- Name(Param_1, Param_2, ..., Param_n): a functional expression representing the name of the objective and its parameters
- StateCondition: a conjunction of predicates that the system's state satisfies when the objective is reached.
For example, the intrusion objective DOS on DNS(Host) is reached when the two following predicates are satisfied: dns_server(Host) and dos(Host). They signify respectively that Host is a DNS server and that Host is not available. Fig. 2 shows another example of intrusion objective modelling. The intrusion objective illegal_file_access is achieved when an agent obtains read access to a file while not being authorized to do so.
Intrusion Objective illegal_file_access(File)
  State Condition: read_access(Agent, File),
                   not(authorized(Agent, read, File))

Fig. 2. Illegal file access intrusion objective
2.3 Representing Domain Knowledge or System's State
Domain knowledge or system's state, denoted by K, contains the available information about the system. It is represented by a set of predicates. For instance, domain knowledge K can be equal to {file(secret_file), printer(ppt), physical_access(bad_guy, ppt)}, which means that secret_file is a file, ppt is a printer and that the agent bad_guy has access to the printer ppt.
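As an added example (not code from the paper or its authors), the following Python evaluator implements the notation of Sections 2.2 and 2.3: a state condition is parsed as a conjunction of literals, each a predicate p(t_1, ..., t_n) or its negation not(p(...)), and is checked against a knowledge base K given as a set of ground facts. Capitalised terms are treated as variables and lower-case terms as constants (the Prolog convention the paper's examples follow); negation is evaluated under a closed-world assumption (a fact absent from K is taken to be false), which is an assumption of this example, not something the paper states. The facts in sample_knowledge() beyond the paper's three are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Literal:
    """A predicate application p(t1,...,tn), optionally negated."""
    pred: str
    args: tuple
    negated: bool = False


def parse_literal(text):
    """Parse 'p(a, B)' or 'not(p(a, B))' into a Literal."""
    text = text.strip()
    negated = False
    if text.startswith("not(") and text.endswith(")"):
        negated, text = True, text[4:-1].strip()
    m = re.fullmatch(r"([A-Za-z_]\w*)\s*\(([^()]*)\)", text)
    if not m:
        raise ValueError(f"bad literal: {text!r}")
    args = tuple(a.strip() for a in m.group(2).split(",") if a.strip())
    return Literal(m.group(1), args, negated)


def parse_condition(text):
    """Split a conjunction 'l1, l2, ..., ln' into literals (no disjunctions,
    matching the restriction stated in the paper's footnote)."""
    parts, depth, cur = [], 0, ""
    for ch in text:  # split on commas that are not inside parentheses
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [parse_literal(p) for p in parts if p.strip()]


def is_var(term):
    # Assumption: capitalised terms are variables, others are constants.
    return term[0].isupper()


def unify(args, fact_args, binding):
    """Extend `binding` so that `args` match the ground `fact_args`, or return None."""
    if len(args) != len(fact_args):
        return None
    b = dict(binding)
    for a, f in zip(args, fact_args):
        if is_var(a):
            if a in b and b[a] != f:
                return None
            b[a] = f
        elif a != f:
            return None
    return b


def satisfy(literals, K, binding=None):
    """Yield every variable binding under which the conjunction holds in K."""
    binding = binding or {}
    if not literals:
        yield binding
        return
    lit, rest = literals[0], literals[1:]
    if not lit.negated:
        for fact in K:
            if fact.pred == lit.pred:
                b = unify(lit.args, fact.args, binding)
                if b is not None:
                    yield from satisfy(rest, K, b)
    else:
        # Closed world: not(p) holds iff no fact in K matches p under the
        # current binding. Put positive literals first so variables are bound.
        if not any(fact.pred == lit.pred and unify(lit.args, fact.args, binding) is not None
                   for fact in K):
            yield from satisfy(rest, K, binding)


@dataclass
class IntrusionObjective:
    name: str
    params: tuple
    state_condition: list  # conjunction of Literal

    def reached(self, K):
        """All bindings under which the objective's state condition holds in K."""
        return [dict(b) for b in satisfy(self.state_condition, K, {})]


def sample_knowledge():
    """Constructed K: the paper's three facts plus illustrative extra facts."""
    facts = ["file(secret_file)", "printer(ppt)", "physical_access(bad_guy, ppt)",
             "read_access(bad_guy, secret_file)", "read_access(admin, secret_file)",
             "authorized(admin, read, secret_file)",
             "dns_server(ns1)", "dos(ns1)", "dns_server(ns2)"]
    return {parse_literal(f) for f in facts}


ILLEGAL_FILE_ACCESS = IntrusionObjective(
    "illegal_file_access", ("File",),
    parse_condition("read_access(Agent, File), not(authorized(Agent, read, File))"))
DOS_ON_DNS = IntrusionObjective(
    "dos_on_dns", ("Host",), parse_condition("dns_server(Host), dos(Host)"))

if __name__ == "__main__":
    K = sample_knowledge()
    for obj in (ILLEGAL_FILE_ACCESS, DOS_ON_DNS):
        print(obj.name, "reached for", obj.reached(K))
```

Only bad_guy's access to secret_file is reported, since admin holds a matching authorized fact; the DNS objective is reached for ns1 only, because ns2 has no dos fact in K.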
2.4 Action Correlations
For the intruder, once the intrusion scenario and the intrusion objective have been defined, the set of actions necessary to achieve the goal is defined and fixed. From the intrusion detection point of view, we must find, among a large volume of intrusion alerts, the set of alerts that lead to an intrusion objective. For this purpose we define action correlation. Action correlation allows us to say that if an action A is correlated with an action B, then A may have an influence on the realisation of B.
Let E and F be two logical expressions having the following form (1):
- E = expr_E_1, expr_E_2, ..., expr_E_m
- F = expr_F_1, expr_F_2, ..., expr_F_n
where each expr_E_i (resp. expr_F_i) is either a predicate or the negation of a predicate, namely expr_E_i (resp. expr_F_i) must have one of the following forms:

(1) Notice that we assume that these two expressions do not include disjunctions. This is a restriction used to simplify the definitions of correlation. Generalising the correlation definitions to take disjunctions into account represents further work that remains to be done.