Probabilistic Alert Correlation

Conference paper, Recent Advances in Intrusion Detection (RAID 2001)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2212)

Abstract

With the growing deployment of host and network intrusion detection systems, managing reports from these systems becomes critically important. We present a probabilistic approach to alert correlation, extending ideas from multisensor data fusion. Features used for alert correlation are based on alert content that anticipates evolving IETF standards. The probabilistic approach provides a unified mathematical framework for correlating alerts that match closely but not perfectly, where the minimum degree of match required to fuse alerts is controlled by a single configurable parameter. Only features in common are considered in the fusion algorithm. For each feature we define an appropriate similarity function. The overall similarity is weighted by a specifiable expectation of similarity. In addition, a minimum similarity may be specified for some or all features. Features in this set must match at least as well as the minimum similarity specification in order to combine alerts, regardless of the goodness of match on the feature set as a whole. Our approach correlates attacks over time, correlates reports from heterogeneous sensors, and correlates multiple attack steps.

This research is sponsored by DARPA under contract numbers F30602-99-C-0149 and N66001-00-C-8058. The views herein are those of the author(s) and do not necessarily reflect the views of the supporting agency.
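The abstract describes fusing alerts by a weighted combination of per-feature similarities over the features two alerts share, with a single threshold and optional per-feature minimum-similarity vetoes. The following is an added example that is not the paper's code or SRI's EMERALD implementation; the feature names, similarity functions, expectation weights, minimums and sample alerts are all constructed assumptions for illustration.

```python
"""Weighted similarity-based alert fusion in the style sketched by the abstract.
Everything here (features, similarity functions, weights, thresholds, sample
alerts) is a constructed assumption, not taken from the paper."""
from ipaddress import ip_address

def sim_exact(a, b):
    """Similarity for categorical features: identical or not."""
    return 1.0 if a == b else 0.0

def sim_ip(a, b):
    """Fraction of leading address bits in common (same host 1.0, same /24 0.75, ...)."""
    x, y = int(ip_address(a)), int(ip_address(b))
    return (32 - (x ^ y).bit_length()) / 32.0

def sim_time(a, b, window=600.0):
    """Linear decay to 0 once two events are more than `window` seconds apart."""
    return max(0.0, 1.0 - abs(a - b) / window)

# Per-feature similarity function (assumed feature set).
SIMILARITY = {"src_ip": sim_ip, "dst_ip": sim_ip, "dst_port": sim_exact,
              "time": sim_time, "attack_class": sim_exact}
# Expectation of similarity: how strongly each feature is expected to agree
# when two alerts stem from the same attack; it acts as the feature's weight.
EXPECTATION = {"src_ip": 1.0, "dst_ip": 0.8, "dst_port": 0.5,
               "time": 0.7, "attack_class": 0.6}
# Minimum similarity: these features must match at least this well, or the
# alerts are never fused no matter how good the overall match is.
MINIMUM = {"dst_ip": 0.75}

def overall_similarity(a, b):
    """Weighted similarity over the features both alerts carry; 0.0 on a veto."""
    common = [f for f in a if f in b and f in SIMILARITY]
    if not common:
        return 0.0
    sims = {f: SIMILARITY[f](a[f], b[f]) for f in common}
    if any(sims[f] < MINIMUM[f] for f in common if f in MINIMUM):
        return 0.0
    return sum(EXPECTATION[f] * sims[f] for f in common) / sum(EXPECTATION[f] for f in common)

def should_fuse(a, b, threshold=0.6):
    """The single configurable parameter: minimum overall similarity to fuse."""
    return overall_similarity(a, b) >= threshold

# Constructed sample alerts from two heterogeneous sensors (note differing feature sets).
ALERT_NET = {"src_ip": "10.0.0.5", "dst_ip": "192.168.1.10", "dst_port": 80,
             "time": 1000.0, "attack_class": "probe"}
ALERT_HOST = {"dst_ip": "192.168.1.10", "time": 1120.0, "attack_class": "probe"}
ALERT_OTHER_DST = dict(ALERT_NET, dst_ip="192.168.2.10")  # same /16, different /24

if __name__ == "__main__":
    print(overall_similarity(ALERT_NET, ALERT_HOST), should_fuse(ALERT_NET, ALERT_HOST))
    print(overall_similarity(ALERT_NET, ALERT_OTHER_DST))  # vetoed by the dst_ip minimum
```

With these weights the network and host alerts share dst_ip, time and attack_class and score about 0.93, so they fuse; the third alert scores 0.0 because its dst_ip similarity (22 of 32 bits, 0.6875) falls below the 0.75 minimum even though every other shared feature matches exactly.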




© 2001 Springer-Verlag Berlin Heidelberg

Cite this paper

Valdes, A., Skinner, K. (2001). Probabilistic Alert Correlation. In: Lee, W., Mé, L., Wespi, A. (eds) Recent Advances in Intrusion Detection. RAID 2001. Lecture Notes in Computer Science, vol 2212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45474-8_4

  • DOI: https://doi.org/10.1007/3-540-45474-8_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-42702-5

  • Online ISBN: 978-3-540-45474-8
