
Reasoning about complementary intrusion evidence (2004) [3 citations — 0 self]

by Yan Zhai, Peng Ning, Purush Iyer, Douglas S. Reeves
In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC ’04)
http://discovery.csc.ncsu.edu/~pning/pubs/acsac04a.pdf

Abstract:

This paper presents techniques to integrate and reason about complementary intrusion evidence such as alerts generated by intrusion detection systems (IDSs) and reports by system monitoring or vulnerability scanning tools. To facilitate the modeling of intrusion evidence, this paper classifies intrusion evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, this paper develops techniques to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence based on verified evidence. The experimental results in this paper demonstrate the potential of the proposed techniques. In particular, additional observations by system monitoring or vulnerability scanning tools can potentially reduce the false alert rate and increase the confidence in alerts corresponding to successful attacks.

Citations

431 Snort: lightweight intrusion detection for networks – Roesch - 1978
94 Alert correlation in a cooperative intrusion detection framework – Cuppens, Miege - 2002
88 Practical automated detection of stealthy portscans – Staniford, Hoagland, et al. - 2000
85 Automated Generation and Analysis of Attack Graphs – Sheyner, Haines, et al. - 2002
84 Probabilistic alert correlation – Valdes, Skinner
73 STATL: An Attack Language for State-based Intrusion Detection – Eckmann, Vigna, et al.
70 Aggregation and Correlation of Intrusion-Detection Alerts – Debar, Wespi - 2001
63 Constructing Attack Scenarios through Correlation of Intrusion Alerts – Ning, Cui, et al. - 2002
60 A requires/provides model for computer attacks – Templeton, Levitt - 2000
51 LAMBDA: A language to model a database for detection of attacks – Cuppens, Ortalo - 2000
43 Managing alerts in a multi-intrusion detection environment – Cuppens - 2001
38 Graph-Based Network Vulnerability Analysis – Ammann, Wijesekera, et al. - 2002
38 M2D2: A Formal Data Model for IDS Alert Correlation – Morin, Mé, et al. - 2002
36 Bayesian Networks and Decision Graphs. Statistics for Engineering and Information Science – Jensen - 2001
35 A Mission-Impact-Based approach to INFOSEC alarm correlation – Porras, Fong, et al. - 2002
32 Fusing a heterogeneous alert stream into scenarios – Dain, Cunningham - 2001
30 Mining Intrusion Detection Alarms for Actionable Knowledge – Julisch, Dacier - 2002
28 Mining Alarm Clusters to Improve Alarm Handling Efficiency – Julisch - 2001
17 Building Scenarios from a Heterogenous Alert Stream – Dain, Cunningham - 2001
17 2000 DARPA intrusion detection scenario specific datasets. http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html – Lab - 2000
14 SATAN: Security Administrator's Tool for Analyzing Networks, http://www.fish.com/~zen/satan/satan.html – Farmer, Venema - 1995
8 Building Attack Scenarios through Integration of Complementary Alert Methods – Healey, Amant - 2004
7 Nmap free security scanner. http://www.insecure.org/nmap – Fyodor - 2003