Intrusion Symptoms: An Application of Chronicles

In this paper, we propose a multi-alarm misuse correlation component based on the chronicles formalism. Chronicles provide a high-level declarative language together with a recognition system, and are already used in other areas where dynamic systems are monitored. This formalism allows us to reduce the number of alarms shipped to the operator and to enhance the quality of the diagnosis provided.
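To make the abstract's claim concrete, the following is an added example (not code from the paper or from any chronicle recognition system it builds on) of the core idea: a chronicle declares an ordered set of alert classes with time-interval constraints between them, and a recognizer tracks partial instances over the raw alert stream, emitting one correlated alarm per completed instance and discarding candidates whose deadline has passed. The linear event order, the pairwise delay bounds, and the requirement that all matched alerts share one source and target are simplifying assumptions of this example; the alert stream and the chronicle itself are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    """One raw IDS alert (a constructed subset of the fields a sensor would emit)."""
    ts: int      # seconds since the start of the observation window
    kind: str    # alert class assigned by the sensor
    src: str     # source address
    dst: str     # target address


@dataclass(frozen=True)
class Chronicle:
    """Ordered event pattern with delay constraints between consecutive events.

    events[i] is the alert class awaited at step i; gaps[i] = (min, max) bounds
    the delay in seconds between the alerts matched at steps i and i+1.
    Assumption of this example: every matched alert shares src/dst with the first.
    """
    name: str
    events: Tuple[str, ...]
    gaps: Tuple[Tuple[int, int], ...]


def _alarm(chronicle: Chronicle, matched: List[Alert]) -> Dict:
    """Build the single correlated alarm that replaces the matched raw alerts."""
    return {
        "chronicle": chronicle.name,
        "src": matched[0].src,
        "dst": matched[0].dst,
        "start": matched[0].ts,
        "end": matched[-1].ts,
        "evidence": [m.kind for m in matched],
    }


def correlate(chronicle: Chronicle, alerts: List[Alert]) -> List[Dict]:
    """Recognize instances of `chronicle` in an alert stream.

    A partial instance is dropped as soon as the maximum delay to its next
    expected event has elapsed, so the set of live candidates is bounded by the
    chronicle's time window rather than by the length of the stream.
    """
    assert len(chronicle.gaps) == len(chronicle.events) - 1
    partial: List[List[Alert]] = []
    alarms: List[Dict] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        surviving: List[List[Alert]] = []
        for inst in partial:
            step = len(inst)                      # index of the event awaited next
            lo, hi = chronicle.gaps[step - 1]
            delay = a.ts - inst[-1].ts
            if delay > hi:
                continue                          # deadline missed: forget this candidate
            fits = (a.kind == chronicle.events[step]
                    and a.src == inst[0].src and a.dst == inst[0].dst
                    and lo <= delay)
            if not fits:
                surviving.append(inst)            # not ours; keep waiting
                continue
            ext = inst + [a]
            if len(ext) == len(chronicle.events):
                alarms.append(_alarm(chronicle, ext))   # chronicle recognized
            else:
                surviving.append(ext)
        partial = surviving
        if a.kind == chronicle.events[0]:
            if len(chronicle.events) == 1:
                alarms.append(_alarm(chronicle, [a]))
            else:
                partial.append([a])               # open a new candidate instance
    return alarms


# Constructed chronicle: a scan, then an exploit attempt within 5 minutes,
# then a policy violation on the same src/dst pair within 1 minute.
SAMPLE_CHRONICLE = Chronicle(
    name="scan-exploit-violation",
    events=("SCAN", "EXPLOIT_ATTEMPT", "POLICY_VIOLATION"),
    gaps=((1, 300), (1, 60)),
)

# Constructed alert stream: one full chain, plus noise that must not correlate
# (an unanswered scan, an exploit attempt arriving too late, and one with no scan).
SAMPLE_ALERTS = [
    Alert(0, "SCAN", "10.0.0.5", "10.0.0.20"),
    Alert(40, "EXPLOIT_ATTEMPT", "10.0.0.5", "10.0.0.20"),
    Alert(70, "POLICY_VIOLATION", "10.0.0.5", "10.0.0.20"),
    Alert(10, "SCAN", "10.0.0.7", "10.0.0.20"),
    Alert(20, "SCAN", "10.0.0.9", "10.0.0.30"),
    Alert(500, "EXPLOIT_ATTEMPT", "10.0.0.9", "10.0.0.30"),
    Alert(100, "EXPLOIT_ATTEMPT", "10.0.0.11", "10.0.0.40"),
]


def demo() -> Tuple[int, List[Dict]]:
    """Return (number of raw alerts, correlated alarms) for the constructed stream."""
    return len(SAMPLE_ALERTS), correlate(SAMPLE_CHRONICLE, SAMPLE_ALERTS)


if __name__ == "__main__":
    raw, alarms = demo()
    print(f"{raw} raw alerts -> {len(alarms)} correlated alarm(s)")
    for alarm in alarms:
        print(alarm)
```

On the constructed stream, seven raw alerts collapse to one correlated alarm carrying the full evidence chain, which is the reduction in operator load the abstract describes; the alerts that never complete a chronicle are released when their window expires and would, in a deployment, fall through to whatever handles uncorrelated alerts.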
