Towards a Collaborative and Systematic Approach to Alert Verification

With the threat from attackers increasing every day, even well-administered networks are vulnerable to attack. Securing network assets has therefore become a significant issue for the corporate world. Traditionally, network security has relied on tools such as firewalls, intrusion detection systems (IDS), anti-virus software and vulnerability scanners. None of these, used alone or in simple combination, can withstand the full range of network threats. In response, collaborative security paradigms are emerging that tightly integrate several security devices to produce more accurate alerts and stronger protection. In this paper we present a collaborative framework for vulnerability-based alert verification. Alongside a systematic analysis of how contextual information is modeled, alert verification is applied on top of intrusion detection to help determine whether a detected attack actually succeeded. The confidence assigned during verification guides the response to each attack and lets an administrator carry out further analysis, identifying the relevant alerts and prioritizing defenses accordingly.
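The core idea of vulnerability-based alert verification, as an added illustration that is not the paper's own code: an IDS alert claims a signature fired against a host and port, and the verifier checks that claim against an asset and vulnerability inventory (the contextual information) before assigning a confidence that the attack could have succeeded. The hosts, services, vulnerability ids and confidence values below are constructed placeholders.

```python
"""Vulnerability-based alert verification (constructed example, not from the paper)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Host:
    services: dict[int, str]                       # port -> service listening there
    vulns: set[str] = field(default_factory=set)   # vulnerability ids the host is exposed to


@dataclass
class Alert:
    dst_ip: str
    dst_port: int
    service: str    # service the IDS signature targets
    vuln_id: str    # vulnerability the signature exploits


# Constructed inventory: the contextual information the framework models.
INVENTORY: dict[str, Host] = {
    "10.0.0.5": Host({22: "ssh", 80: "http"}, {"VULN-HTTP-1"}),
    "10.0.0.6": Host({443: "https"}, set()),
}


def verify_alert(alert: Alert, inventory: dict[str, Host]) -> tuple[float, str]:
    """Return (confidence, reason); higher means the attack more likely succeeded."""
    host = inventory.get(alert.dst_ip)
    if host is None:
        return 0.5, "target not in inventory: cannot verify"
    svc = host.services.get(alert.dst_port)
    if svc is None:
        return 0.1, "target port not open"
    if svc != alert.service:
        return 0.2, f"port serves {svc}, not {alert.service}"
    if alert.vuln_id not in host.vulns:
        return 0.3, "service present but not vulnerable"
    return 0.9, "service present and vulnerable"


def prioritize(alerts: list[Alert], inventory: dict[str, Host]) -> list[tuple[float, Alert, str]]:
    """Rank alerts so likely-successful attacks are handled first."""
    scored = []
    for alert in alerts:
        confidence, reason = verify_alert(alert, inventory)
        scored.append((confidence, alert, reason))
    return sorted(scored, key=lambda item: item[0], reverse=True)
```

Unknown hosts deliberately sit in the middle of the ranking: missing context should neither dismiss an alert nor promote it ahead of a verified hit.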
