2 Related Works
Based on the level of involvement required from human security administrators, approaches to detecting attacks on information systems can be classified into three categories: automatic, manual, and semi-automatic. Automatic solutions work without constant monitoring or control by human users, and their output is usually simple: they raise an alert whenever they find something suspicious. It is then the responsibility of the security administrators to investigate the alerts, verify whether they are true, and look for their causes and effects themselves. Popular tools in this category include Snort [1] and Bro [2]. The main advantage of the automatic approach is that it requires the least human effort. However, because its output is so simple, it does not help administrators see the forest for the trees.
At the opposite end, techniques following a manual approach rely on the skills and knowledge of individual human administrators for detecting, analyzing, and understanding attacks. This approach is very limited and costs significant human effort. Moreover, because its effectiveness depends on the individual administrator, it is not considered a serious research topic.
In between, semi-automatic solutions perform some initial information processing, present the results (mostly in visual form) to people, take their interactions as input, and then repeat the processing cycle. The important point here is that the human user is considered an essential component of this approach. It helps administrators understand the security events that occur more clearly, because they have to interact with the system to obtain the results they need. Sometimes the output of automatic IDSs is used as part of the input to these semi-automatic systems and processed to present a high-level view of the overall security status rather than individual alerts [3] [4]. Works that specifically target the web application domain are [5] and [6].
To give administrators a bigger picture of their systems' security status, some works in the network security field propose applying correlation methods to intrusion alerts so as to combine them in a meaningful manner. The first benefit of alert correlation is that it reduces the administrators' examination effort by transforming a large set of individual alerts into a smaller set of related alerts, allowing them to investigate at a higher level. The second benefit is that by grouping alerts together meaningfully, it gives administrators a more comprehensible big picture. Usually, some relationships between alerts are specified in advance, and correlation algorithms use these relationships to group alerts together, as described in the work of Debar and Wespi [7]. In another work, Ning et al. use "prerequisites" and "consequences" to chain alerts together [8]. "Prerequisites" are conditions that must be satisfied for an attack to succeed, and "consequences" are possible outcomes once an attack has been executed successfully; an earlier alert is linked to a later one when a consequence of the former matches a prerequisite of the latter. To show the correlation results more intuitively, the authors display them as directed graphs.
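The prerequisite/consequence chaining just described, as an added example written for this page (it is not code from the original page nor from the authors of [8]): a constructed hyper-alert type library standing in for the rules that must be defined in advance, a set of constructed sample alerts, the "prepares-for" edge computation between earlier and later alerts, grouping of linked alerts into attack scenarios, and Graphviz DOT output for the directed graph. All type names, predicate names and IP addresses are assumptions made for the example.

```python
"""Prerequisite/consequence alert correlation (in the style of Ning et al.).
Added example; type library, predicates and sample alerts are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Predicate = Tuple[str, ...]


@dataclass(frozen=True)
class Alert:
    aid: int      # alert id as assigned by the IDS
    atype: str    # hyper-alert type name (key into HYPER_ALERT_TYPES)
    ts: int       # timestamp in seconds; only the ordering matters here
    src: str
    dst: str


# Hypothetical hyper-alert type library (constructed for this example). These are
# the rules an administrator would have to write in advance. "SRC" and "DST" are
# placeholders filled in from each alert's own attributes.
HYPER_ALERT_TYPES: Dict[str, Dict[str, List[Predicate]]] = {
    "PortScan":      {"prereq": [],                         "conseq": [("ExistsHost", "DST")]},
    "RpcProbe":      {"prereq": [("ExistsHost", "DST")],    "conseq": [("VulnerableRpc", "DST")]},
    "RpcOverflow":   {"prereq": [("VulnerableRpc", "DST")], "conseq": [("RootShell", "DST")]},
    "DaemonInstall": {"prereq": [("RootShell", "DST")],     "conseq": [("AgentInstalled", "DST")]},
    "WebProbe":      {"prereq": [],                         "conseq": []},
}


def _instantiate(preds: List[Predicate], alert: Alert) -> Set[Predicate]:
    """Replace placeholders with the alert's attributes, giving ground predicates."""
    subst = {"SRC": alert.src, "DST": alert.dst}
    return {(p[0],) + tuple(subst.get(arg, arg) for arg in p[1:]) for p in preds}


def prerequisites(alert: Alert) -> Set[Predicate]:
    return _instantiate(HYPER_ALERT_TYPES[alert.atype]["prereq"], alert)


def consequences(alert: Alert) -> Set[Predicate]:
    return _instantiate(HYPER_ALERT_TYPES[alert.atype]["conseq"], alert)


def correlate(alerts: List[Alert]) -> List[Tuple[int, int]]:
    """Return 'prepares-for' edges (earlier_id, later_id): an earlier alert's
    consequence equals a later alert's prerequisite on the same ground terms."""
    edges: List[Tuple[int, int]] = []
    by_time = sorted(alerts, key=lambda a: a.ts)
    for i, earlier in enumerate(by_time):
        cons = consequences(earlier)
        if not cons:
            continue
        for later in by_time[i + 1:]:
            if later.ts > earlier.ts and cons & prerequisites(later):
                edges.append((earlier.aid, later.aid))
    return edges


def scenarios(alerts: List[Alert], edges: List[Tuple[int, int]]) -> List[FrozenSet[int]]:
    """Weakly connected components of the edge set (union-find): each is one
    correlated attack scenario; uncorrelated alerts stay as singletons."""
    parent = {a.aid: a.aid for a in alerts}

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for u, v in edges:
        parent[find(u)] = find(v)
    comps: Dict[int, Set[int]] = defaultdict(set)
    for a in alerts:
        comps[find(a.aid)].add(a.aid)
    return sorted((frozenset(c) for c in comps.values()), key=min)


def unprepared(alerts: List[Alert], edges: List[Tuple[int, int]]) -> List[int]:
    """Alerts that have prerequisites but no earlier alert satisfying them:
    either a false positive or an earlier attack step the sensors missed."""
    has_incoming = {v for _, v in edges}
    return [a.aid for a in alerts if prerequisites(a) and a.aid not in has_incoming]


def to_dot(alerts: List[Alert], edges: List[Tuple[int, int]]) -> str:
    """Directed scenario graph in Graphviz DOT, one node per alert."""
    lines = ["digraph scenarios {"]
    for a in sorted(alerts, key=lambda a: a.aid):
        lines.append(f'  {a.aid} [label="{a.aid}: {a.atype}\\n{a.src} -> {a.dst}"];')
    lines += [f"  {u} -> {v};" for u, v in edges]
    lines.append("}")
    return "\n".join(lines)


# Constructed sample alerts: a four-step chain against 10.0.0.9, an unrelated
# web probe, and an overflow alert against 10.0.0.21 with no preceding probe.
SAMPLE_ALERTS = [
    Alert(1, "PortScan",      100, "203.0.113.7",  "10.0.0.9"),
    Alert(2, "RpcProbe",      120, "203.0.113.7",  "10.0.0.9"),
    Alert(5, "WebProbe",      130, "198.51.100.3", "10.0.0.20"),
    Alert(3, "RpcOverflow",   150, "203.0.113.7",  "10.0.0.9"),
    Alert(6, "RpcOverflow",   160, "203.0.113.7",  "10.0.0.21"),
    Alert(4, "DaemonInstall", 200, "10.0.0.9",     "10.0.0.9"),
]

if __name__ == "__main__":
    e = correlate(SAMPLE_ALERTS)
    print("edges:", e)
    print("scenarios:", scenarios(SAMPLE_ALERTS, e))
    print("unprepared:", unprepared(SAMPLE_ALERTS, e))
    print(to_dot(SAMPLE_ALERTS, e))
```

Running it links alerts 1, 2, 3 and 4 into one scenario, leaves the web probe on its own, and reports alert 6 as unprepared: its prerequisite (a known-vulnerable RPC service on 10.0.0.21) was never established by an earlier alert, which is exactly the case an administrator would want to look at rather than have silently dropped. The hand-written HYPER_ALERT_TYPES dictionary is the predefined knowledge such a scheme depends on, and every new alert type the sensors can emit needs an entry before it can be chained.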
A common requirement of the correlation techniques used in [7] and [8] is that the rules used to combine alerts must be defined in advance by the security administrators. Satisfying this requirement for medium to large information systems is a