corresponding to H's address to establish a TCP connection with a given server S.
When S sends a SYN-ACK message, H would normally send a RESET message
to close the connection. But this is not possible since H is flooded. This enables
the intruder to send an ACK message and illegally open a connection with S. Notice
also that opening a TCP connection with S is probably not the intruder's
final objective. It is likely that the intruder will then attempt to gain access to
S, for instance by performing an rlogin. This means that the Mitnick attack
actually represents the preliminary steps of a more global intrusion. In the following,
we shall call an intrusion scenario the complete sequence of actions that enables
the intruder to achieve his intrusion objective.
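As an added illustration (example code written for this page, not taken from [1,2] or from the original paper), the following Python model replays the handshake described above with three parties: the server S, the trusted host H whose address is spoofed, and the intruder. The flag `flood_first` decides whether H has been flooded before the spoofed SYN is sent. The model assumes the intruder already knows the sequence number S will use, so that the forged ACK is accepted; the real attack also has to predict that number, which the text above does not discuss.

```python
"""Toy model of the TCP handshake in the Mitnick scenario.

S answers a SYN by sending a SYN-ACK to the *claimed* source address.  If that
host (H) is alive and did not initiate the connection, it answers with a RESET
and S drops the half-open connection; if H is flooded the SYN-ACK is simply
lost and the intruder can complete the handshake with a forged ACK.
Sequence-number prediction is abstracted away: the intruder is assumed to know
S's initial sequence number (ISN).  All values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    flooded: bool = False                     # True once the SYN flood silenced H
    initiated: dict = field(default_factory=dict)   # peer -> seq of our own SYNs

    def handle_syn_ack(self, server: "Server", ack: int) -> str:
        """Reaction of the spoofed host H to a SYN-ACK coming from S."""
        if self.flooded:
            return "dropped"                  # backlog full: segment never processed
        if server.name not in self.initiated:
            server.handle_rst(self.name)      # unexpected SYN-ACK -> RESET
            return "rst"
        return "ack"                          # a genuine connection H opened itself


@dataclass
class Server:
    name: str
    isn: int = 1000                           # ISN S will use; assumed known to the intruder
    half_open: dict = field(default_factory=dict)   # client -> server seq
    established: set = field(default_factory=set)

    def handle_syn(self, src: str, hosts: dict) -> None:
        """Record a half-open connection and send SYN-ACK to the claimed source."""
        self.half_open[src] = self.isn
        hosts[src].handle_syn_ack(self, self.isn + 1)

    def handle_rst(self, src: str) -> None:
        self.half_open.pop(src, None)

    def handle_ack(self, src: str, ack: int) -> bool:
        """Third handshake step: accepted only if a half-open entry matches."""
        if src in self.half_open and ack == self.half_open[src] + 1:
            del self.half_open[src]
            self.established.add(src)
            return True
        return False


def mitnick(flood_first: bool) -> bool:
    """Return True if the intruder's spoofed connection to S gets established."""
    h = Host("H", flooded=flood_first)
    s = Server("S")
    hosts = {"H": h}
    s.handle_syn("H", hosts)                  # spoofed SYN, source address = H
    return s.handle_ack("H", s.isn + 1)       # forged ACK, source address = H


if __name__ == "__main__":
    print("H flooded   ->", mitnick(True))    # connection opens
    print("H alive     ->", mitnick(False))   # H's RESET tears it down
```

The two runs isolate the point made in the text: the only difference between success and failure is whether H is able to answer the SYN-ACK with a RESET.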
In [1,2] a notion of attack correlation, which allows the various steps
of an intrusion scenario to be recognized, has been defined. Then an approach, based on attack
correlation, which recognizes whether a sequence of correlated actions can lead to an
intrusion objective (malicious intention recognition), has been developed. This
approach allows a set of possible scenario instances compatible with the
observations generated by IDSs to be built.
The approach proposed in [1,2] is not satisfactory. Indeed, the number of
possible scenarios can be high, and no additional information is provided to the
system administrator to distinguish the most plausible scenarios from
the less plausible ones.
This paper proposes a new approach to alert correlation which allows us to rank-order
the different possible scenarios. We first enrich the representation of actions by
also considering the detection time of each action. We distinguish two kinds of
influence relations between two actions:
- positive influence relation, where the realisation of an action A may lead to
the realisation of an action B;
- negative influence relation, where the realisation of action A blocks the
realisation of B.
Then, we associate with each action A a weight which represents the plausibility
of realisation of action A, given the fact that some actions (which may directly
influence A) have been achieved. These weights will allow us to compare and
rank-order the different scenarios.
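As an added illustration (example code written for this page; the weighting actually defined in Section 4 of the paper is not reproduced here and may differ), the following Python fragment gives one concrete reading of the notions just introduced: each detected action carries a detection time, positive influence relations carry an assumed plausibility weight, negative influence relations block an action, and candidate scenarios ending at a given objective are rank-ordered. All action names, detection times and weights are constructed for the Mitnick scenario and are not taken from [1,2].

```python
"""One possible instantiation of weighted scenario ranking (illustrative).

A scenario is a chain of detected actions ending at the intrusion objective.
A step A -> B is valid if (A, B) is a positive influence relation and A was
detected before B.  The chain's weight is the product of its step weights, and
it drops to 0 as soon as one of its actions is blocked, i.e. some action X with
(X, action) in the negative relation was detected before it.
"""
from itertools import permutations
from typing import Dict, List, Set, Tuple

Action = str

# Constructed IDS observations: action -> detection time (seconds).
observed: Dict[Action, int] = {
    "syn_flood_H": 10,
    "spoofed_syn_S": 25,
    "spoofed_ack_S": 26,
    "rlogin_S": 40,
}
# Same observations plus a RESET from H seen *before* the forged ACK.
observed_with_reset: Dict[Action, int] = dict(observed, reset_from_H=20)

# Positive influence: realising A may lead to B, with an assumed weight in (0, 1].
positive: Dict[Tuple[Action, Action], float] = {
    ("syn_flood_H", "spoofed_syn_S"): 0.9,
    ("spoofed_syn_S", "spoofed_ack_S"): 0.8,
    ("spoofed_ack_S", "rlogin_S"): 0.7,
    ("spoofed_syn_S", "rlogin_S"): 0.2,   # reaching rlogin without the ACK step: unlikely
}
# Negative influence: realising A blocks B (H's RESET kills the half-open connection).
negative: Set[Tuple[Action, Action]] = {("reset_from_H", "spoofed_ack_S")}


def blocked(action: Action, detected: Dict[Action, int]) -> bool:
    """True if a blocking action was detected before `action`."""
    return any((x, action) in negative and detected[x] < detected[action]
               for x in detected)


def plausibility(scenario: List[Action], detected: Dict[Action, int]) -> float:
    """Weight of one candidate scenario; 0.0 if it is not a valid chain."""
    if any(blocked(a, detected) for a in scenario):
        return 0.0
    weight = 1.0
    for a, b in zip(scenario, scenario[1:]):
        if (a, b) not in positive or detected[a] >= detected[b]:
            return 0.0
        weight *= positive[(a, b)]
    return weight


def rank_scenarios(detected: Dict[Action, int],
                   objective: Action) -> List[Tuple[float, List[Action]]]:
    """All chains of detected actions ending at `objective`, most plausible first."""
    others = [a for a in detected if a != objective]
    ranked = []
    for n in range(1, len(others) + 1):
        for prefix in permutations(others, n):
            scenario = list(prefix) + [objective]
            w = plausibility(scenario, detected)
            if w > 0:
                ranked.append((w, scenario))
    ranked.sort(key=lambda t: -t[0])
    return ranked


if __name__ == "__main__":
    for label, obs in (("no reset", observed), ("reset seen", observed_with_reset)):
        print(label)
        for w, sc in rank_scenarios(obs, "rlogin_S"):
            print(f"  {w:.3f}  {' -> '.join(sc)}")
```

Two caveats a reader should keep in mind. Because the weight of a chain is a product of step weights, a chain never outranks its own suffix (the four-step Mitnick chain scores 0.504 while the two-step `spoofed_ack_S -> rlogin_S` scores 0.7), so this rule only orders explanations of comparable length; other combination rules are possible. And the negative relation is applied purely on detection order: once `reset_from_H` is seen before `spoofed_ack_S`, every scenario passing through the forged ACK is discarded, which is exactly the kind of pruning the text motivates.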
The rest of this paper is organized as follows. Section 2 introduces the
representation of actions and scenarios. These representations are simple extensions
of those used in [1], taking into account the notion of detection time. Section
3 presents an example and illustrates the need for defining methods to limit
the number of possible scenarios. Section 4 presents the weighted correlation
approach.
2 Modelling the Intrusion
In order to model the intrusion process, we extend the material defined in [1].
We consider that the intruder can use a set of actions to achieve his intrusion
objective; more precisely, he must find a subset of actions that allows him to