Vulnerabilities Analyzing Model for Alert Correlation in Distributed Environment

With the growing deployment of host and network intrusion detection systems, managing the alerts these systems produce becomes critically important. A promising approach is to develop a cooperation module between several IDS to correlate alerts and generate more global and synthetic alerts. Some approaches (e.g. TIAA) provide a working solution for correlating intrusion alerts using the prerequisites of intrusions: they construct attack scenarios by correlating alerts on the basis of the prerequisites and consequences of attacks. The biggest defect of these approaches lies in the complexity of the consequence relation, which can make the correlation graphs very large and unreadable. This happens mainly because these approaches correlate all alerts on an equal footing and do not consider the different influence each alert has on the same information system. We propose a model for alert correlation that incorporates information about the vulnerabilities. Similar to TIAA, we use a hyper-alert type to encode our knowledge about each type of attack. Our approach differs from TIAA in the definition of the hyper-alert type and in the correlation measure. In addition, our proposal includes a relational database implementation, and the corresponding tables are automatically generated from data sources. IDS and vulnerability scanners fill the database with events.
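The following is an added illustration, not code from the paper, of prerequisite/consequence correlation in which vulnerability scanner results decide which alerts take part. The hyper-alert types, predicate names, hosts and alerts are constructed for the example; it shows how discarding alerts whose attack needs a flaw the target does not have shrinks the correlation graph.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "id kind src dst")

# Constructed hyper-alert types: predicates each attack kind requires,
# predicates it establishes, and the vulnerability it relies on
# (None when the step needs no specific flaw on the target host).
HYPER_ALERT_TYPES = {
    "PORT_SCAN":    {"pre": set(),            "post": {"KnowsService"}, "vuln": None},
    "FTP_EXPLOIT":  {"pre": {"KnowsService"}, "post": {"RootShell"},    "vuln": "ftpd-overflow"},
    "SMTP_EXPLOIT": {"pre": {"KnowsService"}, "post": {"RootShell"},    "vuln": "smtpd-overflow"},
    "BACKDOOR":     {"pre": {"RootShell"},    "post": {"Persistence"},  "vuln": None},
}

def correlate(alerts, scanner_findings, use_vuln_info=True):
    """Return the set of (earlier_id, later_id) edges of the correlation graph.
    An edge links two alerts on the same destination host when a consequence of
    the earlier one satisfies a prerequisite of the later one.  With
    use_vuln_info set, alerts needing a flaw the scanner did not find are dropped.
    """
    def relevant(a):
        needed = HYPER_ALERT_TYPES[a.kind]["vuln"]
        return (not use_vuln_info or needed is None
                or needed in scanner_findings.get(a.dst, set()))

    kept = [a for a in alerts if relevant(a)]   # alerts assumed in time order
    edges = set()
    for i, earlier in enumerate(kept):
        for later in kept[i + 1:]:
            if earlier.dst != later.dst:
                continue
            post = HYPER_ALERT_TYPES[earlier.kind]["post"]
            pre = HYPER_ALERT_TYPES[later.kind]["pre"]
            if post & pre:                     # consequence feeds prerequisite
                edges.add((earlier.id, later.id))
    return edges

# Constructed sample data: one scan, two exploit attempts (only the FTP flaw
# actually exists on the host according to the scanner), then a backdoor.
SCANNER = {"10.0.0.5": {"ftpd-overflow"}}
ALERTS = [
    Alert(1, "PORT_SCAN",    "192.0.2.9", "10.0.0.5"),
    Alert(2, "FTP_EXPLOIT",  "192.0.2.9", "10.0.0.5"),
    Alert(3, "SMTP_EXPLOIT", "192.0.2.9", "10.0.0.5"),
    Alert(4, "BACKDOOR",     "192.0.2.9", "10.0.0.5"),
]

if __name__ == "__main__":
    print("all alerts equal: ", sorted(correlate(ALERTS, SCANNER, False)))
    print("with vuln info:   ", sorted(correlate(ALERTS, SCANNER, True)))
```

Without vulnerability information the SMTP attempt joins the scenario and doubles the edges; with it, the graph keeps only the path that could actually have succeeded on the host.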
