Abstract
Among the challenges in the field of network security management, one significant problem is the increasing difficulty in identifying the security incidents which pose true threat to the protected network system from tremendous volume of raw security alerts. This paper presents our work on integrated management of network security data for true threat identification within the SATA (Security Alert and Threat Analysis) project. An algorithm for real-time threat analysis of security alerts is presented. Early experiments performed in a branch network of CERNET (China Education and Research Network) including an attack testing sub-network have shown that the system can effectively identify true threats from various security alerts.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Manganaris, S., et al.: A data mining analysis of rtid alarms. Computer Networks 34(4), 571–577 (2000)
Julisch, K.: Mining alarm clusters to improve alarm handling efficiency. In: Proceedings 17th Annual Computer Security Applications Conference, New Orleans, LA, USA, pp. 12–13. IEEE Computer Society Press, Los Alamitos (2001)
Porras, P.A., Fong, M.W., Valdes, A.: A mission-impact-based approach to infosec alarm correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 95. Springer, Heidelberg (2002)
Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)
Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th Annual Computer Security Applications Conference, New Orleans, Louisiana (2001)
Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, Springer, Heidelberg (2001)
Siraj, A., Vaughn, R.B.: Multi-level alert clustering for intrusion detection sensor data. In: 2005 Annual Meeting of the North American Fuzzy Information Processing Society, Detroit, MI, USA, pp. 748–753. IEEE Computer Society Press, Los Alamitos (2005)
Templeton, S.J., Levitt, K.: A requires/provides model for computer attacks. In: Proceedings New Security Paradigm Workshop, Ballycotton, Ireland, p. 31. ACM, New York (2001)
Ning, P., et al.: Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security 7(2), 274 (2004)
Ning, P., Xu, D.: Alert correlation through triggering events and common resources. In: Proceedings of the 20th Annual Computer Security Applications Conference, Tucson, AZ, USA, pp. 360–361. IEEE Computer Society Press, Los Alamitos (2004)
Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings 2002 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 12–15 May 2002, p. 202. IEEE Computer Society Press, Los Alamitos (2002)
Lee, W., Qin, X.: Statistical causality analysis of infosec alert data. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 73–94. Springer, Heidelberg (2003)
Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of the USENIX LISA 99 Conference (1999)
Sourcefire, I.: Realtime network awareness (2004), http://www.sourcefire.com
Kruegel, C., Robertson, W.: Alert verification: Determining the success of intrusion attempts. In: Proc. First Workshop the Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2004) (2004)
Nessus: Nessus vulnerability scanner, http://www.nessus.org/
Desai, N.: Ids correlation of va data and ids alerts (June 2003), http://www.securityfocus.com/infocus/1708
Eschelbeck, G., Krieger, M.: Eliminating noise from intrusion detection systems. Information Security Technical Report 8(4), 26 (2003)
Gula, R.: Correlating ids alerts with vulnerability information. Technical report (Dec. 2002)
Morin, B., et al.: M2d2: a formal data model for ids alert correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 115. Springer, Heidelberg (2002)
Wang, L., Li, Z.-t., Wang, Q.-h.: A novel technique of recognizing multi-stage attack behaviour. In: Proceedings. International Workshop on Networking, Architecture, and Storages, ShenYang, China, 1-3 Aug. 2006, pp. 188–193. IEEE Computer Society Press, Los Alamitos (2006)
CVE: Common vulnerabilities and exposures, http://www.cve.mitre.org/
NVD: National vulnerability database, http://nvd.nist.gov/
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Li, Zt., Lei, J., Wang, L., Li, D., Ma, Ym. (2007). Towards Identifying True Threat from Network Security Data. In: Yang, C.C., et al. Intelligence and Security Informatics. PAISI 2007. Lecture Notes in Computer Science, vol 4430. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71549-8_14
Download citation
DOI: https://doi.org/10.1007/978-3-540-71549-8_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-71548-1
Online ISBN: 978-3-540-71549-8
eBook Packages: Computer ScienceComputer Science (R0)