M4D4: a Logical Framework to Support Alert Correlation in Intrusion Detection

Managing and supervising security in large networks has become a challenging task, as new threats and flaws are discovered on a daily basis. This requires in-depth and up-to-date knowledge of the context in which security-related events occur. Several tools have been proposed to support security operators in this task, each focusing on specific aspects of the monitoring. Many alarm fusion and correlation approaches have also been investigated. However, most of these approaches suffer from two major drawbacks. First, they only take advantage of the information found in alerts, which is not sufficient to achieve the goals of alert correlation, that is, to reduce the overall number of alerts while enhancing their semantics. Second, these techniques have been designed on an ad-hoc basis and lack a shared data model that would allow them to reason about events in a cooperative way. In this paper, we propose a federative data model for security systems to query and assert knowledge about security incidents and the context in which they occur. This model constitutes a consistent and formal ground for representing the information required to reason about complementary evidence, in order to confirm or invalidate alerts raised by intrusion detection systems.
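The abstract's central claim, that alert fields alone cannot confirm or invalidate an alert and that a shared model of the monitored context is needed, can be illustrated with a small correlator. The code below is an added example, not M4D4's own model or the paper's code: the host inventory, the weakness identifiers (`W-EXAMPLE-*`), the alert fields and the three verdicts are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Host:
    address: str
    os: str
    ports: FrozenSet[int]            # ports with a listening service
    weaknesses: FrozenSet[str]       # constructed weakness ids known for the host

@dataclass(frozen=True)
class Alert:
    alert_id: str
    target: str
    dest_port: int
    requires: FrozenSet[str]         # weakness ids the signature presupposes
    target_os: Optional[str] = None  # platform the signature applies to, if any

def assess(alert: Alert, inventory: Dict[str, Host]) -> str:
    """Combine alert fields with host context: 'confirmed', 'invalidated' or 'undetermined'."""
    host = inventory.get(alert.target)
    if host is None:
        return "undetermined"        # no context: nothing to reason with
    if alert.dest_port not in host.ports:
        return "invalidated"         # nothing listens on the targeted port
    if alert.target_os and alert.target_os != host.os:
        return "invalidated"         # signature is for another platform
    if alert.requires <= host.weaknesses:
        return "confirmed"           # every precondition is known to hold
    return "undetermined"            # service present, weakness not recorded

def triage(alerts: List[Alert], inventory: Dict[str, Host]) -> Dict[str, List[str]]:
    """Group alert ids by verdict so analysts see the confirmed ones first."""
    groups: Dict[str, List[str]] = {"confirmed": [], "invalidated": [], "undetermined": []}
    for a in alerts:
        groups[assess(a, inventory)].append(a.alert_id)
    return groups

# Constructed sample inventory and alert stream (not real hosts or weaknesses).
INVENTORY = {
    "10.0.0.5": Host("10.0.0.5", "linux", frozenset({22, 80}), frozenset({"W-EXAMPLE-1"})),
    "10.0.0.9": Host("10.0.0.9", "windows", frozenset({445}), frozenset()),
}
ALERTS = [
    Alert("a1", "10.0.0.5", 80, frozenset({"W-EXAMPLE-1"})),               # confirmed
    Alert("a2", "10.0.0.5", 445, frozenset({"W-EXAMPLE-2"}), "windows"),   # port closed
    Alert("a3", "10.0.0.9", 445, frozenset({"W-EXAMPLE-2"}), "windows"),   # weakness unknown
    Alert("a4", "10.0.0.9", 445, frozenset(), "linux"),                    # wrong platform
    Alert("a5", "10.0.0.77", 22, frozenset()),                             # host unknown
]
```

Running `triage(ALERTS, INVENTORY)` keeps one confirmed alert, discards two, and leaves two for the analyst, which is the reduction-with-added-semantics the abstract asks for.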
