Full research record in the university data repository

Research Title (Papers / Research Title)


Building Scenario Graph Using Clustering


Author / Editor / Publisher

 
صفاء عبيس مهدي المعموري

Citation Information


صفاء عبيس مهدي المعموري, Building Scenario Graph Using Clustering, Time 6/12/2011 7:08:58 AM : College of Information Technology

Abstract


Building Scenario Graph Using Clustering

Full Abstract


Building Scenario Graph Using Clustering

Safaa O. Al-Mamory, School of Computer Science, Harbin Institute of Technology, Harbin, China, Safaa_vb@yahoo.com

Hong Li Zhang, School of Computer Science, Harbin Institute of Technology, Harbin, China, zhl@pact518.hit.edu.cn


 
Abstract:

The increasing use of Network Intrusion Detection Systems (NIDSs), combined with a relatively high false alert rate, can produce a huge volume of alerts. This makes it very difficult for security analysts to detect long-running attacks. In this paper, we propose a system that represents a set of alerts as subattacks, then correlates these subattacks and generates abstracted scenario graphs (SGs) that reflect attack scenarios. We conducted the experiments using Snort as the NIDS with different datasets that contain multistep attacks. The resulting compressed SGs show that our method can correlate related alerts, uncover attack strategies, and detect new variations of attacks.

   
Introduction:

When the NIDS detects a set of attacks, it generates many alerts that refer to security breaches. Unfortunately, the NIDS cannot deduce anything from these separate attacks. Alert correlation is therefore an important solution for linking separate attacks, giving alerts additional meaning, and inferring attack scenarios. Alert correlation and analysis is a critical task in security management. Recently, several techniques and approaches have been proposed to correlate and analyze security alerts; most of them focus on the aggregation and analysis of raw security alerts and on building attack scenarios. An interesting method is the work of Ning et al. [1]. They proposed an alert correlation model based on the observation that most intrusions consist of many stages, with the early stages preparing for the later ones. They collected alerts from the NIDS, correlated them off-line, and tried to draw a big picture (through SGs) of what happens in the monitored network. However, there are some shortcomings.


   