alert with a previous alert by tracking back to find alerts whose consequences
imply the current alert's prerequisites. Another feature is that if the correlation
algorithm is run in reverse, predictions of future attacks can be obtained.
In implementing basic correlation algorithms using attack graphs, it was
discovered that the output could be poor when the underlying IDS produced false
negative alerts. This could cause scenarios to be split apart, as evidence
suggestive of a link between two scenarios is missing. This problem has been addressed
in various systems [8,6] by adding the ability to hypothesise the existence of the
missing alerts in certain cases. [7] goes as far as to use out-of-band data from a
raw audit log of network traffic to help confirm or deny such hypotheses.
While the meaning of correlated alerts and predicted alerts is clear,
hypothesised results are less easy to interpret. The presence of hypothesised alerts could
mean more than just a lost alert; it could mean any of:
1. The IDS missed the alert due to some noise, packet loss, or other low-level
sensor problem
2. The IDS missed the alert because a novel variation of a known attack was
used
3. The IDS missed the alert because something not covered by the attack graph
happened (a totally new exploit, or a new combination of known exploits)
This work is motivated specifically by the problem of finding novel variations
of attacks. The basic approach is to apply AIS techniques to detect packets
which contain such variations. A correlation algorithm is used to
provide additional safe/dangerous context signals to the AIS, which enable
it to decide which packets to examine. The work aims to integrate a novel AIS
component with existing intrusion detection and alert correlation systems in
order to gain additional detection capability.
2 Background
2.1 Intrusion Alert Correlation
Although the exact implementation details of attack graph algorithms vary, the
basic correlation algorithm takes an alert and an output graph, and modifies the
graph by adding vertices and/or edges to produce an updated output graph
reflecting the current state of the monitored network system.
For the purposes of discussion, an idealised form of correlation output is
defined which hides specific details of the correlation algorithm from the AIS
component. This model, while fairly simple, maps adequately onto the current
state-of-the-art correlation algorithms.
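The correlation step just described, together with the hypothesised-alert handling from the introduction, as an added toy example (not the paper's code): each alert is linked to earlier alerts whose consequences imply its prerequisites, and when no earlier alert provides a prerequisite, the exploit that would have provided it is hypothesised. The knowledge base of prerequisites and consequences, the predicate names and the exploit names are constructed for illustration; exploits are written as (vuln, src, dst) tuples.

```python
from dataclasses import dataclass, field

# Constructed knowledge base: vuln -> (prerequisites, consequences).
# {src}/{dst} are instantiated from the alert's hosts. Predicates named
# reach(...) model network connectivity and need no alert to hold.
KB = {
    "portscan":        ({"reach({src},{dst})"},          {"knows_services({src},{dst})"}),
    "ftp_overflow":    ({"knows_services({src},{dst})"}, {"root({src},{dst})"}),
    "install_rootkit": ({"root({src},{dst})"},           {"persist({src},{dst})"}),
}

def instantiate(preds, src, dst):
    """Bind the placeholder hosts of a predicate set to concrete hosts."""
    return {p.format(src=src, dst=dst) for p in preds}

@dataclass
class Graph:
    vertices: list = field(default_factory=list)      # observed exploits (vuln, src, dst)
    edges: list = field(default_factory=list)         # (earlier_index, current_index)
    hypothesised: list = field(default_factory=list)  # exploits the IDS presumably missed

def correlate(graph, alert):
    """Add one alert to the output graph and return the updated graph."""
    vuln, src, dst = alert
    graph.vertices.append(alert)
    cur = len(graph.vertices) - 1
    for pre in instantiate(KB[vuln][0], src, dst):
        matched = False
        # Track back: earlier alerts whose consequences imply this prerequisite.
        for i, (pv, ps, pd) in enumerate(graph.vertices[:cur]):
            if pre in instantiate(KB[pv][1], ps, pd):
                graph.edges.append((i, cur))
                matched = True
        if matched or pre.startswith("reach("):
            continue
        # Nothing observed provides the prerequisite: hypothesise the exploit
        # whose consequences would have, i.e. the alert the IDS likely missed.
        for hv, (_, hc) in KB.items():
            if pre in instantiate(hc, src, dst):
                graph.hypothesised.append((hv, src, dst))
    return graph

def build_graph(alerts):
    """Run the correlation over an alert stream and return the final graph."""
    graph = Graph()
    for alert in alerts:
        correlate(graph, alert)
    return graph
```

With the stream portscan, install_rootkit (the ftp_overflow alert lost by the sensor), the two observed alerts stay unlinked and ("ftp_overflow", "A", "B") is hypothesised, which is exactly the split-scenario case the text describes.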
Firstly, as in [8], exploits are viewed as a 3-tuple (vuln, src, dst) where vuln is
the identity of a known exploit and src and dst refer to two hosts which must be
connected for the exploit to be carried out across the network. An injective
function “f” (ALERT → EXPLOIT). This is because there may be several
variations of a single exploit, each requiring a different signature from the underlying