Enhancing the Content of the Intrusion Alerts Using Logic Correlation

  • Conference paper
Content Computing (AWCC 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3309)

Abstract

To address alert flooding and the poor information semantics of alerts in existing IDSs, an approach that uses logic correlation to enhance the content of the alerts is presented. A Chronicle based on time intervals is introduced to describe the temporal constraints among intrusion alerts, and Chronicle patterns are designed to integrate the sequence of alerts generated by an attacker into a single high-level alert. The preparing relation between high-level alerts is then defined, and a first-order logic algorithm is applied to correlate those high-level alerts that stand in the preparing relationship. The attack scenario is constructed by drawing the attack graph. Finally, an example is given to show how this algorithm performs in reducing the number of intrusion alerts and improving their information semantics.
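The abstract describes two stages: chronicle recognition, which folds a time-constrained sequence of low-level alerts from one attacker into a high-level alert, and a preparing relation that links high-level alerts into an attack graph. The following is an added example written for this page; it is not code from the paper, and the paper's formal chronicle language and its exact definition of the preparing relation are not reproduced on this page. The pattern syntax (an ordered signature list with a minimum/maximum gap between consecutive steps), the requires/provides predicates used to decide "prepares", and all signature names, addresses and timestamps are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed illustration of chronicle-style alert aggregation followed by
# "prepares" correlation. Pattern syntax, predicate names, signature names and
# addresses are assumptions for this example, not the paper's definitions.


@dataclass(frozen=True)
class Alert:
    ts: float   # seconds on a constructed sample timeline
    sig: str    # IDS signature name (constructed)
    src: str
    dst: str


@dataclass(frozen=True)
class ChroniclePattern:
    name: str
    steps: Tuple[str, ...]                 # signatures that must occur in this order
    gaps: Tuple[Tuple[float, float], ...]  # (min, max) seconds between step i and i+1
    requires: frozenset                    # predicates an earlier high-level alert must provide
    provides: frozenset                    # predicates this high-level alert establishes


@dataclass(frozen=True)
class HighLevelAlert:
    name: str
    start: float
    end: float
    src: str
    dst: str
    members: Tuple[Alert, ...]
    requires: frozenset
    provides: frozenset


def recognise(pattern: ChroniclePattern, alerts: List[Alert]) -> List[HighLevelAlert]:
    """Greedy chronicle recognition per (src, dst) flow: scan alerts in time order and
    match the pattern's steps subject to the inter-step interval constraints."""
    flows: Dict[Tuple[str, str], List[Alert]] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        flows.setdefault((a.src, a.dst), []).append(a)
    found: List[HighLevelAlert] = []
    for (src, dst), seq in flows.items():
        i = 0
        while i < len(seq):
            if seq[i].sig != pattern.steps[0]:
                i += 1
                continue
            matched, last, step, j = [seq[i]], i, 1, i + 1
            while step < len(pattern.steps) and j < len(seq):
                lo, hi = pattern.gaps[step - 1]
                gap = seq[j].ts - matched[-1].ts
                if gap > hi:            # window expired: this instance cannot complete
                    break
                if seq[j].sig == pattern.steps[step] and gap >= lo:
                    matched.append(seq[j])
                    last, step = j, step + 1
                j += 1
            if step == len(pattern.steps):
                found.append(HighLevelAlert(pattern.name, matched[0].ts, matched[-1].ts,
                                            src, dst, tuple(matched),
                                            pattern.requires, pattern.provides))
                i = last + 1            # the matched alerts are consumed
            else:
                i += 1
    return found


def prepares(a: HighLevelAlert, b: HighLevelAlert) -> bool:
    """Assumed definition: a prepares b when a ends before b starts, both target the
    same host, and a establishes at least one predicate that b requires."""
    return a.end < b.start and a.dst == b.dst and bool(a.provides & b.requires)


def correlate(alerts: List[Alert], patterns: List[ChroniclePattern]):
    """Aggregate alerts with each pattern in turn, then draw the attack graph edges."""
    residual = list(alerts)
    high: List[HighLevelAlert] = []
    for p in patterns:
        new = recognise(p, residual)
        absorbed = {m for h in new for m in h.members}
        residual = [a for a in residual if a not in absorbed]   # low-level alerts left over
        high.extend(new)
    high.sort(key=lambda h: h.start)
    edges = [(a.name, b.name) for a in high for b in high if prepares(a, b)]
    return high, residual, edges


PATTERNS = [
    ChroniclePattern("portscan", ("SYN_PROBE",) * 3, ((0, 5), (0, 5)),
                     frozenset(), frozenset({"open_ports_known"})),
    ChroniclePattern("ftp_bruteforce", ("FTP_LOGIN_FAIL", "FTP_LOGIN_FAIL", "FTP_LOGIN_OK"),
                     ((0, 30), (0, 30)), frozenset({"open_ports_known"}),
                     frozenset({"ftp_credential"})),
    ChroniclePattern("ftp_upload", ("FTP_PUT_EXEC",), (),
                     frozenset({"ftp_credential"}), frozenset({"code_on_host"})),
]

# Constructed sample alert stream: eight raw alerts, one of them an unrelated probe.
SAMPLE_ALERTS = [
    Alert(0, "SYN_PROBE", "10.0.0.5", "10.0.0.9"),
    Alert(1, "SYN_PROBE", "10.0.0.5", "10.0.0.9"),
    Alert(2, "SYN_PROBE", "10.0.0.5", "10.0.0.9"),
    Alert(3, "SYN_PROBE", "10.0.0.7", "10.0.0.9"),
    Alert(40, "FTP_LOGIN_FAIL", "10.0.0.5", "10.0.0.9"),
    Alert(45, "FTP_LOGIN_FAIL", "10.0.0.5", "10.0.0.9"),
    Alert(50, "FTP_LOGIN_OK", "10.0.0.5", "10.0.0.9"),
    Alert(120, "FTP_PUT_EXEC", "10.0.0.5", "10.0.0.9"),
]


def run_example():
    return correlate(SAMPLE_ALERTS, PATTERNS)


if __name__ == "__main__":
    high, residual, edges = run_example()
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(high)} high-level + {len(residual)} residual")
    for e in edges:
        print("prepares:", e[0], "->", e[1])
```

On the constructed stream the three patterns absorb seven of the eight alerts into three high-level alerts, leave the lone probe from the second source as a residual low-level alert, and the preparing relation yields the chain portscan -> ftp_bruteforce -> ftp_upload; the scan does not link directly to the upload because it provides no predicate the upload requires, which is the kind of pruning that keeps the attack graph readable.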


Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

Cite this paper

Wang, LM., Ma, JF., Zhan, YZ. (2004). Enhancing the Content of the Intrusion Alerts Using Logic Correlation. In: Chi, CH., Lam, KY. (eds) Content Computing. AWCC 2004. Lecture Notes in Computer Science, vol 3309. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30483-8_17

  • DOI: https://doi.org/10.1007/978-3-540-30483-8_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23898-0

  • Online ISBN: 978-3-540-30483-8

  • eBook Packages: Springer Book Archive
