Abstract
In this paper, we propose a multi-alarm misuse correlation component based on the chronicles formalism. Chronicles provide a high-level declarative language and a recognition system that are already used in other areas where dynamic systems are monitored. This formalism allows us to reduce the number of alarms shipped to the operator and to enhance the quality of the diagnosis provided.
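To make the correlation idea concrete, the following is an added illustrative example, not code from the paper or from Dousson's recognition system. It implements a deliberately simplified chronicle recognizer: a chronicle is a set of labelled event patterns plus pairwise constraints lo <= t[b] - t[a] <= hi on their occurrence times, and recognition keeps partial instances alive only while every missing event can still arrive in time. The signature names, addresses, timings and the `scan_exploit_shell` chronicle are constructed sample data; the assumption that alarms arrive in time order and carry normalised attacker/victim fields is the example's own.

```python
"""
Toy chronicle recognizer over an IDS alarm stream (illustrative, not the
paper's implementation).  It folds the alarms of one recognised chronicle
instance into a single report, so the operator sees fewer, higher-level
alarms.  All names, addresses and timings are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    t: int          # seconds since start of the stream (alarms arrive in time order)
    sig: str        # IDS signature name (constructed sample values)
    attacker: str   # endpoints normalised by the sensor (assumption of this example)
    victim: str


@dataclass
class Chronicle:
    name: str
    events: dict        # label -> signature name that satisfies this event
    constraints: dict   # (label_a, label_b) -> (lo, hi): lo <= t_b - t_a <= hi
    same: tuple = ("attacker", "victim")  # fields every alarm of an instance must share


class Recognizer:
    def __init__(self, chronicle):
        self.ch = chronicle
        self.partial = []     # open instances: dict label -> Alarm
        self.completed = []   # fully matched instances

    def _consistent(self, inst):
        # every constraint whose two events are both bound must hold
        for (a, b), (lo, hi) in self.ch.constraints.items():
            if a in inst and b in inst and not lo <= inst[b].t - inst[a].t <= hi:
                return False
        return True

    def _alive(self, inst, now):
        # an instance dies once a still-missing event's latest admissible time is past
        for (a, b), (lo, hi) in self.ch.constraints.items():
            if a in inst and b not in inst and inst[a].t + hi < now:
                return False
            if b in inst and a not in inst and inst[b].t - lo < now:
                return False
        return True

    def feed(self, alarm):
        self.partial = [p for p in self.partial if self._alive(p, alarm.t)]
        labels = [l for l, sig in self.ch.events.items() if sig == alarm.sig]
        fresh = []
        for label in labels:
            # the alarm may extend any open instance, or start a new one ({})
            for inst in self.partial + [{}]:
                if label in inst:
                    continue
                if inst:
                    ref = next(iter(inst.values()))
                    if any(getattr(alarm, f) != getattr(ref, f) for f in self.ch.same):
                        continue
                cand = dict(inst)
                cand[label] = alarm
                if not self._consistent(cand):
                    continue
                if len(cand) == len(self.ch.events):
                    self.completed.append(cand)
                else:
                    fresh.append(cand)
        self.partial.extend(fresh)


def correlate(alarms, chronicle):
    """Return (reports shipped to the operator, number of raw alarms folded away)."""
    rec = Recognizer(chronicle)
    for a in alarms:
        rec.feed(a)
    consumed = {a for inst in rec.completed for a in inst.values()}
    reports = []
    for inst in rec.completed:
        first = min(inst.values(), key=lambda a: a.t)
        reports.append({"chronicle": chronicle.name, "attacker": first.attacker,
                        "victim": first.victim,
                        "steps": [(l, inst[l].t) for l in chronicle.events]})
    reports += [{"raw": a} for a in alarms if a not in consumed]  # unexplained alarms pass through
    return reports, len(consumed)


INTRUSION = Chronicle(  # hypothetical chronicle for this example
    name="scan_exploit_shell",
    events={"scan": "PORTSCAN", "exploit": "WEB_CGI_ATTACK", "shell": "REVERSE_SHELL"},
    constraints={("scan", "exploit"): (1, 300),    # exploit 1 s .. 5 min after the scan
                 ("exploit", "shell"): (0, 120)},  # shell within 2 min of the exploit
)

SAMPLE = [  # constructed alarm stream
    Alarm(0,   "PORTSCAN",       "10.0.0.5", "192.168.1.10"),
    Alarm(3,   "SSH_LOGIN_FAIL", "10.0.0.9", "192.168.1.20"),   # unrelated noise
    Alarm(20,  "WEB_CGI_ATTACK", "10.0.0.5", "192.168.1.10"),
    Alarm(25,  "WEB_CGI_ATTACK", "10.0.0.7", "192.168.1.10"),   # other attacker, no prior scan
    Alarm(40,  "REVERSE_SHELL",  "10.0.0.5", "192.168.1.10"),
    Alarm(700, "REVERSE_SHELL",  "10.0.0.5", "192.168.1.10"),   # outside the time window
]

if __name__ == "__main__":
    reports, consumed = correlate(SAMPLE, INTRUSION)
    print(f"{len(SAMPLE)} raw alarms -> {len(reports)} reports "
          f"({consumed} alarms folded into chronicle instances)")
    for r in reports:
        print(r)
```

On the constructed stream, six raw alarms become four reports: one chronicle instance naming the attacker, the victim and the timeline of its three steps, plus the three alarms no chronicle explains. Note that partial instances are copied rather than moved when extended, so several candidate instances can coexist; a real engine bounds this with the deadline pruning shown in `_alive` and with sharper constraints.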
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Morin, B., Debar, H. (2003). Correlation of Intrusion Symptoms: An Application of Chronicles. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_6
Print ISBN: 978-3-540-40878-9
Online ISBN: 978-3-540-45248-5