
Fusing A Heterogeneous Alert Stream Into Scenarios

  • Chapter
Applications of Data Mining in Computer Security

Part of the book series: Advances in Information Security ((ADIS,volume 6))

Abstract

An algorithm for fusing the alerts produced by multiple heterogeneous intrusion detection systems is presented. The algorithm runs in real time, combining the alerts into scenarios, each of which is a sequence of alerts attributed to a single actor or organization. The software can discover scenarios even when stealthy attack methods, such as forged IP addresses or long latencies between attack steps, are employed. The algorithm builds scenarios by estimating the probability that a new alert belongs to each existing candidate scenario; the alert is then added to the most likely candidate. Two alternative probability estimation techniques are compared against an algorithm that builds scenarios from a fixed set of rules. Both probability estimation approaches use training data to learn the appropriate probability measures. The algorithm determines the scenario membership of a new alert in time proportional to the number of candidate scenarios.

This work was sponsored by the Department of Defense under Air Force contract F19628-00-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Air Force.
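The following Python sketch is an added example, not code from the chapter: it implements the scenario-building loop the abstract describes (score every candidate scenario for the new alert, attach the alert to the most probable one, open a new scenario when none is probable enough). The chapter's actual probability estimators and rule set are not reproduced on this page, so the logistic scoring function, its weights, the recency time constant, the join threshold and the alert stream below are all assumptions chosen for illustration. The features (source overlap, target overlap, recency) are picked so that a forged-source alert against a known target still joins, and a long-delayed alert from a known source still joins, while an unrelated alert opens its own scenario.

```python
"""Added example (not the chapter's code): real-time fusion of a heterogeneous
IDS alert stream into scenarios by maximum estimated membership probability.
The probability model, weights, threshold and sample alerts are assumptions."""
import math
from dataclasses import dataclass, field


@dataclass
class Alert:
    ts: float      # seconds since an arbitrary epoch
    sensor: str    # producing IDS; alerts from different sensors are treated alike
    src: str       # claimed source address (may be forged by the attacker)
    dst: str       # target address
    kind: str      # sensor-specific alert type


@dataclass
class Scenario:
    sid: int
    alerts: list = field(default_factory=list)
    srcs: set = field(default_factory=set)
    dsts: set = field(default_factory=set)
    last_ts: float = 0.0

    def absorb(self, a: Alert) -> None:
        self.alerts.append(a)
        self.srcs.add(a.src)
        self.dsts.add(a.dst)
        self.last_ts = a.ts


# Assumed feature weights standing in for values a real system would learn from
# labelled training data: (bias, source overlap, target overlap, recency).
WEIGHTS = (-4.0, 3.0, 2.5, 3.0)
TAU = 300.0          # assumed recency time constant, seconds
THRESHOLD = 0.5      # assumed minimum probability to join rather than open a scenario


def features(a: Alert, s: Scenario) -> tuple:
    same_src = 1.0 if a.src in s.srcs else 0.0
    same_dst = 1.0 if a.dst in s.dsts else 0.0
    recency = math.exp(-max(a.ts - s.last_ts, 0.0) / TAU)   # 1.0 now, decays with delay
    return (1.0, same_src, same_dst, recency)


def membership_prob(a: Alert, s: Scenario) -> float:
    """Logistic estimate of P(alert a belongs to scenario s) from the features."""
    z = sum(w * f for w, f in zip(WEIGHTS, features(a, s)))
    return 1.0 / (1.0 + math.exp(-z))


class ScenarioBuilder:
    def __init__(self, threshold: float = THRESHOLD):
        self.threshold = threshold
        self.scenarios: list = []

    def add(self, a: Alert) -> int:
        """Place one alert and return its scenario id.
        Cost is one probability estimate per candidate scenario, i.e. linear
        in the number of candidates, which is the bound the abstract states."""
        best, best_p = None, 0.0
        for s in self.scenarios:
            p = membership_prob(a, s)
            if p > best_p:
                best, best_p = s, p
        if best is None or best_p < self.threshold:
            best = Scenario(sid=len(self.scenarios))
            self.scenarios.append(best)
        best.absorb(a)
        return best.sid


# Constructed alert stream (not real data): one actor scanning and exploiting
# 192.168.1.10, including a forged-source flood and a long-latency follow-up,
# interleaved with unrelated activity against 192.168.1.50.
SAMPLE_ALERTS = [
    Alert(0.0,    "nids-snort", "10.0.0.5",     "192.168.1.10", "portscan"),
    Alert(30.0,   "hids",       "10.0.0.5",     "192.168.1.10", "buffer_overflow"),
    Alert(60.0,   "nids-snort", "172.16.0.9",   "192.168.1.10", "syn_flood"),        # forged src
    Alert(65.0,   "nids-snort", "203.0.113.7",  "192.168.1.50", "web_scan"),
    Alert(4000.0, "hids",       "10.0.0.5",     "192.168.1.10", "priv_escalation"),  # long latency
    Alert(4010.0, "nids-snort", "198.51.100.3", "192.168.1.50", "ftp_probe"),        # stale target only
]


def run_demo(alerts=SAMPLE_ALERTS) -> list:
    """Return the scenario id assigned to each alert, in stream order."""
    sb = ScenarioBuilder()
    return [sb.add(a) for a in alerts]


if __name__ == "__main__":
    for a, sid in zip(SAMPLE_ALERTS, run_demo()):
        print(f"t={a.ts:7.1f} {a.sensor:10s} {a.src:>13s} -> {a.dst:13s} {a.kind:16s} scenario {sid}")
```

With these assumed weights the forged-source flood at t=60 joins the first scenario on target overlap plus recency alone, the privilege-escalation alert at t=4000 joins it on source and target overlap despite a negligible recency term, and the final probe against 192.168.1.50 opens a third scenario because a shared target some 4000 seconds later is not enough on its own. In a deployed system the weights and threshold would come from training data, as the abstract describes, and the candidate list would need bounding or indexing for the per-alert cost to stay acceptable over long runs.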




Copyright information

© 2002 Springer Science+Business Media New York

About this chapter

Cite this chapter

Dain, O., Cunningham, R.K. (2002). Fusing A Heterogeneous Alert Stream Into Scenarios. In: Barbará, D., Jajodia, S. (eds) Applications of Data Mining in Computer Security. Advances in Information Security, vol 6. Springer, Boston, MA. https://doi.org/10.1007/978-1-4615-0953-0_5

Download citation

  • DOI: https://doi.org/10.1007/978-1-4615-0953-0_5

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4613-5321-8

  • Online ISBN: 978-1-4615-0953-0

  • eBook Packages: Springer Book Archive
