论文信息 - Real-time multistage attack awareness through enhanced intrusion alert clustering

Real-time multistage attack awareness through enhanced intrusion alert clustering

Correlation and fusion of intrusion alerts to provide effective situation awareness of cyber-attacks has become an active area of research. Snort is the most widely deployed intrusion detection sensor. For many networks and their system administrators, the alerts generated by Snort are the primary indicators of network misuse and attacker activity. However, the volume of the alerts generated in typical networks makes real-time attack scenario comprehension difficult. In this paper, we present an attack-stage oriented classification of alerts using Snort as an example and demonstrate that this effectively improves real-time situation awareness of multistage attacks. We also incorporate this scheme into a real-time attack detection framework and prototype presented by the authors in previous work and provide some results from testing against multistage attack scenarios

[1] Stuart McClure,et al. Hacking Exposed; Network Security Secrets and Solutions , 1999 .

[2] Shambhu J. Upadhyaya,et al. An alert fusion framework for situation awareness of coordinated multistage attacks , 2005, Third IEEE International Workshop on Information Assurance (IWIA'05).

[3] Thomas A. Longstaff,et al. A common language for computer security incidents , 1998 .

[4] Erland Jonsson,et al. How to systematically classify computer security intrusions , 1997, S&P 1997.

[5] Stuart McClure,et al. Hacking Exposed: Network Security Secrets and Solutions, Fourth Edition , 2001 .

[6] George Kurtz,et al. Hacking Exposed , 2005 .

[7] Jeffrey Undercoffer,et al. Modeling Computer Attacks : A Target-Centric Ontology for Intrusion Detection , 2002 .

[8] Michael Hinman,et al. Building a Framework for Situation Awareness , 2004 .

[9] Edward G. Amoroso,et al. Fundamentals of computer security technology , 1994 .