Constructing attack scenarios through correlation of intrusion alerts

Ning, Peng; Cui, Yun; Reeves, Douglas S.

doi:10.1145/586110.586144

Cited by 308 publications

(194 citation statements)

References 19 publications

Supporting

Mentioning

191

Contrasting

Unclassified

Order By: Relevance

“…The general approach for correlating aspects of behaviour observed by various sensors is based on ideas presented by Strayer et al [27], Oliner et al [17] and Flaglien et al [4], which extend older proposals made by Cuppens & Miège [3] and Ning et al [16] for correlation of alerts in IDS systems. Using these or similar concepts, several authors have proposed botnet detection systems that correlate alerts from several detection entities.…”

Section: Collaborative Botnet Detectionmentioning

confidence: 99%

A Collaborative Approach to Botnet Protection

Stevanovic

Revsbech

Pedersen

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Botnets are collections of compromised computers which have come under the control of a malicious person or organisation via malicious software stored on the computers, and which can then be used to interfere with, misuse, or deny access to a wide range of Internet-based services. With the current trend towards increasing use of the Internet to support activities related to banking, commerce, healthcare and public administration, it is vital to be able to detect and neutralise botnets, so that these activities can continue unhindered. In this paper we present an overview of existing botnet detection techniques and argue why a new, composite detection approach is needed to provide efficient and effective neutralisation of botnets. This approach should combine existing detection efforts into a collaborative botnet protection framework that receives input from a range of different sources, such as packet sniffers, on-access anti-virus software and behavioural analysis of network traffic, computer sub-systems and application programs. Finally, we introduce ContraBot, a collaborative botnet detection framework which combines approaches that analyse network traffic to identify patterns of botnet activity with approaches that analyse software to detect items which are capable of behaving maliciously.

show abstract

Section: Collaborative Botnet Detectionmentioning

confidence: 99%

A Collaborative Approach to Botnet Protection

Stevanovic

Revsbech

Pedersen

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Schemes in this area can be classified under two basic groups: schemes that require patterns of actual attacks and/or alert interdependencies, and schemes that do not. Members of the first group include [11], [12], and [13]. Our proposed framework, can be classified as part of the first group.…”

Section: Related Workmentioning

confidence: 99%

“…In [11], the authors present a formal framework for alert correlation that constructs attack graphs by correlating individual alerts on the basis of the prerequisites and consequences manually associated to each alert. [12] presents techniques to learn attack strategies from correlated attack graphs.…”

Section: Related Workmentioning

confidence: 99%

Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems

Modelo-Howard

Sweval

Bagchi

2012

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Current attacks to distributed systems involve multiple steps, due to attackers usually taking multiple actions to achieve their goals. Such attacks are called multi-stage attacks and have the ultimate goal to compromise a critical asset for the victim. An example would be compromising a web server, then achieve a series of intermediary steps (such as compromising a developer's box thanks to a vulnerable PHP module and connecting to a FTP server with gained credentials) to ultimately connect to a database where user credentials are stored. Current detection systems are not capable of analyzing the multi-step attack scenario. In this document we present a distributed detection framework based on a probabilistic reasoning engine that communicates to detection sensors and can achieve two goals: (1) protect the critical asset by detecting multi-stage attacks and (2) tune sensors according to the changing environment of the distributed system monitored by the distributed framework. As shown in the experiments, the framework reduces the number of false positives that it would otherwise report if it were only considering alerts from a single detector and the reconfiguration of sensors allows the framework to detect attacks that take advantage of the changing system environment.

show abstract

“…This work outlines a semi-automatic approach for reducing false positives in alarms by identifying the root causes with clustering of alerts by abstraction and then eliminating the root causes to reduce alarm overload. Ning et al proposes an alert correlation model based on prerequisites and consequences of intrusion [8]. With knowledge of prerequisites and consequences, the correlation model can correlate related alerts by matching the consequences of previous alerts with prerequisites of later ones and then hyper alert correlation graphs are used to represent the alerts.…”

Section: Related Workmentioning

confidence: 99%

“…Fig. 2 is an FCM that models the scenario described above for the DDoS attack using cause and effect types of events (the EEvents shown here are similar to the consequences of hyper alert types as in [8]). The FCM in this figure denotes that an IPSweep alert in the sensor report will generate an IPSweep CEvent, from which HostExits EEvent can be inferred.…”

Section: − Effect Events (Eevent)mentioning

confidence: 99%

A Cognitive Model for Alert Correlation in a Distributed Environment

Siraj¹,

Vaughn²

2005

Intelligence and Security Informatics

View full text Add to dashboard Cite

Abstract. The area of alert fusion for strengthening information assurance in systems is a promising research area that has recently begun to attract attention. Increased demands for "more trustworthy" systems and the fact that a single sensor cannot detect all types of misuse/anomalies have prompted most modern information systems deployed in distributed environments to employ multiple, diverse sensors. Therefore, the outputs of the sensors must be fused in an effective and intelligent manner in order to provide an overall view of the status of such systems. A unified architecture for intelligent alert fusion will essentially combine alert prioritization, alert clustering and alert correlation. In this paper, we address the alert correlation aspect of sensor data fusion in distributed environments. A causal knowledge based inference technique with fuzzy cognitive modeling is used to correlate alerts by discovering causal relationships in alert data.

show abstract

Constructing attack scenarios through correlation of intrusion alerts

Cited by 308 publications

References 19 publications

A Collaborative Approach to Botnet Protection

A Collaborative Approach to Botnet Protection

Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems

A Cognitive Model for Alert Correlation in a Distributed Environment

Contact Info

Product

Resources

About