Scenario Discovery Using Abstracted Correlation Graph

S. Al-Mamory, Hongli Zhang
Published in: 2007 International Conference on Computational Intelligence and Security (CIS 2007), 15 December 2007
DOI: 10.1109/CIS.2007.21 (https://doi.org/10.1109/CIS.2007.21)
Citations: 12

Safaa O. Al-Mamory and Hong Li Zhang, School of Computer Science, Harbin Institute of Technology, Harbin, China (Safaa_vb@yahoo.com, zhl@pact518.hit.edu.cn)

Abstract

Intrusion alert correlation techniques group alerts into meaningful clusters or attack scenarios so that human analysts can understand them more easily. These correlation techniques have different strengths and limitations; however, all of them depend heavily on the underlying network intrusion detection systems (NIDSs) and perform poorly when the NIDSs miss critical attacks. In this paper, we propose a system that represents a set of alerts as subattacks, then correlates these subattacks and generates abstracted correlation graphs (CGs) that reflect attack scenarios. It also represents attack scenarios by classes of alerts rather than by individual alerts, which reduces the number of rules required and allows new variations of attacks to be detected. The experiments were conducted using Snort as the NIDS on different datasets containing multistep attacks. The resulting CGs show that our method can correlate related alerts, uncover attack strategies, and detect new variations of attacks.