Hypothesizing and reasoning about attacks missed by intrusion detection systems

Published: 11 November 2004

Abstract

Several alert correlation methods have been proposed over the past several years to construct high-level attack scenarios from low-level intrusion alerts reported by intrusion detection systems (IDSs). However, all of these methods depend heavily on the underlying IDSs and cannot deal with attacks missed by the IDSs. In order to improve the performance of intrusion alert correlation and reduce the impact of missed attacks, this paper presents a series of techniques to hypothesize and reason about attacks possibly missed by the IDSs. In addition, this paper discusses techniques to infer attribute values for hypothesized attacks, to validate hypothesized attacks against raw audit data, and to consolidate hypothesized attacks to generate concise attack scenarios. The experimental results in this paper demonstrate the potential of these techniques in building high-level attack scenarios.

Published In

ACM Transactions on Information and System Security, Volume 7, Issue 4
November 2004
139 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1042031
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Intrusion alert correlation
  2. intrusion detection
  3. missed attacks

Cited By

  • (2022) RAPID: Real-Time Alert Investigation with Context-aware Prioritization for Efficient Threat Discovery. Proceedings of the 38th Annual Computer Security Applications Conference, 827-840. DOI: 10.1145/3564625.3567997. Online publication date: 5 Dec 2022.
  • (2018) A Systematic Mapping Study on Intrusion Alert Analysis in Intrusion Detection Systems. ACM Computing Surveys 51(3), 1-41. DOI: 10.1145/3184898. Online publication date: 22 Jun 2018.
  • (2018) A systematic survey on multi-step attack detection. Computers & Security 76, 214-249. DOI: 10.1016/j.cose.2018.03.001. Online publication date: Jul 2018.
  • (2016) CyGraph. Cognitive Computing: Theory and Applications, 117-167. DOI: 10.1016/bs.host.2016.07.001. Online publication date: 2016.
  • (2013) Enhancing IDS performance through comprehensive alert post-processing. Computers and Security 37, 176-196. DOI: 10.1016/j.cose.2013.03.005. Online publication date: 1 Sep 2013.
  • (2013) Alert Correlation Algorithms: A Survey and Taxonomy. Cyberspace Safety and Security, 183-197. DOI: 10.1007/978-3-319-03584-0_14. Online publication date: 13 Nov 2013.
  • (2012) A comprehensive design for decision engine in network intrusion detection and prevention system. 6th International Symposium on Telecommunications (IST), 959-964. DOI: 10.1109/ISTEL.2012.6483125. Online publication date: Nov 2012.
  • (2011) A distributional attack scenario monitoring system based on dynamic peer-to-peer overlay hierarchy. 2011 International Conference on Machine Learning and Cybernetics, 348-355. DOI: 10.1109/ICMLC.2011.6016716. Online publication date: Jul 2011.
  • (2011) Alert correlation in collaborative intelligent intrusion detection systems: A survey. Applied Soft Computing 11(7), 4349-4365. DOI: 10.1016/j.asoc.2010.12.004. Online publication date: 1 Oct 2011.
  • (2010) A Host-Based Intrusion Detection System Using Architectural Features to Improve Sophisticated Denial-of-Service Attack Detections. International Journal of Information Security and Privacy 4(1), 18-31. DOI: 10.4018/jisp.2010010102. Online publication date: 1 Jan 2010.