
Techniques and tools for analyzing intrusion alerts

Published: 01 May 2004

Abstract

Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive attacks, not only will actual alerts be mixed with false alerts, but the number of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a sequence of techniques to address this issue. The first technique constructs attack scenarios by correlating alerts on the basis of prerequisites and consequences of attacks. Intuitively, the prerequisite of an attack is the necessary condition for the attack to be successful, while the consequence of an attack is the possible outcome of the attack. Based on the prerequisites and consequences of different types of attacks, the proposed method correlates alerts by (partially) matching the consequences of some prior alerts with the prerequisites of some later ones. Moreover, to handle large collections of alerts, this paper presents a set of interactive analysis utilities aimed at facilitating the investigation of large sets of intrusion alerts. This paper also presents the development of a toolkit named TIAA, which provides system support for interactive intrusion analysis. This paper finally reports the experiments conducted to validate the proposed techniques with the 2000 DARPA intrusion detection scenario-specific datasets, and the data collected at the DEFCON 8 Capture the Flag event.
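The prerequisite/consequence correlation the abstract describes, as an added Python example (not the paper's own TIAA code): the hyper-alert type table, predicate names, addresses and timestamps are constructed for illustration, and an earlier alert "prepares for" a later one when any of its instantiated consequences matches any prerequisite of the later alert.

```python
from collections import namedtuple

# Constructed hyper-alert type knowledge base (not the paper's own tables):
# type -> (prerequisite templates, consequence templates), each (predicate, attribute).
ALERT_TYPES = {
    "ICMPPing":    ([], [("ExistHost", "dst")]),
    "SadmindPing": ([("ExistHost", "dst")], [("VulnerableSadmind", "dst")]),
    "SadmindBOF":  ([("ExistHost", "dst"), ("VulnerableSadmind", "dst")], [("GainRootAccess", "dst")]),
    "Rsh":         ([("GainRootAccess", "src")], [("SystemCompromised", "dst")]),
    "FTPProbe":    ([("ExistHost", "dst")], []),
}
Alert = namedtuple("Alert", "aid atype ts src dst")  # ts in seconds (constructed)

def instantiate(templates, alert):
    """Bind each (predicate, attribute) template to the alert's attribute value."""
    return {(name, getattr(alert, attr)) for name, attr in templates}

def correlate(alerts):
    """Prepare-for edges (earlier_id, later_id): some instantiated consequence of
    the earlier alert equals some prerequisite of the later one (partial match)."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    edges = []
    for i, later in enumerate(ordered):
        needs = instantiate(ALERT_TYPES[later.atype][0], later)
        for earlier in ordered[:i]:
            gives = instantiate(ALERT_TYPES[earlier.atype][1], earlier)
            if earlier.ts < later.ts and needs & gives:  # strict temporal order
                edges.append((earlier.aid, later.aid))
    return edges

def scenarios(alerts):
    """Attack scenarios = connected components of the correlation graph;
    alerts with no prepare-for edge at all are reported as singletons."""
    parent = {a.aid: a.aid for a in alerts}
    find = lambda x: x if parent[x] == x else find(parent[x])  # union-find root
    for u, v in correlate(alerts):
        parent[find(u)] = find(v)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a.aid), set()).add(a.aid)
    return sorted(groups.values(), key=min)

# Constructed alert stream: a sadmind-style chain against 10.0.0.5 plus one unrelated probe.
ALERTS = [
    Alert(1, "ICMPPing",    100, "172.16.1.9", "10.0.0.5"),
    Alert(2, "SadmindPing", 200, "172.16.1.9", "10.0.0.5"),
    Alert(3, "SadmindBOF",  300, "172.16.1.9", "10.0.0.5"),
    Alert(5, "FTPProbe",    350, "172.16.1.9", "10.0.0.9"),
    Alert(4, "Rsh",         400, "10.0.0.5",   "10.0.0.7"),
]
```

Running `scenarios(ALERTS)` groups alerts 1 to 4 into one scenario (the Rsh alert joins because the root access gained on 10.0.0.5 is bound to its source address) and leaves the probe of 10.0.0.9 as an isolated alert, which is how the method separates a coherent attack from noise.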



Published In

ACM Transactions on Information and System Security, Volume 7, Issue 2
May 2004
158 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/996943

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 May 2004
Published in TISSEC Volume 7, Issue 2


Author Tags

  1. Intrusion detection
  2. alert correlation
  3. security management
