Abstract
Intrusion Detection Systems (IDS) are essential tools for network monitoring. However, they often produce a large quantity of alerts, and the security operator who analyses IDS alerts is quickly overwhelmed. Alert correlation is a process applied to IDS alerts in order to reduce their number. In this paper, we propose a new approach to logic-based alert correlation that integrates the security operator's knowledge and preferences in order to present only the most suitable alerts. Representation of, and reasoning about, this knowledge and these preferences are carried out using a new logic called Instantiated First Order Qualitative Choice Logic (IFO-QCL). Our modeling treats an alert as an interpretation, which allows us to obtain an efficient algorithm that performs the correlation process in polynomial time. Experimental results are obtained on data collected from the monitoring of a real system. The result is a set of stratified alerts satisfying the operator's criteria.
© 2013 Springer International Publishing Switzerland
Cite this chapter
Bouzar-Benlabiod, L., Benferhat, S., Bouabana-Tebibel, T. (2013). A New Approach for QCL-Based Alert Correlation Process. In: Amine, A., Otmane, A., Bellatreche, L. (eds) Modeling Approaches and Algorithms for Advanced Computer Applications. Studies in Computational Intelligence, vol 488. Springer, Cham. https://doi.org/10.1007/978-3-319-00560-7_17
DOI: https://doi.org/10.1007/978-3-319-00560-7_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-00559-1
Online ISBN: 978-3-319-00560-7
eBook Packages: Engineering (R0)