Abstract
Due to a false alert or mass alerts by current intrusion detection systems, the system administrators have difficulties in real-time analysis of an intrusion. In order to solve this problem, it has been studied to analyze the intrusion situation or correlation. However, the existing situation analysis method is grouping with the similarity of measures, and it makes hard to respond appropriately to an elaborate attack. Also, the result of the method is so abstract that the raw information before reduction must be analyzed to realize the intrusion. In this paper, we reduce the number of alerts using the aggregation and correlation and classify the alerts by IP addresses and attack types. Through this method, our tool can find a cunningly cloaked attack flow as well as general attack situation, and more, they are visualized. So an administrator can easily understand the correct attack flow.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 85. Springer, Heidelberg (2001)
Ning, P.: Techniques and Tools for Analyzing Intrusion Alerts. ACM Transactions on Information and System Security 7(2), 274–318 (2004)
Moh, W., Kim, M., Cheong, I., Noh, B., Seo, J., Park, E., Park, C.: An Analysis on the Correlation of Network-based Alerts with Association Rule Algorithm. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 705–712. Springer, Heidelberg (2005)
Porras, P., Neumann, P.: EMERALD: Event Monitoring Enabling Responses To Anomalous Live Disturbances. In: Proc. of the 20th National Information Systems Security Conference, pp. 1–13 (1997)
Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 54. Springer, Heidelberg (2001)
Insecure.Org, Bugtraq: Samba ’smbprint’ script tmpfile vulnerability, http://seclist.org/list/bugtraq/2004/Mar/0189.html
Yang, Y., Paxton, V.: Detecting Stepping Stones. In: USENIX Security Symposium (2000)
Beale, J., Foster, J., Posluns, J., Caswell, B.: Snort 2.0 Intrusion Detection, SynGress (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kim, M. et al. (2005). An Effective Method for Analyzing Intrusion Situation Through IP-Based Classification. In: Gervasi, O., et al. Computational Science and Its Applications – ICCSA 2005. ICCSA 2005. Lecture Notes in Computer Science, vol 3481. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11424826_24
Download citation
DOI: https://doi.org/10.1007/11424826_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25861-2
Online ISBN: 978-3-540-32044-9
eBook Packages: Computer ScienceComputer Science (R0)