CAPABILITY MODEL BASED ALERT CORRELATION by NAVNEET

Author

  • NAVNEET KUMAR PANDEY
Abstract

Most existing intrusion detection systems (IDS) generate large numbers of alerts, many of which are false positives or irrelevant positives. Alert correlation techniques aim to aggregate and combine the outputs of one or more IDS to provide a concise and broad view of the security state of a network. A capability-based alert correlator uses the notion of capability to correlate IDS alerts, where a capability is the abstract view of an attack extracted from one or more IDS alerts. To make the correlation process semantically correct and systematic, the algebraic and set properties of capabilities need to be identified. In this work, the potential algebraic properties of capability are identified in terms of operations, relations and inferences. These properties give better insight into the logical association between capabilities, which helps make the system modular. A variant of the correlation algorithm that uses these algebraic properties is presented. To make these operations more realistic, the existing capability model has been extended with a time-based notion, which avoids temporal ambiguity between capability instances. We also propose the Attack Capability Modeling Language (ACML) for the capability model. It is a specification and description language used to express the capability gained by the attacker at each step of the intrusion process. These capabilities have been defined using the IDS alerts. The language also allows complete attack scenarios to be specified in terms of the intruder's capabilities. This, in turn, helps determine the state of the system in terms of the extent of infiltration. ACML helps avoid ambiguity in capability specifications when they are shared among developers.
We also propose the Attack Capability Modeling Framework (ACMF), which forms the basis of a capability model-based semi-automated alert correlation process that has been used to detect and identify attack scenarios from IDS alerts. Additionally, the language provides features for customizing the definitions of these structures as well as for customizing the correlation algorithm.


Similar sources

Algebra for Capability Based Attack Correlation

Most existing intrusion detection systems (IDS) generate large numbers of alerts, many of which are false positives or irrelevant positives. Alert correlation techniques aim to aggregate and combine the outputs of one or more IDS to provide a concise and broad view of the security state of a network. A capability-based alert correlator uses the notion of capability to correlate ...

ACMF: Framework for modeling attack based on Capability Model

In this paper, we propose the Attack Capability Modeling Framework (ACMF), which forms the basis of a capability model-based semi-automated alert correlation process used to detect and identify attack scenarios from IDS alerts. The framework defines the tools for implementing the algebraic structures of capability as defined in Pandey et al. These structures are used as building blocks to sp...

Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach

Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems in order to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real time. The proposed method is based on a causal approach because of the strength of causal methods in ...

Intrusion Alert Correlation Technique Analysis for Heterogeneous Log

Intrusion alert correlation is a multi-step process that receives alerts from heterogeneous log sources as input and produces a high-level description of the malicious activity on the network. The objective of this study is to analyse current alert correlation techniques and identify the significant criteria in each technique that can improve Intrusion Detection System (IDS) problems suc...

Alert correlation and prediction using data mining and HMM

Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they are promising technologies, they have some serious drawbacks: when deployed in large, high-traffic networks, IDSs generate high volumes of low-level alerts that are hard to manage. Accordingly, a recent track of security research has emerged, focused on alert correlation, which ext...


Publication date: 2008