Abstract
Most existing intrusion detection systems (IDS) generate large numbers of alerts, many of which are false positives or not relevant. Alert correlation techniques aim to aggregate and combine the outputs of one or more IDS to provide a concise and broad view of the security state of a network. A capability-based alert correlator uses the notion of capability, an abstract view of an attack extracted from one or more IDS alerts, to correlate alerts. To make the correlation process semantically correct and systematic, the algebraic and set properties of capability need to be identified. In this work, we identify the potential algebraic properties of capability in terms of operations, relations and inferences. These properties give better insight into the logical association between capabilities, which helps in making the system modular. This paper also presents a variant of the correlation algorithm that uses these algebraic properties. To make these operations more realistic, the existing capability model has been extended with a time-based notion that avoids temporal ambiguity between capability instances. The comparison between the basic model and the proposed model is exhibited by demonstrating cases in which false positives that occurred due to temporal ambiguity have been removed.
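The following is an added illustration of the temporal-ambiguity point, not code from the paper: it models a capability as a small record with an alert time, applies a hypothetical requires/provides relation between capabilities, and shows how a correlator that ignores observation order links a consequence to a precondition seen later (a false positive), while the time-aware variant does not. The `Capability` fields, the `REQUIRES` rules and the sample alerts are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Capability:
    """Abstract view of what an attacker has gained, extracted from one
    IDS alert (illustrative model, not the paper's definition)."""
    subject: str   # attacking host
    target: str    # victim host
    action: str    # abstract gain, e.g. "knows_service", "has_shell"
    t: float       # time of the underlying alert: the time-based notion

# Hypothetical requires/provides rules: an alert providing the key capability
# is only explained by an earlier capability named in the value.
REQUIRES: Dict[str, str] = {
    "has_shell": "knows_service",
    "exfiltrated": "has_shell",
}

def correlate(caps: List[Capability], time_aware: bool) -> List[Tuple[Capability, Capability]]:
    """Return (precondition, consequence) pairs for the same attacker/victim pair.
    With time_aware=False observation order is ignored, which is how temporal
    ambiguity produces false links; with time_aware=True only forward-in-time
    links (precondition observed before consequence) are kept."""
    pairs = []
    for post in caps:
        need = REQUIRES.get(post.action)
        if need is None:
            continue
        for pre in caps:
            if pre.action != need or (pre.subject, pre.target) != (post.subject, post.target):
                continue
            if time_aware and not pre.t < post.t:
                continue  # precondition seen after consequence: not a valid link
            pairs.append((pre, post))
    return pairs

# Constructed sample capabilities, as if extracted from three IDS alerts.
ALERTS = [
    Capability("10.0.0.5", "10.0.0.9", "has_shell", t=5.0),       # shell seen at t=5
    Capability("10.0.0.5", "10.0.0.9", "knows_service", t=10.0),  # scan seen at t=10
    Capability("10.0.0.5", "10.0.0.9", "has_shell", t=20.0),      # shell seen at t=20
]

if __name__ == "__main__":
    for mode in (False, True):
        links = [(p.t, c.t) for p, c in correlate(ALERTS, time_aware=mode)]
        print(f"time_aware={mode}: {links}")
```

The basic (time-unaware) run links the t=5 shell to the t=10 scan, a false positive; the time-aware run keeps only the t=10 to t=20 link.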
© 2008 IFIP International Federation for Information Processing
Cite this paper
Pandey, N.K., Gupta, S.K., Leekha, S. (2008). Algebra for Capability Based Attack Correlation. In: Onieva, J.A., Sauveron, D., Chaumette, S., Gollmann, D., Markantonakis, K. (eds) Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks. WISTP 2008. Lecture Notes in Computer Science, vol 5019. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-79966-5_9
DOI: https://doi.org/10.1007/978-3-540-79966-5_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-79965-8
Online ISBN: 978-3-540-79966-5