Skip to main content
SpringerLink
Log in
Book cover

International Workshop on Recent Advances in Intrusion Detection

RAID 2003: Recent Advances in Intrusion Detection pp 73–93Cite as

Statistical Causality Analysis of INFOSEC Alert Data

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2820))

Abstract

With the increasingly widespread deployment of security mechanisms, such as firewalls, intrusion detection systems (IDSs), antivirus software and authentication services, the problem of alert analysis has become very important. The large amount of alerts can overwhelm security administrators and prevent them from adequately understanding and analyzing the security state of the network, and initiating appropriate response in a timely fashion. Recently, several approaches for alert correlation and attack scenario analysis have been proposed. However, these approaches all have limited capabilities in detecting new attack scenarios. In this paper, we study the problem of security alert correlation with an emphasis on attack scenario analysis. In our framework, we use clustering techniques to process low-level alert data into high-level aggregated alerts, and conduct causal analysis based on statistical tests to discover new relationships among attacks. Our statistical causality approach complements other approaches that use hard-coded prior knowledge for pattern matching. We perform a series of experiments to validate our method using DARPA’s Grand Challenge Problem (GCP) datasets and the DEF CON 9 datasets. The results show that our approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Cabrera, J.B.D., Lewis, L., Qin, X., Lee, W., Prasanth, R.K., Ravichandran, B., Mehra, R.K.: Proactive detection of distributed denial of service attacks using mib traffic variables - a feasibility study. In: Proceedings of IFIP/IEEE International Symposium on Integrated Network Management, IM 2001 (May 2001)

    Google Scholar 

  2. Cabrera, J.B.D., Mehra, R.K.: Extracting precursor rules from time series - a classical statistical viewpoint. In: Proceedings of the Second SIAM International Conference on Data Mining, pp. 213–228, Arlington, VA, USA (April 2002)

    Google Scholar 

  3. Cabrera, J.B.D., Lewis, L., Qin, X., Lee, W., Mehra, R.K.: Proactive intrusion detection and distributed denial of service attacks - a case study in security management. Journal of Network and Systems Management 10(2) (June 2002)

    Google Scholar 

  4. Cheung, S., Lindqvist, U., Fong, M.W.: Modeling multistep cyber attacks for scenario recognition. In: Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX III), Washington, D.C. (April 2003)

    Google Scholar 

  5. Cuppens, F., Miège, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 202–215, Oakland, CA (May 2002)

    Google Scholar 

  6. DAPRA Cyber Panel Program. DARPA cyber panel program grand challenge problem, GCP (2003), http://ia.dc.teknowledge.com/CyP/GCP/

  7. Debar, H., Wespi, A.: The intrusion-detection console correlation mechanism. In: 4th International Symposium on Recent Advances in Intrusion Detection (RAID) (October 2001)

    Google Scholar 

  8. DEFCON. Def con capture the flag (ctf) contest (2000), http://www.defcon.org Archive accessible at http://wi2600.org/mediawhore/mirrors/shmoo/

  9. DEFCON. Def con capture the flag (ctf) contest, http://www.defcon.org (2001), Archive accessible at http://smokeping.planetmirror.com/pub/cctf/defcon9/

  10. Goldman, R.P., Heimerdinger, W., Harp, S.A.: Information modleing for intrusion report aggregation. In: DARPA Information Survivability Conference and Exposition (DISCEX II) (June 2001)

    Google Scholar 

  11. Granger, C.W.J.: Investigating causal relations by econometric methods and crossspectral methods. Econometrica 34, 424–428 (1969)

    Article  Google Scholar 

  12. IETF Intrusion Detection Working Group. Intrusion detection message exchange format (2002), http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-09.txt

  13. Haines, J., Ryder, D.K., Tinnel, L., Taylor, S.: Validation of sensor alert correlators. IEEE Security & Privacy Magazine (January/February 2003)

    Google Scholar 

  14. Hamilton, J.: Time Series Analysis. Princeton University Press, Princeton (1994)

    MATH  Google Scholar 

  15. Hayter, A.J.: Probability and Statistics for Engineers and Scientists. Duxbury Press (2002)

    Google Scholar 

  16. Jakobson, G., Weissman, M.D.: Alarm correlation. IEEE Network Magazine (November 1993)

    Google Scholar 

  17. Julisch, K., Dacier, M.: Mining intrusion detection alarms for actionable knowledge. In: The 8th ACM International Conference on Knowledge Discovery and Data Mining (July 2002)

    Google Scholar 

  18. Kliger, S., Yemini, S., Yemini, Y., Oshie, D., Stolfo, S.: A coding approach to event correlations. In: Proceedings of the 6th IFIP/IEEE International Symposium on Integrated Network Management (May 1995)

    Google Scholar 

  19. Lewis, L.: A case-based reasoning approach to the management of faults in communication networks. In: Proceedings of the IEEE INFOCOM (1993)

    Google Scholar 

  20. Ljung, G.M., Box, G.E.P.: On a measure of lack of fit in time series models. Biometrika 65, 297–303 (1978)

    Article  MATH  Google Scholar 

  21. Ning, P., Cui, Y., Reeves, D.S.: Analyzing intensive intrusion alerts via correlation. In: Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID) (October 2002)

    Google Scholar 

  22. Ning, P., Cui, Y., Reeves, D.S.: Constructing attack scenarios through correlation of intrusion alerts. In: 9th ACM Conference on Computer and Communications Security (November 2002)

    Google Scholar 

  23. Nygate, Y.A.: Event correlation using rule and object based techniques. In: Proceedings of the 6th IFIP/IEEE International Symposium on Integrated Network Management (May 1995)

    Google Scholar 

  24. Pearl, J.: Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. Morgan Kaufmann Publishers, Inc., San Francisco (1988)

    Google Scholar 

  25. Porras, P.A., Fong, M.W., Valdes, A.: A Mission-Impact-Based approach to INFOSEC alarm correlation. In: Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID) (October 2002)

    Google Scholar 

  26. Stallings, W.: SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley, Reading (1999)

    Google Scholar 

  27. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID) (October 2001)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Georgia Institute of Technology, College of Computing, Atlanta, GA, 30332, USA

    Xinzhou Qin & Wenke Lee

Authors
  1. Xinzhou Qin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wenke Lee
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, University of California Santa Barbara, 93106-5110, Santa Barbara, CA, USA

    Giovanni Vigna

  2. Secure Systems Lab, Technical University of Vienna, 1040, Vienna, Austria

    Christopher Kruegel

  3. Department of Computer Science and Engineering, Chalmers University of Technology, SE-412 96, Göteborg, Sweden

    Erland Jonsson

Rights and permissions

Reprints and permissions

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Qin, X., Lee, W. (2003). Statistical Causality Analysis of INFOSEC Alert Data. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-45248-5_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40878-9

  • Online ISBN: 978-3-540-45248-5

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation