
Integrating IDS Alert Correlation and OS-Level Dependency Tracking

  • Conference paper
Intelligence and Security Informatics (ISI 2006)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 3975)

Abstract

Intrusion alert correlation techniques group alerts into meaningful clusters or attack scenarios so that human analysts can understand them more easily. However, the quality of correlation is undermined by the imperfection of the underlying intrusion detection techniques: falsely correlated alerts can mislead the analysis. This paper presents a practical technique for improving alert correlation by integrating alert correlation techniques with OS-level object dependency tracking. With the more detailed and precise information available from OS-level event logs, higher accuracy in alert correlation can be achieved. The paper also discusses how such integration improves the accuracy of hypotheses about possibly missed attacks while reducing the complexity of the hypothesizing process. A series of experiments evaluates the effectiveness of the methods, and the results demonstrate significant improvements in correlation results with the proposed techniques.
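The abstract describes checking IDS-level correlations against OS-level object dependencies. The Python example below is added here to illustrate that idea and is not the paper's own code or algorithm. It assumes that each IDS alert can be attributed to an OS object on a host (a process written as `name:pid`) and that the OS-level event log is available as a list of dependency edges (process exec, file write, file read). A naive time-window correlator proposes alert pairs; each pair is then confirmed only if a time-ordered dependency path connects the two objects between the two alert times, and processes on confirmed paths that carry no alert are reported as candidate missed attack steps. All alerts and events are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    ts: int
    obj: str   # OS object the alert is attributed to ("name:pid" for a process) - assumption
    sig: str


@dataclass(frozen=True)
class DepEvent:
    ts: int
    host: str
    src: str   # object the dependency flows from (e.g. process that writes a file)
    dst: str   # object that becomes dependent on src (e.g. the written file)
    op: str


# Constructed sample alerts: a web exploit, a shell download and a netcat
# connection form one chain; the ntpd alert is unrelated but lands in the window.
ALERTS = [
    Alert("A1", "h1", 100, "httpd:412", "WEB-ATTACK command injection"),
    Alert("A2", "h1", 130, "sh:519", "SHELL suspicious download"),
    Alert("A4", "h1", 145, "ntpd:88", "NTP monlist query"),
    Alert("A3", "h1", 165, "nc:640", "OUTBOUND reverse shell"),
]

# Constructed OS-level dependency events (hypothetical event log).
EVENTS = [
    DepEvent(105, "h1", "httpd:412", "sh:519", "exec"),
    DepEvent(135, "h1", "sh:519", "/tmp/x", "write"),
    DepEvent(140, "h1", "ntpd:88", "/var/log/ntp", "write"),
    DepEvent(150, "h1", "/tmp/x", "perl:601", "read"),
    DepEvent(158, "h1", "perl:601", "nc:640", "exec"),
]


def naive_correlate(alerts, window):
    """IDS-only heuristic: correlate alerts on the same host within `window` seconds."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    pairs = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if a.host == b.host and 0 < b.ts - a.ts <= window:
                pairs.append((a, b))
    return pairs


def build_graph(events):
    """Adjacency list keyed by (host, object) with edges carrying their timestamp."""
    graph = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        graph[(e.host, e.src)].append((e.ts, (e.host, e.dst)))
    return graph


def dependency_path(graph, host, start, end, t_start, t_end):
    """BFS for a path start -> end whose edge times are non-decreasing and within [t_start, t_end]."""
    queue = deque([((host, start), t_start, [start])])
    seen = set()
    while queue:
        node, last_ts, path = queue.popleft()
        if node == (host, end):
            return path
        for ts, nxt in graph.get(node, ()):
            if ts < last_ts or ts > t_end:
                continue          # edge would break causal time ordering
            if (nxt, ts) in seen:
                continue
            seen.add((nxt, ts))
            queue.append((nxt, ts, path + [nxt[1]]))
    return None


def verify_pairs(pairs, graph):
    """Split proposed pairs into dependency-confirmed and rejected ones."""
    confirmed, rejected = [], []
    for a, b in pairs:
        path = dependency_path(graph, a.host, a.obj, b.obj, a.ts, b.ts)
        if path is None:
            rejected.append((a.alert_id, b.alert_id))
        else:
            confirmed.append((a.alert_id, b.alert_id, a.host, path))
    return confirmed, rejected


def hypothesize_missed_steps(confirmed, alerts):
    """Processes on confirmed paths with no alert of their own: candidate missed attack steps."""
    covered = {(a.host, a.obj) for a in alerts}
    return {(host, obj) for _, _, host, path in confirmed
            for obj in path[1:-1] if ":" in obj and (host, obj) not in covered}


if __name__ == "__main__":
    pairs = naive_correlate(ALERTS, window=100)
    ok, bad = verify_pairs(pairs, build_graph(EVENTS))
    print("confirmed:", [(a, b, p) for a, b, _, p in ok])
    print("rejected:", bad)
    print("possible missed steps:", hypothesize_missed_steps(ok, ALERTS))
```

On the sample data the time-window heuristic proposes six pairs; the dependency check keeps the three pairs that lie on the httpd to sh to perl to nc chain, rejects the three that involve the unrelated ntpd process, and flags `perl:601` as a process that sits on a confirmed path but raised no alert.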



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zhai, Y., Ning, P., Xu, J. (2006). Integrating IDS Alert Correlation and OS-Level Dependency Tracking. In: Mehrotra, S., Zeng, D.D., Chen, H., Thuraisingham, B., Wang, FY. (eds) Intelligence and Security Informatics. ISI 2006. Lecture Notes in Computer Science, vol 3975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11760146_24

Download citation

  • DOI: https://doi.org/10.1007/11760146_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34478-0

  • Online ISBN: 978-3-540-34479-7

  • eBook Packages: Computer Science (R0)
