Over the last years the intrusion detection system (IDS) has proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counteracting them, be it by reporting to the user or by taking certain actions automatically. The traditional IDS, however, is defective in that it deals with each detected abnormal activity only individually, which brings serious problems, classical ones of which include massive numbers of false alarms and massive numbers of repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective, if not useless, when the many individually detected abnormal activities are correlated components of a multi-step, in-depth intrusion, which is probably the case nowadays since intrusions have evolved to be intelligent and distributed. To overcome this defect, this paper proposes a method called MSACA (multi-step attack correlating algorithm). As a prerequisite of the method, a knowledge database is provided. The knowledge database consists of the structures of known multi-step correlated attacks, meaning that, given certain low-level abnormal activities, through the database we can get information on what kinds of multi-step correlated attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method first gets the needed information about the low-level alarms from the database, secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole, and finally takes countermeasures. The proposed method can be implemented in real-time scenarios. This paper also proves the proposed method's effectiveness by experiments.
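The following is an added illustration of the three steps the abstract describes (look up each low-level alarm in a knowledge base of known multi-step attacks, fold the alarms into a per-attacker picture of scenario progress, and decide when a countermeasure is warranted). It is not the paper's MSACA code; the scenario knowledge base, the sample alerts, the one-hour correlation window, the strict stage ordering, and the 50% progress threshold are all constructed assumptions for the example.

```python
"""Added example of multi-step alert correlation against a scenario
knowledge base. Knowledge base, alerts, window and threshold are
constructed for illustration and are not from the paper."""
from dataclasses import dataclass, field

# Constructed knowledge base: each known multi-step attack is an ordered
# list of low-level alert types; the list index is the stage number.
KNOWLEDGE_BASE = {
    "recon_to_exfil": ["port_scan", "exploit_attempt",
                       "privilege_escalation", "data_exfiltration"],
    "brute_force_login": ["login_failure_burst", "login_success",
                          "new_admin_account"],
}

# Assumed: a partial scenario is forgotten if no matching alert arrives
# within this many seconds.
WINDOW = 3600


@dataclass
class Alert:
    ts: int      # unix seconds
    src: str     # attacker address as seen by the sensor
    dst: str
    kind: str    # low-level alarm type emitted by the sensor


@dataclass
class Progress:
    stage: int = -1                      # highest stage reached in order
    alerts: list = field(default_factory=list)  # alerts that advanced it
    last_ts: int = 0


def lookup(kind):
    """Step 1: which scenarios, and at which stage, may this alarm belong to?"""
    return [(name, stages.index(kind))
            for name, stages in KNOWLEDGE_BASE.items() if kind in stages]


def correlate(alerts, window=WINDOW):
    """Step 2: fold individual alarms into per-(scenario, attacker) progress.

    Stages must be reached in order (assumed); a repeated alarm at an
    already-reached stage only refreshes the timer, so repeated low-level
    alarms collapse into one picture instead of many reports.
    """
    state = {}  # (scenario, src) -> Progress
    for a in sorted(alerts, key=lambda x: x.ts):
        for scenario, stage in lookup(a.kind):
            key = (scenario, a.src)
            p = state.get(key)
            if p is not None and a.ts - p.last_ts > window:
                state.pop(key)   # stale partial scenario: forget it
                p = None
            if p is None:
                p = Progress()
            if stage == p.stage + 1:
                p.stage = stage
                p.alerts.append(a)
                p.last_ts = a.ts
                state[key] = p
            elif 0 <= stage <= p.stage:
                p.last_ts = a.ts  # duplicate low-level alarm absorbed
    return state


def assess(state, threshold=0.5):
    """Step 3: report each attacker's progress and flag scenarios that have
    advanced far enough (assumed threshold) to warrant a countermeasure."""
    report = []
    for (scenario, src), p in state.items():
        total = len(KNOWLEDGE_BASE[scenario])
        reached = p.stage + 1
        report.append({"scenario": scenario, "src": src, "stage": reached,
                       "of": total, "act": reached / total >= threshold})
    return sorted(report, key=lambda r: -r["stage"])


# Constructed sample alarms: one attacker walks three stages of a scenario,
# one alarm is a repeat, one pair is too far apart to correlate, and one
# high-stage alarm arrives without any earlier stage.
SAMPLE_ALERTS = [
    Alert(100, "10.0.0.5", "10.0.1.20", "port_scan"),
    Alert(150, "10.0.0.5", "10.0.1.20", "port_scan"),          # repeat
    Alert(400, "10.0.0.5", "10.0.1.20", "exploit_attempt"),
    Alert(900, "10.0.0.5", "10.0.1.20", "privilege_escalation"),
    Alert(120, "10.0.0.9", "10.0.1.30", "login_failure_burst"),
    Alert(5000, "10.0.0.9", "10.0.1.30", "login_success"),     # outside window
    Alert(700, "10.0.0.7", "10.0.1.40", "data_exfiltration"),  # no prior stage
]

if __name__ == "__main__":
    for row in assess(correlate(SAMPLE_ALERTS)):
        print(row)
```

Running the block reports a single correlated picture: the attacker at 10.0.0.5 has reached stage 3 of 4 of the constructed "recon_to_exfil" scenario and is flagged for action, while the repeated scan, the out-of-window login pair and the isolated late-stage alarm produce no report of their own.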