
A Multi-Sensor Model to Improve Automated Attack Detection

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2008)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5230)


Abstract

Most intrusion detection systems available today use a single audit source for detection, even though attacks have distinct manifestations in different parts of the system. In this paper we investigate how to use the alerts from several audit sources to improve the accuracy of the intrusion detection system (IDS). Concentrating on web server attacks, we design a theoretical model to automatically reason about alerts from different sensors, thereby also giving security operators a better understanding of possible attacks against their systems. Our model takes sensor status and capability into account, and therefore enables reasoning about the absence of expected alerts. We require an explicit model for each sensor in the system, which allows us to reason about the quality of information from each particular sensor and to resolve apparent contradictions in a set of alerts.

Our model, which is built using Bayesian networks, needs some initial parameter values that can be provided by the IDS operator. We apply this model in two different scenarios for web server security. The scenarios show the importance of having a model that can dynamically adapt to local transitional traffic conditions, such as encrypted requests, when using conflicting evidence from sensors to reason about attacks.
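As an added illustration of the abstract's point about sensor capability (this is not code or parameter values from the paper; the four-node network and all probabilities are constructed), a toy Bayesian network with a network sensor N, a host sensor H, an attack variable A and an "encrypted request" variable E is queried by exact enumeration. When the request is encrypted the network sensor is modelled as blind, so its silence carries no weight and the posterior equals what the host sensor alone supports; for a plaintext request the same silence is strong counter-evidence.

```python
from itertools import product

# Constructed toy network (not the paper's actual parameters): an attack A
# manifests at a network-based sensor N and at a host/application sensor H.
# E marks whether the request was encrypted on the wire; the network sensor
# cannot inspect encrypted requests, so its output stops depending on A.
PRIOR_ATTACK = 0.01      # assumed base rate of attacks per request
PRIOR_ENCRYPTED = 0.30   # assumed share of encrypted (TLS) requests

def p_network_alert(attack, encrypted):
    """P(N=1 | A, E): sensor capability is part of the sensor model."""
    if encrypted:
        return 0.01                   # blind: only its own false-positive rate
    return 0.90 if attack else 0.02   # plaintext: detection rate vs. FP rate

def p_host_alert(attack):
    """P(H=1 | A): the host sensor sees the decrypted request either way."""
    return 0.80 if attack else 0.05

def joint(a, e, n, h):
    """Full joint P(A=a, E=e, N=n, H=h) assembled from the CPTs above."""
    def bern(p, x):
        return p if x else 1.0 - p
    return (bern(PRIOR_ATTACK, a) * bern(PRIOR_ENCRYPTED, e)
            * bern(p_network_alert(a, e), n) * bern(p_host_alert(a), h))

def posterior_attack(evidence):
    """P(A=1 | evidence) by enumeration; evidence maps 'E','N','H' to 0/1.
    Unobserved variables are summed out, so a missing alert only counts
    as evidence when the model says that sensor could have fired."""
    num = den = 0.0
    for a, e, n, h in product((0, 1), repeat=4):
        vals = {"E": e, "N": n, "H": h}
        if any(vals[k] != v for k, v in evidence.items()):
            continue
        p = joint(a, e, n, h)
        den += p
        if a:
            num += p
    return num / den

if __name__ == "__main__":
    conflict = {"H": 1, "N": 0}  # host sensor alerts, network sensor silent
    for enc in (0, 1):
        p = posterior_attack({**conflict, "E": enc})
        print(f"encrypted={enc}: P(attack | H=1, N=0) = {p:.3f}")
```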



Editor information

Richard Lippmann, Engin Kirda, Ari Trachtenberg


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Almgren, M., Lindqvist, U., Jonsson, E. (2008). A Multi-Sensor Model to Improve Automated Attack Detection. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_16


  • DOI: https://doi.org/10.1007/978-3-540-87403-4_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87402-7

  • Online ISBN: 978-3-540-87403-4

  • eBook Packages: Computer Science (R0)
