Improving the Quality of Alerts with Correlation in Intrusion Detection

Summary With the growing deployment of networks and the Internet, the importance of network security has increased. Recently, however, systems that detect intrusions, which are important in security countermeasures, have been unable to provide proper analysis or an effective defense mechanism. Instead, they have overwhelmed human operators with a large volume of intrusion detection alerts. In this paper, we present an alert correlation technique based on causal relationships between alerts. The goal of the proposed technique is not only to group alerts together, but also to represent the correlated alerts in a way that they reflect the corresponding attack scenarios.

[1]  Somesh Jha,et al.  Global Intrusion Detection in the DOMINO Overlay System , 2004, NDSS.

[2]  Stuart Staniford-Chen,et al.  Practical Automated Detection of Stealthy Portscans , 2002, J. Comput. Secur..

[3]  Anita K. Jones,et al.  Computer System Intrusion Detection: A Survey , 2000 .

[4]  Kristopher Kendall,et al.  A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems , 1999 .

[5]  Peng Ning,et al.  Constructing attack scenarios through correlation of intrusion alerts , 2002, CCS '02.

[6]  Frédéric Cuppens,et al.  Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[7]  Peng Ning,et al.  Hypothesizing and reasoning about attacks missed by intrusion detection systems , 2004, TSEC.

[8]  Yiquan Hu,et al.  TIAA: A Toolkit for Intrusion Alert Analysis , 2004 .

[9]  Hervé Debar,et al.  Aggregation and Correlation of Intrusion-Detection Alerts , 2001, Recent Advances in Intrusion Detection.

[10]  E. Bloedorn,et al.  Data mining for network intrusion detection : How to get started , 2001 .

[11]  Hervé Debar,et al.  Correlation of Intrusion Symptoms: An Application of Chronicles , 2003, RAID.

[12]  Hervé Debar,et al.  M2D2: A Formal Data Model for IDS Alert Correlation , 2002, RAID.

[13]  Alfonso Valdes,et al.  Probabilistic Alert Correlation , 2001, Recent Advances in Intrusion Detection.

[14]  Deborah A. Frincke,et al.  A Novel Framework for Alert Correlation and Understanding , 2004, ACNS.