DOI: 10.1145/1416729.1416776
research-article

Modeling of information system correlated events time dependencies

Published: 23 June 2008

Abstract

Much work has been done on event correlation and intrusion detection. Although these works use different methods and correlation approaches, they all stress the importance of time in their models. In this paper, we extend our previous work on Bayesian behavioural intrusion detection with an explicit treatment of time. Using a probabilistic approach, we introduce time into the profile of user/system interactions, so that the enriched profile captures the time dependencies among correlated alerts. Some works rely on attack-graph scenarios in which the time dependencies are defined explicitly by hand; in our approach, they are learnt during a training period.
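The contrast the abstract draws, between time dependencies written down explicitly in an attack-graph scenario and dependencies learnt during a training period, is sketched below in an added example. It is not the paper's model or code: the event names, the training traces and the per-transition Gaussian model of inter-event delay (mean and spread learnt for each pair of consecutive event types, with a transition flagged when its delay exceeds a z-score threshold) are all assumptions chosen for illustration.

```python
"""Learn inter-event time dependencies from a training period and score new
event sequences against them.

Added illustration only: the per-transition Gaussian-delay model, the event
names and the training traces below are assumptions, not the paper's own
Bayesian profile or data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training traces: one list of (seconds, event_type) per session.
TRAINING_SESSIONS = [
    [(0, "login"), (10, "read"), (20, "write"), (30, "logout")],
    [(0, "login"), (12, "read"), (22, "write"), (30, "logout")],
    [(0, "login"), (8, "read"), (18, "write"), (32, "logout")],
    [(0, "login"), (10, "read"), (20, "write"), (30, "logout")],
]

# Attack-graph style alternative: time windows written down by hand
# (constructed values) rather than learnt from the trace.
EXPLICIT_WINDOWS = {
    ("login", "read"): (5, 15),
    ("read", "write"): (5, 15),
    ("write", "logout"): (5, 15),
}

MIN_STD = 1.0  # assumed floor so a constant delay does not yield a zero spread


def transitions(session):
    """Yield (type_a, type_b, delay_seconds) for consecutive events in a session."""
    ordered = sorted(session)
    for (t0, a), (t1, b) in zip(ordered, ordered[1:]):
        yield a, b, t1 - t0


def learn_profile(sessions):
    """Training period: per ordered pair of event types, learn mean and spread
    of the delay between them.  Returns {(a, b): (mean, std, sample_count)}."""
    delays = defaultdict(list)
    for session in sessions:
        for a, b, delay in transitions(session):
            delays[(a, b)].append(delay)
    return {
        pair: (mean(ds), max(pstdev(ds), MIN_STD), len(ds))
        for pair, ds in delays.items()
    }


def score_session(profile, session, z_threshold=3.0):
    """Detection: flag transitions never seen in training and transitions whose
    delay deviates from the learnt mean by more than z_threshold spreads."""
    anomalies = []
    for a, b, delay in transitions(session):
        if (a, b) not in profile:
            anomalies.append(("unseen_transition", (a, b), delay, None))
            continue
        mu, sigma, _ = profile[(a, b)]
        z = (delay - mu) / sigma
        if abs(z) > z_threshold:
            anomalies.append(("timing", (a, b), delay, round(z, 2)))
    return anomalies


def check_explicit(windows, session):
    """Hand-specified alternative: every transition must fall inside its window;
    anything not written down counts as a violation."""
    violations = []
    for a, b, delay in transitions(session):
        bounds = windows.get((a, b))
        if bounds is None or not (bounds[0] <= delay <= bounds[1]):
            violations.append(((a, b), delay))
    return violations


if __name__ == "__main__":
    profile = learn_profile(TRAINING_SESSIONS)
    normal = [(0, "login"), (11, "read"), (21, "write"), (31, "logout")]
    slow = [(0, "login"), (300, "read"), (301, "write"), (302, "logout")]
    for name, session in (("normal", normal), ("slow", slow)):
        print(name, "learnt:", score_session(profile, session))
        print(name, "explicit:", check_explicit(EXPLICIT_WINDOWS, session))
```

Running the script scores a normal session and one with a 300-second pause after login against both the learnt profile and the hand-written windows. The learnt profile also flags a transition that never occurred in training, which a hand-written scenario only catches if someone thought to write it down. A real profile needs far more than the four constructed sessions, and the spread floor MIN_STD is a crude guard against zero variance, not a substitute for a proper prior.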


Published In

NOTERE '08: Proceedings of the 8th international conference on New technologies in distributed systems
June 2008
399 pages
ISBN:9781595939371
DOI:10.1145/1416729
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Sponsors

  • Lyon 1 University
  • SIGAPP: ACM Special Interest Group on Applied Computing
  • Mairie de Villeurbanne
  • Conseil Général du Rhône
  • INSA Lyon: Institut National des Sciences Appliquées de Lyon
  • Conseil Régional Rhône-Alpes
  • Mutuelle d'assurance MAIF
  • I.U.T.A LYON 1: Institute of Technology Lyon 1
  • Ministère de l'Enseignement Supérieur et de la Recherche
  • Lyon 2 University
  • ISTASE: High-Level Engineering School in Telecommunication
  • France Telecom
  • LIRIS: Lyon Research Center for Images and Intelligent Information Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Bayesian network
  2. behavior
  3. global vision
  4. intrusion detection

Qualifiers

  • Research-article

Bibliometrics & Citations

Article Metrics

  • Total Citations: 0
  • Total Downloads: 158
  • Downloads (last 12 months): 0
  • Downloads (last 6 weeks): 0

Reflects downloads up to 05 Mar 2025
