The Community for Technology Leaders
RSS Icon
Subscribe
Tucson, Arizona
Dec. 6, 2004 to Dec. 10, 2004
ISBN: 0-7695-2252-1
pp: 350-359
Steven Noel , George Mason University
Eric Robertson , George Mason University
Sushil Jajodia , George Mason University
ABSTRACT
We map intrusion events to known exploits in the network attack graph, and correlate the events through the corresponding attack graph distances. From this, we construct attack scenarios, and provide scores for the degree of causal correlation between their constituent events, as well as an overall relevancy score for each scenario. While intrusion event correlation and attack scenario construction have been previously studied, this is the first treatment based on association with network attack graphs. We handle missed detections through the analysis of network vulnerability dependencies, unlike previous approaches that infer hypothetical attacks. In particular, we quantify lack of knowledge through attack graph distance. We show that low-pass signal filtering of event correlation sequences improves results in the face of erroneous detections. We also show how a correlation threshold can be applied for creating strongly correlated attack scenarios. Our model is highly efficient, with attack graphs and their exploit distances being computed offline. Online event processing requires only a database lookup and a small number of arithmetic operations, making the approach feasible for real-time applications.
INDEX TERMS
null
CITATION
Steven Noel, Eric Robertson, Sushil Jajodia, "Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances", ACSAC, 2004, Computer Security Applications Conference, Annual, Computer Security Applications Conference, Annual 2004, pp. 350-359, doi:10.1109/CSAC.2004.11
16 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool