Abstract
To defend against a multi-step network intrusion, its progress needs to be monitored and predicted in real time. For this purpose, isolated alerts must be correlated into attack scenarios as soon as they arrive. Such efficient correlation of alerts demands an in-memory index built over the received alerts. However, finite memory implies that only a limited number of alerts inside a sliding window can be considered for correlation. Knowing this, an attacker can prevent two attack steps from both falling into the sliding window, either passively, by delaying the second step, or actively, by invoking bogus alerts between the two steps. In either case, the correlation effort is defeated.
In this paper, we first address the above issue with a novel queue graph (QG) approach. Instead of explicitly correlating a new alert to all the old alerts that prepare for it, the approach only correlates the new alert to the latest alert of each type. The correlation with other alerts is kept implicit through the temporal order between alerts. Consequently, the approach has a memory requirement that is quadratic in the number of alert types, and it can correlate two alerts that are arbitrarily far apart (in effect, an infinitely large sliding window with a quadratic memory requirement). Our second contribution is a unified method based on the QG approach that can correlate received alerts, hypothesize missing alerts, and predict future alerts all at the same time. Empirical results show that our method can fulfill these tasks faster than an IDS can report alerts. The method is thus a promising solution for administrators to monitor and predict the progress of an intrusion, and to take appropriate countermeasures in a timely manner.
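As an added illustration (not code from the paper), the Python sketch below contrasts a fixed-size sliding-window correlator with a simplified queue-graph correlator that keeps only the latest alert of each type and stores one entry per dependency edge. The attack-step dependencies, alert types, and the alert stream (one scan, five bogus alerts, then an exploit) are constructed for the example; the "missing" and "predicted" outputs are a minimal reading of the hypothesize/predict tasks named in the abstract, not the paper's exact method.

```python
from collections import deque

class Alert:
    """One IDS alert: arrival sequence number and alert type (constructed sample data)."""
    def __init__(self, seq, atype):
        self.seq, self.atype = seq, atype
    def __repr__(self):
        return f"{self.atype}#{self.seq}"

# Assumed attack-step dependencies: alert type -> set of alert types that prepare for it.
PREREQS = {"exploit": {"scan"}, "install_backdoor": {"exploit"}, "ddos": {"install_backdoor"}}

class SlidingWindowCorrelator:
    """Baseline: correlate a new alert only against alerts still inside a fixed-size window."""
    def __init__(self, prereqs, size):
        self.prereqs, self.window = prereqs, deque(maxlen=size)
    def receive(self, alert):
        preps = self.prereqs.get(alert.atype, set())
        found = [a for a in self.window if a.atype in preps]
        self.window.append(alert)          # oldest alert silently falls out once full
        return found

class QueueGraphCorrelator:
    """Queue-graph idea: one 'queue head' (latest alert) per type plus one entry per
    (prerequisite type, alert type) edge, so state is O(n^2) in the number of alert
    types n and does not grow with the number of alerts received."""
    def __init__(self, prereqs):
        self.prereqs, self.latest, self.edges = prereqs, {}, {}
    def receive(self, alert):
        found, missing = [], []
        for p in self.prereqs.get(alert.atype, set()):
            prev = self.latest.get(p)
            if prev is None:
                missing.append(p)          # hypothesize a preparing alert the IDS never reported
            else:
                self.edges[(p, alert.atype)] = (prev, alert)   # explicit link to latest of type p
                found.append(prev)
        self.latest[alert.atype] = alert
        predicted = sorted(t for t, ps in self.prereqs.items() if alert.atype in ps)
        return found, missing, predicted
    def memory_entries(self):
        return len(self.latest) + len(self.edges)

def demo(window_size=3):
    """Feed the constructed stream to both correlators; return what each links the exploit to."""
    stream = [Alert(0, "scan")] + [Alert(i, "noise") for i in range(1, 6)] + [Alert(6, "exploit")]
    sw, qg = SlidingWindowCorrelator(PREREQS, window_size), QueueGraphCorrelator(PREREQS)
    sw_hits = qg_hits = None
    for a in stream:
        sw_hits = sw.receive(a)
        qg_hits, _, _ = qg.receive(a)
    return sw_hits, qg_hits, qg.memory_entries()

if __name__ == "__main__":
    print(demo())   # the window baseline misses scan#0; the queue graph still links it
```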
This work was partially supported by the National Science Foundation under grant CCR-0113515, by Air Force Research Laboratory, Rome under the contract F30602-00-2-0512, and by Army Research Office under the grant DAAD19-03-1-0257.
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Wang, L., Liu, A., Jajodia, S. (2005). An Efficient and Unified Approach to Correlating, Hypothesizing, and Predicting Intrusion Alerts. In: di Vimercati, S.d.C., Syverson, P., Gollmann, D. (eds) Computer Security – ESORICS 2005. ESORICS 2005. Lecture Notes in Computer Science, vol 3679. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11555827_15
DOI: https://doi.org/10.1007/11555827_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28963-0
Online ISBN: 978-3-540-31981-8