and aggregation function in detail to parameterize the algorithm. Finally, we tested the capabilities and analyzed the influence of the parameters using a real data set of alerts generated from our university network.

The algorithm is implemented and tested on real data. As this data set is still small, we want to conduct more experiments using larger data sets. Running multiple attacks against the secured network that (partially) cover the AG would also be useful for analyzing the efficiency and performance of the algorithm. Although the srcdst-based matching filters about 95% of the alerts, it might still be possible to improve this matching by using attack categories or ontologies, which could strengthen the filtering without making the results inaccurate. Furthermore, the algorithm is computationally expensive, especially the Floyd-Warshall step; this could be improved by providing a multi-core-compliant version of the algorithm. Apart from IDMEF alerts, there are additional data sources (e.g., log files) that could be used for AG-based correlation; these should be supported by a more flexible mapping function.
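The two mechanisms the conclusion refers to, srcdst-based matching of alerts onto attack-graph nodes and the Floyd-Warshall all-pairs computation over the AG, are shown together in the following added example. It is illustration code written for this page, not the paper's implementation: the attack graph, its node addresses, the IDMEF-like alert records and the `class` field are all constructed, and the correlation rule (two matched alerts are related when a path exists between their AG nodes) is an assumption about how the mapping is used.

```python
"""Added example (not the paper's code): srcdst matching of IDS alerts onto
attack-graph (AG) nodes, the resulting filter ratio, and Floyd-Warshall
shortest paths over the AG to relate matched alerts.
All hosts, node names and alerts below are constructed."""
from itertools import product

INF = float("inf")

# Constructed AG: node -> (attacker host, victim host). Directed edges are
# exploit steps an attacker can chain. Addresses are assumptions.
AG_NODES = {
    "n1": ("10.0.0.5", "10.0.1.10"),
    "n2": ("10.0.1.10", "10.0.1.20"),
    "n3": ("10.0.1.20", "10.0.2.30"),
    "n4": ("10.0.0.5", "10.0.2.30"),
}
AG_EDGES = [("n1", "n2"), ("n2", "n3"), ("n1", "n4")]

# Constructed IDMEF-like alerts reduced to the fields srcdst matching uses.
ALERTS = [
    {"id": "a1", "src": "10.0.0.5", "dst": "10.0.1.10", "class": "scan"},
    {"id": "a2", "src": "192.0.2.7", "dst": "10.0.1.10", "class": "scan"},
    {"id": "a3", "src": "10.0.1.10", "dst": "10.0.1.20", "class": "exploit"},
    {"id": "a4", "src": "10.0.9.9", "dst": "10.0.9.8", "class": "policy"},
]


def srcdst_match(alerts, nodes):
    """Map each alert to the AG nodes whose (attacker, victim) pair equals the
    alert's (src, dst). Alerts with no matching node are dropped, which is
    the filtering effect the conclusion reports."""
    index = {}
    for node, pair in nodes.items():
        index.setdefault(pair, []).append(node)
    return {a["id"]: index[(a["src"], a["dst"])]
            for a in alerts if (a["src"], a["dst"]) in index}


def filter_ratio(alerts, matched):
    """Fraction of alerts discarded by srcdst matching."""
    return 1 - len(matched) / len(alerts)


def floyd_warshall(nodes, edges):
    """All-pairs shortest path lengths (in exploit steps) over the AG."""
    names = list(nodes)
    dist = {u: {v: (0 if u == v else INF) for v in names} for u in names}
    for u, v in edges:
        dist[u][v] = 1
    # product() varies the first element slowest, so k is the outer loop.
    for k, i, j in product(names, repeat=3):
        if dist[i][k] + dist[k][j] < dist[i][j]:
            dist[i][j] = dist[i][k] + dist[k][j]
    return dist


def correlate(alerts, nodes, edges):
    """Relate matched alerts pairwise: (earlier_id, later_id) -> shortest AG
    path length from any node of the first to any node of the second. Pairs
    with no path are omitted. Alert order in the list is taken as time order."""
    matched = srcdst_match(alerts, nodes)
    dist = floyd_warshall(nodes, edges)
    ids = [a["id"] for a in alerts if a["id"] in matched]
    related = {}
    for x in range(len(ids)):
        for y in range(x + 1, len(ids)):
            best = min(dist[u][v] for u in matched[ids[x]]
                       for v in matched[ids[y]])
            if best < INF:
                related[(ids[x], ids[y])] = best
    return related


if __name__ == "__main__":
    m = srcdst_match(ALERTS, AG_NODES)
    print("matched:", m, "filtered:", filter_ratio(ALERTS, m))
    print("related alerts:", correlate(ALERTS, AG_NODES, AG_EDGES))
```

With the constructed data, half of the alerts fall away at the srcdst step (a2 comes from an address that is no attacker in the AG, a4 involves hosts outside it), and the two survivors are linked because n1 reaches n2 in one step. A category or ontology match, as the conclusion suggests, would be a second key in the index alongside the address pair.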