2010 24th IEEE International Conference on Advanced Information Networking and Applications
MARS: Multi-stage Attack Recognition System
Perth, Australia
April 20-April 23
ISBN: 978-0-7695-4018-4
Network Intrusion Detection Systems (NIDS) are regarded as essential mechanisms for reliable security. Signature-based NIDS use an intrusive model: attack patterns are defined as signatures, and signature matching is applied to incoming traffic packets. Thousands of signatures and rules are created to specify different attacks and the variations of a single attack. As a result, an enormous volume of low-value data is produced that overwhelms the network administrator. Most of the generated alerts are false positives, owing to the redundancy caused by the detection techniques and to the low-level, packet-by-packet processing at which they operate. Moreover, current systems do not detect novel and multi-stage attacks efficiently. Hence, a high-level view of the attacker's behaviour has become a pressing demand. Alert correlation techniques have been widely used to provide intelligent and stateful detection methodologies, in order to understand attack steps and predict the expected sequence of events. However, most of the proposed systems rely on rule libraries specified by security experts, which is a cumbersome and error-prone task. Other methods are based on statistical models, which are unable to identify causal relationships between events. In this paper we identify the limitations of the current techniques and propose an alert correlation framework that overcomes these shortcomings. An improved "cause and effect" model is presented, cooperating with a statistical model to achieve a higher detection rate with minimum false positives. A knowledge-based model with vulnerability and extensional-consequence parameters has been developed to provide a manageable and meaningful attack graph. The proposed system is evaluated using the DARPA 2000 data set and real-life data sets collected by the authors. The results show an improvement in detection rate and a reduction in false positives.
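The abstract describes the knowledge-based half of the approach: alerts are fused to remove redundancy, each alert type is annotated with the prerequisites it needs and the consequences it establishes, and a vulnerability parameter decides whether an exploit alert against a given host is credible. The following is an added illustration of that idea, not MARS's own code or the paper's knowledge base; the signature names, predicates, the five-second fusion window, the host inventory and the sample alerts are all constructed for the example, and the statistical component is not shown.

```python
"""Prerequisite/consequence alert correlation on Snort-style alerts (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample alerts (not from the paper or the DARPA 2000 set):
# (time in seconds, signature name, source host, destination host)
SAMPLE_ALERTS = [
    (1,  "ICMP PING",            "10.0.0.5",     "192.168.1.10"),
    (2,  "ICMP PING",            "10.0.0.5",     "192.168.1.10"),
    (3,  "ICMP PING",            "10.0.0.5",     "192.168.1.10"),
    (10, "SADMIND PING",         "10.0.0.5",     "192.168.1.10"),
    (15, "SADMIND EXPLOIT",      "10.0.0.7",     "192.168.1.20"),  # no recon, target not vulnerable
    (20, "SADMIND EXPLOIT",      "10.0.0.5",     "192.168.1.10"),
    (30, "RSH LOGIN",            "10.0.0.5",     "192.168.1.10"),
    (40, "DDOS MSTREAM HANDLER", "192.168.1.10", "10.0.0.99"),
]

# Assumed knowledge base: signature -> (prerequisites, consequences, service the attack needs).
# A prerequisite (predicate, role) must already hold for the alert's src or dst host;
# consequences are asserted about the dst host once the alert is accepted.
KNOWLEDGE_BASE = {
    "ICMP PING":            ((),                            ("host_alive",),      None),
    "SADMIND PING":         ((("host_alive", "dst"),),      ("sadmind_present",), None),
    "SADMIND EXPLOIT":      ((("sadmind_present", "dst"),), ("root_access",),     "sadmind"),
    "RSH LOGIN":            ((("root_access", "dst"),),     ("remote_shell",),    None),
    "DDOS MSTREAM HANDLER": ((("remote_shell", "src"),),    ("ddos_agent",),      None),
}

# Assumed vulnerability inventory: host -> services it is known to run.
VULNERABLE_SERVICES = {"192.168.1.10": {"sadmind"}}

WINDOW = 5  # seconds; identical alerts this close together are fused into one hyper-alert


@dataclass
class HyperAlert:
    sig: str
    src: str
    dst: str
    start: int
    end: int
    count: int = 1
    causes: List[int] = field(default_factory=list)  # indices of hyper-alerts that enabled this one
    plausible: bool = True                          # False if the target lacks the needed service


def aggregate(alerts) -> List[HyperAlert]:
    """Fuse repeated (sig, src, dst) alerts within WINDOW seconds into one hyper-alert."""
    out: List[HyperAlert] = []
    last: Dict[Tuple[str, str, str], HyperAlert] = {}
    for t, sig, src, dst in sorted(alerts):
        key = (sig, src, dst)
        h = last.get(key)
        if h is not None and t - h.end <= WINDOW:
            h.end, h.count = t, h.count + 1
        else:
            h = HyperAlert(sig, src, dst, t, t)
            out.append(h)
            last[key] = h
    return out


def correlate(hyper: List[HyperAlert]) -> List[HyperAlert]:
    """Link each hyper-alert to earlier ones whose consequences satisfy its prerequisites."""
    facts: Dict[Tuple[str, str], List[int]] = {}  # (predicate, host) -> hyper-alert indices
    for i, h in enumerate(hyper):
        prereqs, conseqs, service = KNOWLEDGE_BASE[h.sig]
        for pred, role in prereqs:
            host = h.dst if role == "dst" else h.src
            h.causes.extend(facts.get((pred, host), []))
        if service is not None and service not in VULNERABLE_SERVICES.get(h.dst, set()):
            h.plausible = False  # exploit against a host that does not run the service
            continue             # so its consequences are not asserted
        for pred in conseqs:
            facts.setdefault((pred, h.dst), []).append(i)
    return hyper


def scenarios(hyper: List[HyperAlert]) -> List[List[str]]:
    """Walk the cause links backwards from each plausible hyper-alert nothing depends on."""
    depended = {c for h in hyper for c in h.causes}
    chains = []
    for i, h in enumerate(hyper):
        if i in depended or not h.plausible:
            continue
        chain, cur = [], i
        while True:
            chain.append(hyper[cur].sig)
            if not hyper[cur].causes:
                break
            cur = hyper[cur].causes[-1]  # follow the most recent enabling alert
        chains.append(list(reversed(chain)))
    return chains


if __name__ == "__main__":
    fused = correlate(aggregate(SAMPLE_ALERTS))
    for chain in scenarios(fused):
        print(" -> ".join(chain))
    for h in fused:
        if not h.plausible:
            print(f"suppressed: {h.sig} {h.src}->{h.dst} (target not vulnerable)")
```

On the constructed input the three pings collapse into one hyper-alert, the reconnaissance, exploit, login and DDoS-installation alerts form a single five-step scenario, and the exploit against 192.168.1.20 is both uncorrelated (no prior probe established that sadmind is present) and implausible (the inventory lists no sadmind on that host), so it is reported as suppressed rather than as an attack step.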
Index Terms:
Network intrusion detection systems, alert correlation, multi-stage attacks
Citation:
Faeiz Alserhani, Monis Akhlaq, Irfan U. Awan, Andrea J. Cullen, Pravin Mirchandani, "MARS: Multi-stage Attack Recognition System," AINA 2010, pp. 753-759, 2010 24th IEEE International Conference on Advanced Information Networking and Applications, 2010