Research Title
Scenario Discovery Using Abstracted Correlation Graph
Author / Editor / Publisher
صفاء عبيس مهدي المعموري
Citation Information
صفاء عبيس مهدي المعموري, Scenario Discovery Using Abstracted Correlation Graph, Time 6/12/2011 10:09:10 AM: College of Information Technology
Abstract
Scenario Discovery Using Abstracted Correlation Graph
Full Abstract
Scenario Discovery Using Abstracted Correlation Graph
Safaa O. Al-Mamory, School of Computer Science, Harbin Institute of Technology, Harbin, China, Safaa_vb@yahoo.com
Hong Li Zhang, School of Computer Science, Harbin Institute of Technology, Harbin, China, zhl@pact518.hit.edu.cn
Abstract:-
Intrusion alert correlation techniques correlate alerts into meaningful groups or attack scenarios so that human analysts can understand them more easily. These correlation techniques have different strengths and limitations. However, all of them depend heavily on the underlying network intrusion detection systems (NIDSs) and perform poorly when the NIDSs miss critical attacks. In this paper, a system is proposed that represents a set of alerts as subattacks, then correlates these subattacks and generates abstracted correlation graphs (CGs) which reflect attack scenarios. It also represents attack scenarios by classes of alerts instead of the alerts themselves, to reduce the number of rules required and to detect new variations of attacks. The experiments were conducted using Snort as the NIDS with different datasets that contain multistep attacks. The resulting CGs imply that our method can correlate related alerts, uncover the attack strategies, and detect new variations of attacks.
Introduction:-
When the NIDS detects a set of attacks, it generates many alerts that refer to security breaches. Unfortunately, the NIDS cannot deduce anything from these separate attacks. Alert correlation is therefore an important solution to link separate attacks, to give alerts another meaning, and to infer attack scenarios. Alert correlation and analysis is a critical task in security management. Recently, several techniques and approaches have been proposed to correlate and analyze security alerts; most of them focus on the aggregation and analysis of raw security alerts and build attack scenarios. An interesting method is the work of Ning et al. [1]. They proposed an alert correlation model based on the observation that most intrusions consist of many stages, with the early stages preparing for the later ones. They collected alerts from the NIDS, correlated them off-line, and tried to draw a big picture, through correlation graphs (CGs), of what happens in the network. However, there are some shortcomings associated with this method:
1. The graph explosion problem that occurs in the generated CGs makes the resulting graphs complex and hard to understand.
2. A huge number of rules is needed to draw these graphs, one representing the prerequisites and consequences of each alert type.
3. Attacks missed by the NIDS break the chain of prerequisites and consequences, so the resulting graphs split into separate CGs.
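The prerequisite/consequence matching the introduction attributes to Ning et al., with rules written per alert class as the abstract proposes, as an added Python example that is not code from the paper or this page. The signature names, class names, predicate names and the alert stream are all constructed; removing one alert from the stream reproduces shortcoming 3, where a missed step yields two separate CGs instead of one.

```python
# Constructed signature names mapped to abstract alert classes; one rule per class.
ALERT_CLASS = {"PING sweep": "Recon", "PORT scan": "Recon",
               "RPC service probe": "ServiceProbe",
               "RPC buffer overflow": "RemoteExploit",
               "REMOTE shell login": "RemoteAccess"}
# class -> (prerequisite predicates, consequence predicates); names are constructed
RULES = {"Recon": (set(), {"HostAlive"}),
         "ServiceProbe": ({"HostAlive"}, {"VulnService"}),
         "RemoteExploit": ({"VulnService"}, {"RootShell"}),
         "RemoteAccess": ({"RootShell"}, {"Persistence"})}

def correlate(alerts):
    """CG edges (i, j): an earlier alert i on the same host has a consequence
    that satisfies a prerequisite of alert j."""
    edges = []
    for i, a in enumerate(alerts):
        cons = RULES[ALERT_CLASS[a["sig"]]][1]
        for j, b in enumerate(alerts):
            pre = RULES[ALERT_CLASS[b["sig"]]][0]
            if a["ts"] < b["ts"] and a["dst"] == b["dst"] and cons & pre:
                edges.append((i, j))
    return edges

def scenarios(alerts):
    """Connected components of the CG, one per attack scenario; a step the
    NIDS missed breaks the chain and shows up as an extra component."""
    adj = {}
    for i, j in correlate(alerts):
        adj.setdefault(i, set()).add(j)
        adj.setdefault(j, set()).add(i)
    seen, groups = set(), []
    for start in range(len(alerts)):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj.get(n, ()))
        seen |= comp
        groups.append(sorted(alerts[k]["sig"] for k in comp))
    return groups
# Constructed alert stream for one multistep attack on host 10.0.0.5
ALERTS = [{"ts": t, "sig": s, "dst": "10.0.0.5"} for t, s in enumerate(
    ["PING sweep", "PORT scan", "RPC service probe",
     "RPC buffer overflow", "REMOTE shell login"])]
# The same attack when the NIDS misses the exploit step (shortcoming 3 above)
MISSED = [a for a in ALERTS if a["sig"] != "RPC buffer overflow"]
```

Both Recon signatures share a single rule, which is the rule reduction the abstract describes; `scenarios(MISSED)` returns two components because nothing supplies the RootShell prerequisite of the shell login once the exploit alert is gone.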