
An Efficient and Unified Approach to Correlating, Hypothesizing, and Predicting Intrusion Alerts

  • Lingyu Wang
  • Anyi Liu
  • Sushil Jajodia
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3679)

Abstract

To defend against a multi-step network intrusion, its progress needs to be monitored and predicted in real-time. For this purpose, isolated alerts must be correlated into attack scenarios as soon as the alerts arrive. Such efficient correlation of alerts demands an in-memory index to be built on received alerts. However, the finite memory implies that only a limited number of alerts inside a sliding window can be considered for correlation. Knowing this fact, an attacker can prevent two attack steps from both falling into the sliding window by either passively delaying the second step or actively invoking bogus alerts between the two steps. In either case, the correlation effort is defeated.

In this paper, we first address the above issue with a novel queue graph (QG) approach. Instead of explicitly correlating a new alert to all the old alerts that prepare for it, the approach correlates the new alert only to the latest alert of each type. Correlation with the older alerts of that type is kept implicit through the temporal order between alerts. Consequently, the approach has a memory requirement that is quadratic in the number of alert types, and it can correlate two alerts that are arbitrarily far apart (in effect, an infinitely large sliding window with a quadratic memory requirement). Our second contribution is a unified method based on the QG approach that correlates received alerts, hypothesizes missing alerts, and predicts future alerts all at the same time. Empirical results show that our method can fulfill those tasks faster than an IDS can report alerts. The method is thus a promising solution for administrators who need to monitor and predict the progress of an intrusion and take appropriate countermeasures in a timely manner.
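The abstract's contrast between a fixed sliding window and the queue-graph (QG) idea can be made concrete in a few dozen lines. The following is an added illustration written for this page, not the paper's own implementation: the `PREPARES_FOR` attack graph, the alert types, and the alert stream are all constructed for the example, and `QueueGraphCorrelator` is a deliberately simplified model of the QG (one slot per alert type holding the latest alert, one slot per prepares-for pair of types). It shows why a window of fixed size can be defeated by filler alerts between two attack steps while the QG still correlates them, why the QG's memory stays bounded by the number of types rather than the number of alerts, how an overwritten older alert is still correlated implicitly via temporal order, and how the same structure yields hypothesized missing steps and predicted next steps.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    seq: int     # arrival order; stands in for the alert timestamp
    atype: str   # alert type reported by the IDS


# Hypothetical attack graph for the example: each key type prepares for the value types.
PREPARES_FOR = {
    "Scan": {"Exploit"},
    "Exploit": {"Escalate"},
    "Escalate": {"Exfil"},
    "Exfil": set(),
    "Noise": set(),          # unrelated alerts that may land between two real steps
}


class SlidingWindowCorrelator:
    """Baseline: keep the last `window` alerts and compare each new alert to all of them."""

    def __init__(self, prepares_for, window):
        self.prepares_for = prepares_for
        self.window = deque(maxlen=window)   # oldest alert is evicted when full
        self.correlated = []                 # (earlier, later) pairs found

    def receive(self, alert):
        for old in self.window:
            if alert.atype in self.prepares_for.get(old.atype, set()):
                self.correlated.append((old, alert))
        self.window.append(alert)


class QueueGraphCorrelator:
    """Simplified QG: one slot per type (latest alert) plus one per prepares-for pair."""

    def __init__(self, prepares_for):
        self.prepares_for = prepares_for
        self.latest = {}         # atype -> latest alert of that type
        self.edges = {}          # (i, j) -> (latest i-alert, the j-alert it prepared for)
        self.correlated = []     # explicit (earlier, later) pairs, kept only for comparison
        self.hypothesized = []   # (alert, predecessor types that were never observed)
        self.predicted = []      # (alert, types expected next according to the graph)

    def receive(self, alert):
        preds = {i for i, js in self.prepares_for.items() if alert.atype in js}
        seen = {i for i in preds if i in self.latest}
        for i in seen:
            self.edges[(i, alert.atype)] = (self.latest[i], alert)
            self.correlated.append((self.latest[i], alert))
        if preds and not seen:               # a required earlier step was never reported
            self.hypothesized.append((alert, preds))
        self.latest[alert.atype] = alert     # overwrite: memory never grows with the stream
        nxt = self.prepares_for.get(alert.atype, set())
        if nxt:
            self.predicted.append((alert, nxt))

    def slots_in_use(self):
        """Bounded by |types| + |prepares-for pairs|, independent of alerts received."""
        return len(self.latest) + len(self.edges)

    def is_correlated(self, earlier, later):
        """Implicit correlation: an older i-alert also prepares for `later` because it
        precedes the latest i-alert recorded on the (i, later.atype) edge."""
        rec = self.edges.get((earlier.atype, later.atype))
        return rec is not None and rec[1] == later and earlier.seq <= rec[0].seq


def constructed_stream(filler, scans=1):
    """`scans` Scan alerts, then `filler` unrelated alerts, then the remaining steps."""
    types = ["Scan"] * scans + ["Noise"] * filler + ["Exploit", "Escalate", "Exfil"]
    return [Alert(seq, t) for seq, t in enumerate(types, start=1)]


def compare(filler=50, window=10, scans=1):
    alerts = constructed_stream(filler, scans)
    sw = SlidingWindowCorrelator(PREPARES_FOR, window)
    qg = QueueGraphCorrelator(PREPARES_FOR)
    for a in alerts:
        sw.receive(a)
        qg.receive(a)

    def pairs(c):
        return sorted((e.atype, l.atype) for e, l in c.correlated)

    first_scan = next((a for a in alerts if a.atype == "Scan"), None)
    exploit = next(a for a in alerts if a.atype == "Exploit")
    return {
        "window_pairs": pairs(sw),
        "qg_pairs": pairs(qg),
        "qg_slots": qg.slots_in_use(),
        "hypothesized": [(a.atype, sorted(p)) for a, p in qg.hypothesized],
        "predicted": [(a.atype, sorted(n)) for a, n in qg.predicted],
        "implicit": qg.is_correlated(first_scan, exploit) if first_scan else None,
    }


if __name__ == "__main__":
    for key, value in compare(filler=50, window=10, scans=2).items():
        print(key, value)
```

With 50 filler alerts and a window of 10, the window-based correlator never links the Scan to the Exploit, whereas the QG does; raising the filler count to thousands leaves the QG's slot count unchanged. The `is_correlated` query shows the temporal-order argument: after a second Scan overwrites the first, the first Scan is still recognised as preparing for the Exploit. Feeding a stream without any Scan produces a hypothesized missing Scan on arrival of the Exploit, and every non-terminal alert yields a prediction of the next expected types.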

Keywords

Intrusion Detection, Security Condition, Result Graph, Attack Scenario, Attack Graph


Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Lingyu Wang, Center for Secure Information Systems, George Mason University, Fairfax, USA
  • Anyi Liu, Center for Secure Information Systems, George Mason University, Fairfax, USA
  • Sushil Jajodia, Center for Secure Information Systems, George Mason University, Fairfax, USA
