Abstract
An Intrusion Detection System (IDS) is a security technology that attempts to identify intrusions. Defending against multi-step intrusions, in which each step prepares the ground for the next, is a challenging task. In this paper we propose a novel approach to alert post-processing and correlation, the Alerts Parser. Unlike most other alert correlation methods, our approach treats the alerts as tokens and uses a modified version of the LR parser to generate parse trees representing the attack scenarios contained in the alerts. An Attribute Context-Free Grammar (ACF-grammar) is used to represent the multi-step attacks; attack scenario information and prerequisite/consequence knowledge are encoded together in the ACF-grammar, which improves the correlation results. The modified LR parser relies on these ACF-grammars to generate the parse trees. The experiments were performed on two different sets of network traffic traces, using different open-source and commercial IDS sensors. The discovered scenarios are represented by Correlation Graphs (CGs). The experimental results show that the Alerts Parser can work in parallel, effectively correlates related alerts with a low false correlation rate, uncovers the attack strategies, and generates concise CGs.
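The following Python example is added here to make the abstract's idea concrete; it is not the authors' code and does not reproduce their parser or grammars. It assumes a hypothetical three-step attack (reconnaissance, compromise, action) written as a small attribute grammar whose constraints encode the prerequisite/consequence knowledge (same target host, steps in time order), treats a constructed stream of IDS alerts as tokens, reduces them with a simplified shift-reduce parser, and emits the resulting parse forest and correlation-graph edges. The one modification to a plain LR parser here, chosen for the example, is that a production's right-hand side may be matched as a subsequence of the stack so that alerts about unrelated hosts can interleave with a scenario.

```python
"""Toy grammar-based alert correlation (illustration, not the paper's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Alert:
    aid: int
    kind: str   # IDS signature class, used as the terminal symbol
    src: str
    dst: str
    t: int      # timestamp in seconds


@dataclass
class Node:
    sym: str
    attrs: Dict[str, object]
    children: List["Node"] = field(default_factory=list)
    alert: Optional[Alert] = None   # set on leaves only


def _chain(nodes: List[Node]) -> Optional[Dict[str, object]]:
    """Constraint: all steps target the same host and occur in time order."""
    dst = nodes[0].attrs["dst"]
    for a, b in zip(nodes, nodes[1:]):
        if b.attrs["dst"] != dst or b.attrs["t"] < a.attrs["t"]:
            return None
    return {"src": nodes[-1].attrs["src"], "dst": dst, "t": nodes[-1].attrs["t"]}


def _copy(nodes: List[Node]) -> Dict[str, object]:
    return dict(nodes[0].attrs)


# Hypothetical ACF-grammar: (lhs, rhs, constraint -> synthesized attrs or None).
GRAMMAR: List[Tuple[str, List[str], Callable]] = [
    ("Scenario", ["Recon", "Compromise", "Action"], _chain),
    ("Recon", ["Recon", "PortScan"], _chain),        # fold repeated scans
    ("Recon", ["PortScan"], _copy),
    ("Compromise", ["ExploitAttempt"], _copy),
    ("Action", ["DDoSInstall"], _copy),
]
GRAMMAR.sort(key=lambda p: -len(p[1]))   # try longer right-hand sides first


def _matches(stack: List[Node], rhs: List[str], end: int):
    """Yield increasing index tuples whose symbols spell rhs within stack[:end]."""
    if not rhs:
        yield ()
        return
    for i in range(end - 1, -1, -1):
        if stack[i].sym == rhs[-1]:
            for prefix in _matches(stack, rhs[:-1], i):
                yield prefix + (i,)


def _reduce(stack: List[Node]) -> bool:
    """Apply one reduction that consumes the stack top; True if one applied."""
    top = len(stack) - 1
    for lhs, rhs, constraint in GRAMMAR:
        if stack[top].sym != rhs[-1]:
            continue
        for prefix in _matches(stack, rhs[:-1], top):
            idxs = prefix + (top,)
            nodes = [stack[i] for i in idxs]
            attrs = constraint(nodes)
            if attrs is not None:          # attribute check passed
                for i in reversed(idxs):
                    del stack[i]
                stack.append(Node(lhs, attrs, nodes))
                return True
    return False


def parse(alerts: List[Alert]) -> List[Node]:
    """Shift each alert as a token, then reduce as far as the grammar allows."""
    stack: List[Node] = []
    for a in sorted(alerts, key=lambda x: x.t):
        stack.append(Node(a.kind, {"src": a.src, "dst": a.dst, "t": a.t}, alert=a))
        while _reduce(stack):
            pass
    return stack   # the parse forest: scenarios plus uncorrelated leftovers


def leaves(node: Node) -> List[Alert]:
    if node.alert is not None:
        return [node.alert]
    return [a for c in node.children for a in leaves(c)]


def correlation_graph(forest: List[Node]) -> List[Tuple[int, int]]:
    """Edges (earlier alert id -> later alert id) along each recognised scenario."""
    edges: List[Tuple[int, int]] = []
    for n in forest:
        if n.sym == "Scenario":
            ids = [a.aid for a in leaves(n)]
            edges += list(zip(ids, ids[1:]))
    return edges


# Constructed alert stream: one real chain against 192.0.2.10 plus two
# unrelated alerts that must not be pulled into the scenario.
SAMPLE = [
    Alert(1, "PortScan", "203.0.113.7", "192.0.2.10", 100),
    Alert(2, "PortScan", "203.0.113.7", "192.0.2.10", 130),
    Alert(3, "PortScan", "198.51.100.4", "192.0.2.20", 140),
    Alert(4, "ExploitAttempt", "203.0.113.7", "192.0.2.10", 200),
    Alert(5, "ExploitAttempt", "198.51.100.9", "192.0.2.30", 220),
    Alert(6, "DDoSInstall", "203.0.113.7", "192.0.2.10", 260),
]

if __name__ == "__main__":
    forest = parse(SAMPLE)
    print([(n.sym, n.attrs["dst"]) for n in forest])
    print(correlation_graph(forest))
```

On the constructed stream the parser folds the two scans on 192.0.2.10 into one Recon node, leaves the scan on 192.0.2.20 and the exploit on 192.0.2.30 as uncorrelated leftovers, and recognises one Scenario whose correlation graph is the chain 1 -> 2 -> 4 -> 6.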
Al-Mamory, S.O., Zhang, H. IDS alerts correlation using grammar-based approach. J Comput Virol 5, 271–282 (2009). https://doi.org/10.1007/s11416-008-0103-3