Enhanced Correlation in an Intrusion Detection Process
Salem Benferhat (1), Fabien Autrel (2), and Frederic Cuppens (3)
(1) CRIL CNRS, Universite d'Artois, Rue Jean Souvraz SP 18, F-62307 Lens Cedex, France
(2) ONERA-CERT, 2 Av. E. Belin, 31055 Toulouse Cedex, France
(3) IRIT, 118 route de Narbonne, 31062 Toulouse Cedex, France
benferhat@cril.univ-artois.fr, autrel@cert.fr, cuppens@irit.fr
Abstract. Generally, the intruder must perform several actions, organized in an intrusion scenario, to achieve his or her malicious objective. Actions are represented by their pre and post conditions, which are a set of logical predicates or negations of predicates. Pre conditions of an action correspond to conditions the system's state must satisfy to perform the action. Post conditions correspond to the effects of executing the action on the system's state.

When an intruder begins his intrusion, we can deduce, from the alerts generated by IDSs, several possible scenarios, by correlating attacks, that lead to multiple intrusion objectives. However, with no further analysis, we are not able to decide which are the most plausible ones among those possible scenarios. We propose in this paper to define an order over the possible scenarios by weighting the correlation relations between successive attacks composing the scenarios. These weights reflect to what extent executing some actions is necessary to execute some action B. We will see that, to be satisfactory, the comparison operator between two scenarios must satisfy some properties.
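As an added illustration (this is not code from the paper), the following Python sketch models actions by their pre and post conditions as sets of literals, treats two alerts as correlated when the post conditions of the first satisfy some pre conditions of the second, weights each correlation link, and orders candidate scenarios by those weights. The predicate names, the alert catalogue, the weight formula (the fraction of B's pre conditions that A supplies) and the minimum-based aggregation are constructed assumptions; the paper's own weights and comparison operator are not defined on this page.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# A literal is (predicate, sign): ("responds(H)", False) is the negation of responds(H).
Literal = Tuple[str, bool]


@dataclass(frozen=True)
class Action:
    """An attack step modelled by its pre and post conditions."""
    name: str
    pre: FrozenSet[Literal]   # what the system state must satisfy before the action
    post: FrozenSet[Literal]  # effects of the action on the system state


def lit(*preds: str, neg: bool = False) -> FrozenSet[Literal]:
    """Build a set of literals from predicate strings (all positive, or all negated)."""
    return frozenset((p, not neg) for p in preds)


def correlation(a: Action, b: Action) -> FrozenSet[Literal]:
    """Pre conditions of b that are established by a's post conditions.
    A non-empty result means alert a can be a step that precedes alert b."""
    return a.post & b.pre


def weight(a: Action, b: Action) -> float:
    """Assumed weighting (not the paper's formula): the fraction of b's
    pre conditions that a supplies. 1.0 means a establishes everything b needs;
    0.0 means the two alerts are not correlated."""
    if not b.pre:
        return 0.0
    return len(correlation(a, b)) / len(b.pre)


def scenario_score(steps: List[Action]) -> float:
    """Assumed aggregation (not the paper's operator): a scenario is as
    plausible as its weakest correlation link, i.e. the minimum weight over
    successive pairs. A single alert is trivially a scenario with score 1.0."""
    if len(steps) < 2:
        return 1.0
    return min(weight(x, y) for x, y in zip(steps, steps[1:]))


def rank_scenarios(candidates: List[List[Action]]) -> List[Tuple[float, List[str]]]:
    """Order candidate scenarios from most to least plausible; ties keep input order."""
    scored = [(scenario_score(s), [a.name for a in s]) for s in candidates]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed catalogue of alert types; predicate names are illustrative only.
FLOOD_H = Action("flood(H)", pre=lit(), post=lit("responds(H)", neg=True))
SPOOF_SYN = Action("spoof_syn(H,T)",
                   pre=lit("responds(H)", neg=True) | lit("trusts(T,H)"),
                   post=lit("session(T)"))
REMOTE_CMD = Action("remote_cmd(T)", pre=lit("session(T)"), post=lit("shell(T)"))
PORTSCAN_T = Action("portscan(T)", pre=lit(), post=lit("known_services(T)"))

# Three constructed candidate explanations for one burst of alerts.
CANDIDATES = [
    [FLOOD_H, SPOOF_SYN, REMOTE_CMD],  # flood, then spoofed SYN, then a follow-up step
    [PORTSCAN_T, REMOTE_CMD],          # portscan establishes nothing remote_cmd needs
    [FLOOD_H, REMOTE_CMD],             # flood establishes nothing remote_cmd needs
]

if __name__ == "__main__":
    for score, names in rank_scenarios(CANDIDATES):
        print(f"{score:.2f}  {' -> '.join(names)}")
```

The negated literal matters: flood(H) establishes not responds(H), which is exactly what spoof_syn(H,T) requires, so the link is scored 0.5 (one of its two pre conditions), while a positive responds(H) would not match at all. Note also that with a minimum-based aggregation a two-step scenario can tie with or outrank a longer scenario that contains it, which is the kind of behaviour one has to decide on when choosing a comparison operator between scenarios.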
1 Introduction
The main objective of computer security is to design and develop computer systems that conform to the specification of a security policy. A security policy is a set of rules that specify the authorizations, prohibitions and obligations of agents (including both users and applications) that can access the computer system. An intruder (also called hacker or cracker) might be viewed as a malicious agent that tries to violate the security policy. Thus, an intrusion is informally defined as a deliberate attempt to violate the security policy.

Sometimes the intruder might perform his intrusion by using a single action. For instance, performing a denial of service using the ping of death attack simply requires sending an oversized IP packet. However, more complex intrusions generally require several steps to be performed [9,6,7]. For instance, let us consider the Mitnick attack. There are two steps in this attack. In the first step, the intruder floods a given host H. Then the intruder sends spoofed SYN messages