
Finding Corrupted Computers Using Imperfect Intrusion Prevention System Event Data

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 5219)

Abstract

With the increase of attacks on the Internet, a primary concern for organizations is how to protect their network. The objectives of a security team are 1) to prevent external attackers from launching successful attacks against organization computers, which could otherwise become compromised, and 2) to ensure that organization computers are not vulnerable (e.g., that they are fully patched), so that in either case the organization computers do not themselves start launching attacks. The security team can monitor and block malicious activity by using devices such as intrusion prevention systems. However, in large organizations, such monitoring devices can record a very high number of events. The contributions of this paper are 1) to introduce a method that ranks potentially corrupted computers based on imperfect intrusion prevention system event data, and 2) to evaluate the method on empirical data collected at a large organization of about 40,000 computers. The evaluation is based on the judgment of a security expert as to which computers were indeed corrupted. On the one hand, we studied how many computers classified as of high concern or of concern were indeed corrupted (i.e., true positives). On the other hand, we analyzed how many computers classified as of lower concern were in fact corrupted (i.e., false negatives).




Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chrun, D., Cukier, M., Sneeringer, G. (2008). Finding Corrupted Computers Using Imperfect Intrusion Prevention System Event Data. In: Harrison, M.D., Sujan, M.A. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2008. Lecture Notes in Computer Science, vol 5219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87698-4_20


  • DOI: https://doi.org/10.1007/978-3-540-87698-4_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87697-7

  • Online ISBN: 978-3-540-87698-4
