Abstract
To address alert flooding and the poor information content of alerts in existing IDSs, an approach that uses logic correlation to enrich the content of alerts is presented. A Chronicle based on time intervals is introduced to describe the temporal constraints among intrusion alerts, and Chronicle patterns are designed to fold the sequence of alerts generated by one attacker into a single high-level alert. A prepares-for relation between high-level alerts is then defined, and a first-order logic algorithm is applied to correlate the high-level alerts linked by this relation. The attack scenario is constructed by drawing the attack graph. Finally, an example shows how the algorithm reduces the number of intrusion alerts and improves their information content.
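The two stages the abstract describes, temporal pattern recognition over raw alerts and a prepares-for correlation between the resulting high-level alerts, can be sketched in a few dozen lines. The following is an added illustration, not code from the paper: the Chronicle patterns, alert names, hosts and predicate names are constructed, the prepares-for test is reduced to a set intersection over provided and required predicates rather than the paper's first-order logic formulation, and the attack graph is just the list of prepares-for edges.

```python
"""Chronicle-style aggregation of IDS alerts followed by prepares-for correlation.

Added illustration with constructed data: alert names, hosts, chronicle patterns
and predicate names are hypothetical, not the paper's own patterns or dataset.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One low-level IDS alert (constructed; no real sensor format implied)."""
    name: str
    src: str
    dst: str
    t: float  # seconds on the sensor clock


@dataclass(frozen=True)
class Chronicle:
    """Ordered event pattern; gaps[i] is the allowed (lo, hi) delay in seconds
    between events[i] and events[i+1]. requires/provides are predicate names
    over the destination host (a requires/provides style model, names invented)."""
    name: str
    events: tuple
    gaps: tuple
    requires: tuple
    provides: tuple


@dataclass(frozen=True)
class HighLevelAlert:
    kind: str
    src: str
    dst: str
    t_start: float
    t_end: float
    members: tuple        # low-level alerts folded into this one
    requires: frozenset   # (predicate, host) pairs needed before this step
    provides: frozenset   # (predicate, host) pairs established by this step


def _match(chron, flow, start, used):
    """Try to instantiate chron starting at flow[start]; return member indices or None."""
    idx = [start]
    for ev, (lo, hi) in zip(chron.events[1:], chron.gaps):
        prev_t = flow[idx[-1]].t
        nxt = next((k for k in range(idx[-1] + 1, len(flow))
                    if k not in used and flow[k].name == ev
                    and lo <= flow[k].t - prev_t <= hi), None)
        if nxt is None:           # interval constraint violated or event missing
            return None
        idx.append(nxt)
    return idx


def recognise(chronicles, alerts):
    """Fold alert sequences per (src, dst) into high-level alerts; the rest pass through."""
    flows = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.t):
        flows[(a.src, a.dst)].append(a)
    high, leftovers = [], []
    for (src, dst), flow in flows.items():
        used = set()
        for chron in chronicles:
            for i in range(len(flow)):
                if i in used or flow[i].name != chron.events[0]:
                    continue
                idx = _match(chron, flow, i, used)
                if idx is None:
                    continue
                used.update(idx)
                members = tuple(flow[k] for k in idx)
                high.append(HighLevelAlert(
                    chron.name, src, dst, members[0].t, members[-1].t, members,
                    frozenset((p, dst) for p in chron.requires),
                    frozenset((p, dst) for p in chron.provides)))
        leftovers.extend(flow[k] for k in range(len(flow)) if k not in used)
    return high, leftovers


def prepares_for(a, b):
    """a prepares for b when it ends before b starts and provides something b requires."""
    return a.t_end < b.t_start and bool(a.provides & b.requires)


def attack_graph(high):
    """Directed edges of the attack scenario: (earlier step, step it prepares for)."""
    return [(a, b) for a in high for b in high if a is not b and prepares_for(a, b)]


def correlate(chronicles, alerts):
    high, leftovers = recognise(chronicles, alerts)
    return high, leftovers, attack_graph(high)


CHRONICLES = (  # constructed patterns
    Chronicle("PortScan", ("portscan",) * 3, ((0, 10), (0, 10)), (), ("ServiceInfo",)),
    Chronicle("RpcExploit", ("rpc_probe", "rpc_overflow"), ((0, 60),), ("ServiceInfo",), ("RootAccess",)),
    Chronicle("AgentInstall", ("remote_shell", "agent_install"), ((0, 30),), ("RootAccess",), ("DDoSAgent",)),
)
ATTACKER, VICTIM = "10.0.0.5", "192.168.1.20"
SAMPLE_ALERTS = [  # constructed alert stream, nine low-level alerts
    Alert("portscan", ATTACKER, VICTIM, 0), Alert("portscan", ATTACKER, VICTIM, 2),
    Alert("portscan", ATTACKER, VICTIM, 4),
    Alert("rpc_probe", ATTACKER, VICTIM, 30), Alert("rpc_overflow", ATTACKER, VICTIM, 45),
    Alert("icmp_echo", "10.0.0.9", VICTIM, 50),          # unrelated noise, passes through
    Alert("remote_shell", ATTACKER, VICTIM, 120), Alert("agent_install", ATTACKER, VICTIM, 125),
    Alert("portscan", ATTACKER, VICTIM, 500),            # lone scan: pattern never completes
]

if __name__ == "__main__":
    high, left, edges = correlate(CHRONICLES, SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} low-level alerts -> {len(high)} high-level + {len(left)} unmatched")
    for a, b in edges:
        print(f"{a.kind}@{a.t_end}s prepares for {b.kind}@{b.t_start}s on {b.dst}")
```

Run as a script, the nine constructed alerts collapse to three high-level alerts plus two pass-through alerts, and the graph contains exactly the two prepares-for edges PortScan to RpcExploit and RpcExploit to AgentInstall; PortScan does not link directly to AgentInstall because it provides no predicate that step requires. The interval constraints are what keep the lone portscan at 500 s out of the scan pattern, which is the point of using Chronicles rather than plain counting.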
© 2004 Springer-Verlag Berlin Heidelberg
Wang, LM., Ma, JF., Zhan, YZ. (2004). Enhancing the Content of the Intrusion Alerts Using Logic Correlation. In: Chi, CH., Lam, KY. (eds) Content Computing. AWCC 2004. Lecture Notes in Computer Science, vol 3309. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30483-8_17
DOI: https://doi.org/10.1007/978-3-540-30483-8_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23898-0
Online ISBN: 978-3-540-30483-8