CAPABILITY MODEL BASED ALERT CORRELATION by NAVNEET
Author: NAVNEET

Abstract
Most of the existing intrusion detection systems (IDS) often generate large numbers of alerts which contain numerous false positives and non-relevant positives. Alert correlation techniques aim to aggregate and combine the outputs of single/multiple IDS to provide a concise and broad view of the security state of the network. A capability based alert correlator uses the notion of capability to correlate IDS alerts, where a capability is the abstract view of an attack extracted from one or more IDS alerts. To make the correlation process semantically correct and systematic, there is a need to identify the algebraic and set properties of capabilities. In this work, the potential algebraic properties of capability are identified in terms of operations, relations and inferences. These properties give better insight into the logical association between capabilities, which helps in making the system modular. A variant of the correlation algorithm is presented which uses these algebraic properties. To make these operations more realistic, the existing capability model has been extended by adding a time-based notion which helps to avoid temporal ambiguity between capability instances. We also propose the Attack Capability Modeling Language (ACML) used for the capability model. It is a specification and description language that has been utilized to express the capability gained by the attacker at each step in the intrusion process. These capabilities have been defined using the IDS alerts. The language also provides for the specification of complete attack scenarios in terms of the capabilities of the intruder. This, in turn, helps to determine the state of the system in terms of the extent of infiltration. ACML helps to avoid ambiguity in capability specifications while sharing them among developers.
We also propose the Attack Capability Modeling Framework (ACMF), which forms the basis of a capability model-based semi-automated alert correlation process that has been used to detect and identify attack scenarios from IDS alerts. Additionally, the language also has features for customizing the definitions of these structures as well as for customizing the correlation algorithm.
Similar references
Algebra for Capability Based Attack Correlation
Most of the existing intrusion detection systems (IDS) often generate large numbers of alerts which contain numerous false positives and non-relevant positives. Alert correlation techniques aim to aggregate and combine the outputs of single/multiple IDS to provide a concise and broad view of the security state of the network. Capability based alert correlator uses the notion of capability to correlate ...
ACMF: Framework for modeling attack based on Capability Model
In this paper, we propose the Attack capability modeling framework (ACMF) which forms the basis of a capability model-based semi-automated alert correlation process used to detect and identify the attack scenarios from IDS alerts. The framework defines the tools for the implementation of algebraic structures of capability as defined in Pandey et al. These structures are used as building blocks to sp...
Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach
Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in ...
Intrusion Alert Correlation Technique Analysis for Heterogeneous Log
Intrusion alert correlation is a multi-step process that receives alerts from heterogeneous log resources as input and produces a high-level description of the malicious activity on the network. The objective of this study is to analyse the current alert correlation techniques and identify the significant criteria in each technique that can improve the Intrusion Detection System (IDS) problem suc...
Alert correlation and prediction using data mining and HMM
Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they seem to be promising technologies, they pose some serious drawbacks: When utilized in large and high traffic networks, IDSs generate high volumes of low-level alerts which are hardly manageable. Accordingly, there emerged a recent track of security research, focused on alert correlation, which ext...