Analyzing Intensive Intrusion Alerts via Correlation

  • Conference paper
  • Published in: Recent Advances in Intrusion Detection (RAID 2002)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2516)

Abstract

Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies and raise alerts independently, even though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the number of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. Several complementary alert correlation methods have been proposed to address this problem. As one of these methods, we have developed a framework to correlate intrusion alerts using prerequisites of intrusions. In this paper, we continue this work to study the feasibility of this method in analyzing real-world, intensive intrusions. In particular, we develop three utilities (called adjustable graph reduction, focused analysis, and graph decomposition) to facilitate the analysis of large sets of correlated alerts. We study the effectiveness of the alert correlation method and these utilities through a case study with the network traffic captured at the DEF CON 8 Capture the Flag (CTF) event. Our results show that these utilities can simplify the analysis of large numbers of alerts, and they also reveal several attack strategies that were repeatedly used in the DEF CON 8 CTF event.
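As an added illustration (not the authors' code), the prerequisite/consequence correlation the abstract refers to and one plausible form of adjustable graph reduction, in Python; the alert kinds, predicate strings and the time-window grouping rule are assumptions constructed for this example, not details taken from the paper.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HyperAlert:
    id: int
    kind: str
    ts: float            # seconds since the start of the capture
    prereq: frozenset    # predicates that must hold for this attack step
    conseq: frozenset    # predicates that hold if the step succeeds

def correlate(alerts):
    """'Prepare-for' edges (a.id, b.id): a happened before b and at least
    one consequence of a matches a prerequisite of b."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    edges = set()
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if a.ts < b.ts and a.conseq & b.prereq:
                edges.add((a.id, b.id))
    return edges

def reduce_graph(alerts, edges, window):
    """Assumed form of adjustable graph reduction: alerts of the same kind
    within `window` seconds of the first alert in a group collapse into one
    node; edges are merged per group and self-loops dropped. window=0 keeps
    every alert as its own node, so the analyst can dial the detail up or down."""
    group_of, start, members = {}, {}, {}
    for a in sorted(alerts, key=lambda x: x.ts):
        label, t0 = start.get(a.kind, (None, None))
        if label is None or a.ts - t0 > window:
            label = f"{a.kind}#{a.id}"
            start[a.kind] = (label, a.ts)
            members[label] = []
        members[label].append(a.id)
        group_of[a.id] = label
    reduced = {(group_of[u], group_of[v]) for u, v in edges
               if group_of[u] != group_of[v]}
    return members, reduced

# Constructed sample: three noisy scans of h1, a service probe, an exploit
# attempt against the probed service, and one unrelated scan of h2 much later.
SAMPLE = [
    HyperAlert(1, "Scan", 0.0, frozenset(), frozenset({"alive(h1)"})),
    HyperAlert(2, "Scan", 2.5, frozenset(), frozenset({"alive(h1)"})),
    HyperAlert(3, "Scan", 5.0, frozenset(), frozenset({"alive(h1)"})),
    HyperAlert(4, "ServiceProbe", 30.0, frozenset({"alive(h1)"}), frozenset({"open(h1,ftp)"})),
    HyperAlert(5, "ExploitAttempt", 60.0, frozenset({"open(h1,ftp)"}), frozenset({"shell(h1)"})),
    HyperAlert(6, "Scan", 900.0, frozenset(), frozenset({"alive(h2)"})),
]
```

With `window=10` the three scans of h1 collapse into one node, leaving a two-edge chain Scan -> ServiceProbe -> ExploitAttempt, while the unrelated scan of h2 stays isolated; with `window=0` the full four-edge graph is kept.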


Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

Cite this paper

Ning, P., Cui, Y., Reeves, D.S. (2002). Analyzing Intensive Intrusion Alerts via Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1
