A logic-based model to support alert correlation in intrusion detection

Managing and supervising security in large networks has become a challenging task, as new threats and flaws are being discovered on a daily basis. This requires an in depth and up-to-date knowledge of the context in which security-related events occur. Several tools have been proposed to support security operators in this task, each of which focuses on some specific aspects of the monitoring. Many alarm fusion and correlation approaches have also been investigated. However, most of these approaches suffer from two major drawbacks. First, they only take advantage of the information found in alerts, which is not sufficient to achieve the goals of alert correlation, that is to say to reduce the overall amount of alerts, while enhancing their semantics. Second, these techniques have been designed on an ad hoc basis and lack a shared data model that would allow them to reason about events in a cooperative way. In this paper, we propose a federative data model for security systems to query and assert knowledge about security incidents and the context in which they occur. This model constitutes a consistent and formal ground to represent information that is required to reason about complementary evidences, in order to confirm or invalidate alerts raised by intrusion detection systems.

[1]  Stefanos Manganaris,et al.  A Data Mining Analysis of RTID Alarms , 2000, Recent Advances in Intrusion Detection.

[2]  Sushil Jajodia,et al.  Modeling requests among cooperating intrusion detection systems , 2000, Comput. Commun..

[3]  Ludovic Mé,et al.  A Language Driven Intrusion Detection System for Event and Alert Correlation , 2004 .

[4]  Hervé Debar,et al.  M2D2: A Formal Data Model for IDS Alert Correlation , 2002, RAID.

[5]  Sébastien Ferré,et al.  Camelis: a logical information system to organise and browse a collection of documents , 2009, Int. J. Gen. Syst..

[6]  Timothy W. Finin,et al.  A Target-Centric Ontology for Intrusion Detection , 2003, IJCAI 2003.

[7]  Alfonso Valdes,et al.  A Mission-Impact-Based Approach to INFOSEC Alarm Correlation , 2002, RAID.

[8]  Ludovic Mé,et al.  ADeLe: An Attack Description Language for Knowledge-Based Intrusion Detection , 2001, SEC.

[9]  B. Tung The Common Intrusion Specification Language: a retrospective , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[10]  Frédéric Cuppens,et al.  Managing alerts in a multi-intrusion detection environment , 2001, Seventeenth Annual Computer Security Applications Conference.

[11]  Diego Calvanese,et al.  The Description Logic Handbook , 2007 .

[12]  Frédéric Cuppens,et al.  LAMBDA: A Language to Model a Database for Detection of Attacks , 2000, Recent Advances in Intrusion Detection.

[13]  Peng Ning,et al.  Building Attack Scenarios through Integration of Complementary Alert Correlation Method , 2004, NDSS.

[14]  Hervé Debar,et al.  Aggregation and Correlation of Intrusion-Detection Alerts , 2001, Recent Advances in Intrusion Detection.

[15]  Thomas A. Longstaff,et al.  A common language for computer security incidents , 1998 .

[16]  Hervé Debar,et al.  Improving security management through passive network observation , 2006, First International Conference on Availability, Reliability and Security (ARES'06).

[17]  Giovanni Vigna,et al.  NetSTAT: A Network-based Intrusion Detection System , 1999, J. Comput. Secur..

[18]  Giovanni Vigna,et al.  Intrusion detection: a brief history and overview , 2002 .

[19]  Christopher Krügel,et al.  Comprehensive approach to intrusion detection alert correlation , 2004, IEEE Transactions on Dependable and Secure Computing.

[20]  Sergei Nirenburg,et al.  Ontology in information security: a useful theoretical foundation and methodological tool , 2001, NSPW '01.

[21]  Marc Dacier,et al.  A revised taxonomy for intrusion-detection systems , 2000, Ann. des Télécommunications.

[22]  Rasool Jalili,et al.  Using Description Logics for Network Vulnerability Analysis , 2006, International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies (ICNICONSMCL'06).

[23]  Frédéric Cuppens,et al.  Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[24]  Hervé Debar,et al.  Correlation of Intrusion Symptoms: An Application of Chronicles , 2003, RAID.

[25]  Robert P. Goldman,et al.  Information modeling for intrusion report aggregation , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[26]  Anupam Joshi,et al.  Modeling Computer Attacks: An Ontology for Intrusion Detection , 2003, RAID.

[27]  Klaus Julisch,et al.  Clustering intrusion detection alarms to support root cause analysis , 2003, TSEC.

[28]  Hervé Debar,et al.  Conceptual Analysis of Intrusion Alarms , 2005, ICIAP.

[29]  Alfonso Valdes,et al.  Probabilistic Alert Correlation , 2001, Recent Advances in Intrusion Detection.

[30]  Steven J. Templeton,et al.  A requires/provides model for computer attacks , 2001, NSPW '00.