A Comprehensive Approach to Intrusion Detection Alert Correlation
July-September 2004 (vol. 1 no. 3)
pp. 146-169
Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. Unfortunately, most approaches to correlation concentrate on just a few components of the process, providing formalisms and techniques that address only specific correlation issues. This paper presents a general correlation model that includes a comprehensive set of components and a framework based on this model. A tool using the framework has been applied to a number of well-known intrusion detection data sets to identify how each component contributes to the overall goals of correlation. The results of these experiments show that the correlation components are effective in achieving alert reduction and abstraction. They also show that the effectiveness of a component depends heavily on the nature of the data set analyzed.
Index Terms:
Intrusion detection, alert correlation, alert reduction, correlation data sets.
Citation:
Fredrik Valeur, Giovanni Vigna, Christopher Kruegel, Richard A. Kemmerer, "A Comprehensive Approach to Intrusion Detection Alert Correlation," IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 3, pp. 146-169, July-Sept. 2004, doi:10.1109/TDSC.2004.21