Knowledge-Based Model to Represent Security Information and Reason About Multi-stage Attacks

In an intrusion detection context, neither of the main detection approaches (signature-based and anomaly-based) is fully satisfactory. False positives and false negatives are the major limitations of such systems, and the alerts they generate are elementary and arrive in huge numbers. Hence, alert correlation techniques are used to provide a complementary analysis that links elementary alerts and gives a more global view of an intrusion. It has been widely recognised that real cyber attacks consist of phases that are temporally ordered and logically connected.
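To make the correlation idea concrete, here is an added toy correlator (example code written for this page, not the paper's model): it links elementary alerts into multi-stage chains when they share an attacker/victim pair, their prerequisites are provided by earlier stages, and they fall inside a time window. The requires/provides knowledge base, alert types, capability names, addresses and timestamps are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed requires/provides knowledge base (an assumption, not the paper's model):
KNOWLEDGE_BASE = {
    "port_scan":    (set(),               {"host_enumerated"}),
    "sqli_probe":   ({"host_enumerated"}, {"sqli_found"}),
    "sqli_dump":    ({"sqli_found"},      {"creds_stolen"}),
    "remote_login": ({"creds_stolen"},    {"shell_access"}),
}

@dataclass
class Alert:
    ts: int    # event time in seconds (constructed values)
    src: str   # attacker address
    dst: str   # victim address
    kind: str  # elementary alert type, keyed into KNOWLEDGE_BASE

def correlate(alerts: List[Alert], window: int = 3600) -> List[List[Alert]]:
    """Link elementary alerts into chains. An alert joins a chain when it shares the
    attacker/victim pair, all its prerequisites are provided by earlier stages (logical
    connection) and it is within `window` s of the previous stage (temporal ordering)."""
    chains: List[dict] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        requires, provides = KNOWLEDGE_BASE.get(a.kind, (set(), set()))
        for c in chains:
            prev = c["alerts"][-1]
            if ((prev.src, prev.dst) == (a.src, a.dst) and requires
                    and requires <= c["caps"] and a.ts - c["last"] <= window):
                c["alerts"].append(a)
                c["caps"] |= provides
                c["last"] = a.ts
                break
        else:  # for/else: no chain accepted the alert, so it starts its own (nothing is lost)
            chains.append({"alerts": [a], "caps": set(provides), "last": a.ts})
    return [c["alerts"] for c in chains]

def multi_stage(alerts: List[Alert], window: int = 3600) -> List[List[Alert]]:
    return [c for c in correlate(alerts, window) if len(c) > 1]  # the global intrusion view

# Constructed sample: one SQLi intrusion, an unrelated scan, a dump whose prerequisite was never seen, a late login.
SAMPLE_ALERTS = [
    Alert(1000, "10.0.0.5", "10.0.1.20", "port_scan"),
    Alert(1600, "10.0.0.5", "10.0.1.20", "sqli_probe"),
    Alert(2000, "10.0.0.5", "10.0.1.20", "sqli_dump"),
    Alert(2500, "10.0.0.5", "10.0.1.20", "remote_login"),
    Alert(3000, "10.0.0.9", "10.0.1.20", "port_scan"),
    Alert(9999, "10.0.0.7", "10.0.1.30", "sqli_dump"),
    Alert(20000, "10.0.0.5", "10.0.1.20", "remote_login"),
]
```

Running `multi_stage(SAMPLE_ALERTS)` yields a single four-stage chain; the three remaining alerts stay as single-alert chains because the pair, the prerequisites or the window do not match.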
