TIAA: A visual toolkit for intrusion alert analysis

This paper presents the development of TIAA, a visual toolkit for intrusion alert analysis. TIAA is developed to provide an interactive platform for analyzing potentially large sets of intrusion alerts reported by heterogeneous intrusion detection systems (IDSs). To ensure timely response from the system, TIAA adapts main memory index structures and query optimization techniques to improve the efficiency of intrusion alert correlation. TIAA includes a number of useful utilities to help analyze potentially intensive intrusion alerts, including alert aggregation/disaggregation, clustering analysis, focused analysis, frequency analysis, link analysis, and association analysis. Moreover, TIAA provides several ways to visualize the analysis results, making it easier for a human analyst to understand the analysis results. It is envisaged that a human analyst and TIAA form a man-machine team, with TIAA performing automated tasks such as intrusion alert correlation and execution of analysis utilities, and the human analyst deciding what sets of alerts to analyze and how the analysis utilities are applied.
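The alert correlation over a main-memory index that the abstract refers to, as an added Python example that is not TIAA's code: it assumes a hypothetical prerequisite/consequence knowledge base for four alert types, a constructed alert stream and a fixed time window, and indexes instantiated consequence predicates so each new alert finds the earlier alerts preparing for it by binary search rather than a scan of the whole alert set.

```python
from bisect import bisect_left, insort
from collections import defaultdict

# Constructed, hypothetical alert-type knowledge (not TIAA's): each alert type
# requires some predicates on the destination host and establishes others.
ALERT_TYPES = {
    "PortScan":    (set(),               {"HostReachable"}),
    "RpcProbe":    ({"HostReachable"},   {"RpcServiceKnown"}),
    "RpcOverflow": ({"RpcServiceKnown"}, {"RootAccess"}),
    "DdosInstall": ({"RootAccess"},      {"DdosAgentReady"}),
}

class CorrelationIndex:
    """Main-memory index: (consequence predicate, host) -> sorted (timestamp, alert id)."""

    def __init__(self, window):
        self.window = window                # seconds an established predicate stays usable
        self.index = defaultdict(list)

    def add(self, alert):
        """Index the alert's consequences; return ids of earlier alerts that prepare for it."""
        aid, host, ts = alert["id"], alert["dst"], alert["ts"]
        prereqs, conseqs = ALERT_TYPES[alert["type"]]
        prepared_by = set()
        for p in prereqs:
            entries = self.index[(p, host)]
            # Binary search to the start of the time window instead of scanning every alert.
            for e_ts, e_id in entries[bisect_left(entries, (ts - self.window, "")):]:
                if e_ts >= ts:
                    break
                prepared_by.add(e_id)
        for c in conseqs:
            insort(self.index[(c, host)], (ts, aid))   # keeps each posting list sorted
        return sorted(prepared_by)

# Constructed sample alert stream (ids, hosts and timestamps are made up).
SAMPLE_ALERTS = [
    {"id": "a1", "type": "PortScan",    "dst": "10.0.0.5", "ts": 100},
    {"id": "a2", "type": "RpcProbe",    "dst": "10.0.0.5", "ts": 130},
    {"id": "a3", "type": "RpcProbe",    "dst": "10.0.0.9", "ts": 140},  # host never scanned
    {"id": "a4", "type": "RpcOverflow", "dst": "10.0.0.5", "ts": 200},
    {"id": "a5", "type": "DdosInstall", "dst": "10.0.0.5", "ts": 900},  # outside the window
]

def correlate(alerts, window=600):
    """Return {alert id: [ids of alerts that prepare for it]} for a time-ordered stream."""
    idx = CorrelationIndex(window)
    return {a["id"]: idx.add(a) for a in sorted(alerts, key=lambda a: a["ts"])}
```

Alerts a1, a2 and a4 form one chained scenario on 10.0.0.5, while a3 (no scan on its host) and a5 (prerequisite established outside the window) stay uncorrelated.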
