Abstract
We describe a mission-impact-based approach to the analysis of security alerts produced by spatially distributed heterogeneous information security (INFOSEC) devices, such as firewalls, intrusion detection systems, authentication services, and antivirus software. The intent of this work is to deliver an automated capability to reduce the time and cost of managing multiple INFOSEC devices through a strategy of topology analysis, alert prioritization, and common attribute-based alert aggregation. Our efforts to date have led to the development of a prototype system called the EMERALD Mission Impact Intrusion Report Correlation System, or M-Correlator. M-Correlator is intended to provide analysts (at all experience levels) a powerful capability to automatically fuse together and isolate those INFOSEC alerts that represent the greatest threat to the health and security of their networks.
Supported by DARPA through Air Force Research Laboratory, contract F30602-99-C-0187.
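The three mechanisms the abstract names (topology analysis, alert prioritization and attribute-based aggregation) can be demonstrated on a handful of sensor alerts. The following is an added example written for this page, not M-Correlator's code: the asset inventory, the attack-to-requirement table, the priority formula (severity x topology relevance x asset criticality), the 300-second fusion window and the sample alerts are all constructed assumptions, chosen only to show how a topology check discards an alert that cannot apply to its target and how alerts from different sensors sharing source, target and attack class fold into one incident.

```python
"""Toy mission-impact alert correlator (added example, not M-Correlator).

The inventory, attack requirements, scoring and sample alerts below are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: what each host runs and how much the mission
# depends on it (criticality 1 = low, 5 = critical).
INVENTORY = {
    "10.0.0.5": {"os": "windows", "services": {"http", "smb"}, "criticality": 5},
    "10.0.0.7": {"os": "linux",   "services": {"ssh", "http"}, "criticality": 2},
    "10.0.0.9": {"os": "linux",   "services": {"dns"},         "criticality": 4},
}

# Constructed mapping from attack class to what the attack needs on the target.
# The topology check uses this to decide whether an alert can matter at all.
REQUIRES = {
    "iis_overflow":   {"os": "windows", "service": "http"},
    "ssh_bruteforce": {"os": None,      "service": "ssh"},
    "bind_overflow":  {"os": None,      "service": "dns"},
    "portscan":       {"os": None,      "service": None},
}

SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    ts: int          # seconds since some epoch
    sensor: str      # which INFOSEC device raised it
    src: str
    dst: str
    attack: str
    severity: str


@dataclass
class Incident:
    src: str
    dst: str
    attack: str
    first_ts: int
    last_ts: int
    count: int = 0
    sensors: set = field(default_factory=set)
    priority: float = 0.0


def relevance(alert, inventory=INVENTORY):
    """Topology relevance in [0, 1]: 1.0 if the target runs what the attack
    needs, 0.0 if it cannot apply (wrong OS or service absent), 0.5 if the
    target is not in the inventory and so cannot be ruled out."""
    host = inventory.get(alert.dst)
    if host is None:
        return 0.5
    req = REQUIRES.get(alert.attack, {"os": None, "service": None})
    if req["os"] and req["os"] != host["os"]:
        return 0.0
    if req["service"] and req["service"] not in host["services"]:
        return 0.0
    return 1.0


def priority(alert, inventory=INVENTORY):
    """Mission-impact priority: severity x topology relevance x asset criticality.
    Unknown hosts get a middle criticality of 3 (assumption)."""
    crit = inventory.get(alert.dst, {}).get("criticality", 3)
    return SEVERITY[alert.severity] * relevance(alert, inventory) * crit


def aggregate(alerts, inventory=INVENTORY, window=300):
    """Fuse alerts sharing (src, dst, attack) and arriving within `window`
    seconds of the previous one into a single incident; an incident keeps the
    highest priority of any alert it absorbed. Returns incidents, highest first."""
    incidents = []
    open_by_key = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.attack)
        inc = open_by_key.get(key)
        if inc is None or a.ts - inc.last_ts > window:
            inc = Incident(a.src, a.dst, a.attack, a.ts, a.ts)
            incidents.append(inc)
            open_by_key[key] = inc
        inc.last_ts = a.ts
        inc.count += 1
        inc.sensors.add(a.sensor)
        inc.priority = max(inc.priority, priority(a, inventory))
    return sorted(incidents, key=lambda i: i.priority, reverse=True)


# Constructed sample alerts from three different sensors.
SAMPLE_ALERTS = [
    Alert(100, "snort",   "203.0.113.9",  "10.0.0.7", "iis_overflow",   "high"),   # Linux target: irrelevant
    Alert(105, "snort",   "203.0.113.9",  "10.0.0.5", "iis_overflow",   "high"),   # Windows/http target: top priority
    Alert(110, "hostids", "203.0.113.9",  "10.0.0.5", "iis_overflow",   "high"),   # same incident, second sensor
    Alert(120, "fw",      "203.0.113.9",  "10.0.0.9", "portscan",       "low"),
    Alert(130, "snort",   "198.51.100.4", "10.0.0.9", "ssh_bruteforce", "medium"), # no ssh on that host: irrelevant
    Alert(900, "snort",   "203.0.113.9",  "10.0.0.5", "iis_overflow",   "high"),   # outside window: new incident
]

if __name__ == "__main__":
    for inc in aggregate(SAMPLE_ALERTS):
        print(f"{inc.priority:5.1f} {inc.src} -> {inc.dst} {inc.attack} "
              f"x{inc.count} via {sorted(inc.sensors)}")
```

Two things in the sample are worth noting. The IIS overflow against the Linux host and the SSH brute force against the DNS-only host both score zero, which is the topology-analysis effect: a sensor fired, but the target cannot be affected. And the two high-severity IIS alerts against the Windows host, raised by a network sensor and a host sensor five seconds apart, collapse into one incident that records both sensors, while the same signature 790 seconds later opens a fresh incident because it falls outside the fusion window.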
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Porras, P.A., Fong, M.W., Valdes, A. (2002). A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_6
Print ISBN: 978-3-540-00020-4
Online ISBN: 978-3-540-36084-1