Active Event Correlation in Bro IDS to Detect Multi-stage Attacks

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Bing Chen Articles by Joohan Lee Articles by Annie S. Wu

Fourth IEEE International Workshop on Information Assurance (IWIA'06)

Royal Holloway, United Kingdom

April 13-April 14

ISBN: 0-7695-2564-4

	ASCII Text	x
	Bing Chen, Joohan Lee, Annie S. Wu, "Active Event Correlation in Bro IDS to Detect Multi-stage Attacks," Information Assurance, IEEE International Workshop on/Innovative Architecture for Future Generation High-Performance Processors and Systems, International Workshop on/Innovative Architecture, International Workshop on, pp. 32-50, Fourth IEEE International Workshop on Information Assurance (IWIA'06), 2006.

	BibTex	x
	@article{ 10.1109/IWIA.2006.2, author = {Bing Chen and Joohan Lee and Annie S. Wu}, title = {Active Event Correlation in Bro IDS to Detect Multi-stage Attacks}, journal ={Information Assurance, IEEE International Workshop on/Innovative Architecture for Future Generation High-Performance Processors and Systems, International Workshop on/Innovative Architecture, International Workshop on}, volume = {0}, year = {2006}, isbn = {0-7695-2564-4}, pages = {32-50}, doi = {http://doi.ieeecomputersociety.org/10.1109/IWIA.2006.2}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Information Assurance, IEEE International Workshop on/Innovative Architecture for Future Generation High-Performance Processors and Systems, International Workshop on/Innovative Architecture, International Workshop on TI - Active Event Correlation in Bro IDS to Detect Multi-stage Attacks SN - 0-7695-2564-4 SP32 EP50 A1 - Bing Chen, A1 - Joohan Lee, A1 - Annie S. Wu, PY - 2006 KW - null VL - 0 JA - Information Assurance, IEEE International Workshop on/Innovative Architecture for Future Generation High-Performance Processors and Systems, International Workshop on/Innovative Architecture, International Workshop on ER -

Bing Chen, University of Central Florida

Joohan Lee, University of Central Florida

Annie S. Wu, University of Central Florida

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/IWIA.2006.2

Many recent computer attacks have been launched in multiple stages to evade the detection of existing Intrusion Detection Systems (IDS). Some stages of the attack may appear innocent if checked separately. Furthermore, the intervals between these separate attack stages can be on the order of hours, days, or even months. These characteristics of multi-stage attacks make the detection task challending for most existing IDSs that are stateless in that they perform intrusion detection by independently checking individual packets, connections or sessions. In this paper, we propose a novel approach, Active Event Correlation (AEC), which collects and correlates suspicious network events inside a Network Intrusion Detection System (NIDS). AEC infers the possibility of attacks in the context of security policies and blocks attacks before they are completed. We have implemented AEC on top of the Bro NIDS [13]. Experiments indicate that AEC can effectively recognize and correlate individual stages of multi-stage attacks, stop incomplete attack stages, and give network administrators meaningful and concise alerts.

Citation:

Bing Chen, Joohan Lee, Annie S. Wu, "Active Event Correlation in Bro IDS to Detect Multi-stage Attacks," iwia, pp.32-50, Fourth IEEE International Workshop on Information Assurance (IWIA'06), 2006

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.