Towards Identifying True Threat from Network Security Data

  • Conference paper
Intelligence and Security Informatics (PAISI 2007)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 4430)

Abstract

Among the challenges in network security management, one significant problem is the increasing difficulty of identifying, from a tremendous volume of raw security alerts, the security incidents that pose a true threat to the protected network. This paper presents our work on integrated management of network security data for true threat identification within the SATA (Security Alert and Threat Analysis) project. An algorithm for real-time threat analysis of security alerts is presented. Early experiments performed in a branch network of CERNET (China Education and Research Network), including an attack testing sub-network, have shown that the system can effectively identify true threats from various security alerts.
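The abstract states the problem (separating the few alerts that matter from the raw alert stream) but does not describe the SATA algorithm itself. The following is an added illustration of the general technique that the alert-correlation literature of this period relies on, namely verifying each alert against an inventory of the targeted host's open services and scanned vulnerabilities and weighting it by asset criticality. It is not the paper's code or algorithm; the alert fields, the inventory, the weights and the threshold are all constructed assumptions for this example.

```python
"""Added example: scoring raw IDS alerts against an asset/vulnerability
inventory to separate likely-true threats from noise.  This is NOT the
SATA algorithm from the paper; alert format, inventory and weights are
constructed for illustration only."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Alert:
    ts: int
    signature: str
    severity: int          # 1 (low) .. 3 (high), as assigned by the sensor
    src: str
    dst: str
    dst_port: int
    cve: Optional[str]     # vulnerability the signature targets, if known


@dataclass
class Asset:
    criticality: float                 # 0..1, business importance of the host
    services: Dict[int, str]           # open port -> product (from scan)
    cves: Set[str] = field(default_factory=set)   # unpatched CVEs (from scan)


# Constructed inventory for two protected hosts (hypothetical addresses).
INVENTORY: Dict[str, Asset] = {
    "10.0.1.10": Asset(1.0, {22: "openssh", 443: "apache"}, {"CVE-2005-0001"}),
    "10.0.1.20": Asset(0.4, {80: "iis"}, set()),
}

# Constructed sample alert stream (hypothetical signatures and CVE ids).
SAMPLE_ALERTS: List[Alert] = [
    Alert(1, "SSH brute force", 2, "203.0.113.5", "10.0.1.10", 22, None),
    Alert(2, "Apache chunked overflow", 3, "203.0.113.5", "10.0.1.10", 443, "CVE-2005-0001"),
    Alert(3, "IIS unicode traversal", 3, "198.51.100.7", "10.0.1.20", 80, "CVE-2005-0002"),
    Alert(4, "Windows RPC exploit", 3, "198.51.100.7", "10.0.1.10", 135, None),
    Alert(5, "Port scan", 1, "198.51.100.7", "10.0.9.9", 80, None),
]


def verification_factor(alert: Alert, asset: Optional[Asset]) -> float:
    """How plausible is it that the attack this alert describes succeeds here?"""
    if asset is None:
        return 0.0                     # target is not a protected host
    if alert.cve is not None:
        # Signature targets a known CVE: verified only if the scan says the
        # host is still vulnerable; otherwise treat as patched/absent noise.
        return 1.0 if alert.cve in asset.cves else 0.1
    if alert.dst_port not in asset.services:
        return 0.1                     # nothing listening on the attacked port
    return 0.5                         # service exists, cannot verify further


def score_alert(alert: Alert, inventory: Dict[str, Asset]) -> float:
    """Threat score = normalised severity x verification x asset criticality."""
    asset = inventory.get(alert.dst)
    crit = asset.criticality if asset else 0.0
    return alert.severity / 3 * verification_factor(alert, asset) * crit


def identify_true_threats(alerts: List[Alert], inventory: Dict[str, Asset],
                          threshold: float = 0.3) -> Dict[Tuple[str, str], float]:
    """Aggregate scores per (attacker, target) pair so that several partially
    verified alerts from one source against one host add up, capped at 1.0.
    Pairs at or above the threshold are reported as true threats."""
    per_pair: Dict[Tuple[str, str], float] = defaultdict(float)
    for a in alerts:
        per_pair[(a.src, a.dst)] += score_alert(a, inventory)
    return {pair: round(min(1.0, s), 3)
            for pair, s in per_pair.items() if s >= threshold}


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a.ts} {a.signature:<26} {a.src}->{a.dst}:{a.dst_port} "
              f"score={score_alert(a, INVENTORY):.3f}")
    print("true threats:", identify_true_threats(SAMPLE_ALERTS, INVENTORY))
```

With the constructed data, the verified Apache alert against the critical host dominates, the SSH brute-force attempt against a listening service is kept at half weight, and the IIS exploit against an unaffected host, the RPC exploit against a closed port, and the scan of an unknown address all fall below the threshold. Only the attacker/target pair 203.0.113.5 -> 10.0.1.10 is reported; any real deployment would tune the factors and threshold against its own false-positive rate.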

Editor information

Christopher C. Yang, Daniel Zeng, Michael Chau, Kuiyu Chang, Qing Yang, Xueqi Cheng, Jue Wang, Fei-Yue Wang, Hsinchun Chen

Copyright information

© 2007 Springer Berlin Heidelberg

About this paper

Cite this paper

Li, Zt., Lei, J., Wang, L., Li, D., Ma, Ym. (2007). Towards Identifying True Threat from Network Security Data. In: Yang, C.C., et al. Intelligence and Security Informatics. PAISI 2007. Lecture Notes in Computer Science, vol 4430. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71549-8_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-71549-8_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-71548-1

  • Online ISBN: 978-3-540-71549-8

  • eBook Packages: Computer Science (R0)