Abstract

Intrusion Detection Systems (IDS) are very important tools for network monitoring. However, they often produce a large quantity of alerts, and the security operator who analyses them is quickly overwhelmed. Alert correlation is a process applied to IDS alerts in order to reduce their number. In this paper, we propose a new approach for logic-based alert correlation which integrates the security operator's knowledge and preferences in order to present only the most suitable alerts. The representation of and reasoning about this knowledge and these preferences are done using a new logic called Instantiated First Order Qualitative Choice Logic (IFO-QCL). Our modeling views an alert as an interpretation, which allows us to have an efficient algorithm that performs the correlation process in polynomial time. Experimental results are obtained on data collected from the monitoring of a real system. The result is a set of stratified alerts satisfying the operator's criteria.
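As an added illustration (not the chapter's own code, and not IFO-QCL, whose syntax the chapter defines), the script below ranks IDS alerts with the propositional qualitative choice logic of Brewka, Benferhat and Le Berre: each alert is treated as an interpretation (the set of attribute atoms it makes true), the operator's preferences are ordered disjunctions, and alerts are stratified by their satisfaction degree. The formula encoding, the atom names and the sample alerts are constructed here.

```python
from typing import Optional

# Formula syntax assumed for this illustration (not the chapter's IFO-QCL syntax):
#   "atom"               true iff the atom is in the alert's attribute set
#   ("not", f)           classical negation
#   ("and", [f1, ...])   conjunction, degree = max of the conjuncts' degrees
#   ("x", [c1, c2, ...]) ordered disjunction c1 x c2 x ...; c1 is preferred.
# Options of an "x" are classical (no nested "x"), QCL's basic choice form.

def degree(f, alert: frozenset) -> Optional[int]:
    """QCL satisfaction degree: 1 is best, larger is worse, None = violated."""
    if isinstance(f, str):
        return 1 if f in alert else None
    op, args = f
    if op == "not":
        return 1 if degree(args, alert) is None else None
    if op == "and":
        ds = [degree(a, alert) for a in args]
        return None if None in ds else max(ds)
    if op == "x":  # degree = position of the first option the alert satisfies
        for rank, option in enumerate(args, start=1):
            if degree(option, alert) is not None:
                return rank
        return None
    raise ValueError(f"unknown operator {op!r}")

def stratify(alerts: dict, preferences: list) -> dict:
    """Drop alerts violating any preference; group the rest by worst degree."""
    strata: dict = {}
    for name, atoms in alerts.items():
        ds = [degree(p, atoms) for p in preferences]
        if None not in ds:
            strata.setdefault(max(ds), []).append(name)
    return dict(sorted(strata.items()))

# Constructed sample alerts, each viewed as an interpretation (set of true atoms).
ALERTS = {
    "a1": frozenset({"sev_high", "target_server", "proto_http"}),
    "a2": frozenset({"sev_medium", "target_server", "proto_ssh"}),
    "a3": frozenset({"sev_high", "target_workstation", "src_known_scanner"}),
    "a4": frozenset({"sev_low", "target_workstation"}),
}
# Operator preferences: severity high > medium > low; HTTP-on-server > any
# server > workstation; never keep alerts from a known scanner source.
PREFS = [
    ("x", ["sev_high", "sev_medium", "sev_low"]),
    ("x", [("and", ["target_server", "proto_http"]), "target_server", "target_workstation"]),
    ("not", "src_known_scanner"),
]
```

Running `stratify(ALERTS, PREFS)` yields stratum 1 for a1, 2 for a2 and 3 for a4, while a3 is discarded because it violates the scanner-source constraint; the grouping by worst degree is one simple aggregation, and the QCL paper discusses other orderings of interpretations.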


Corresponding author

Correspondence to Lydia Bouzar-Benlabiod.

Copyright information

© 2013 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Bouzar-Benlabiod, L., Benferhat, S., Bouabana-Tebibel, T. (2013). A New Approach for QCL-Based Alert Correlation Process. In: Amine, A., Otmane, A., Bellatreche, L. (eds) Modeling Approaches and Algorithms for Advanced Computer Applications. Studies in Computational Intelligence, vol 488. Springer, Cham. https://doi.org/10.1007/978-3-319-00560-7_17

  • DOI: https://doi.org/10.1007/978-3-319-00560-7_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-00559-1

  • Online ISBN: 978-3-319-00560-7

  • eBook Packages: Engineering (R0)
