To solve the problem of the aleri flooding and information semantics in theexisting Intrusion Detection Sys-tem(IDS), we present a two-stage algorithm for correlating thealerts. In the first stage- the high-level aler...To solve the problem of the aleri flooding and information semantics in theexisting Intrusion Detection Sys-tem(IDS), we present a two-stage algorithm for correlating thealerts. In the first stage- the high-level alerts is integrated by using the Chronicle patternsbased on time intervals, which describe and match the alerts with the temporal time constrains of aninput sequence. In the second stage, the preparing relationship between the high-level alerts isdefined, which is applied to eorrtlatethe high-level alerts, and the attack scenario is constructedby drawing the attack graph. In the end a given example show? the performances of this two-stagecorrelation algorithm in decreasing the number and improving the information semantic of theintrusion alerts produced by the IDS.展开更多
Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the sim...Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the similar sub-attacks,and then correlates and generates correlation graphs.The scenarios wererepresented by alert classes instead of alerts themselves so as to reduce the required rules and have the a-bility of detecting new variations of attacks.The proposed system is capable of passing some of the missedattacks.To evaluate system effectiveness,it was tested with different datasets which contain multi-stepattacks.Compressed and easily understandable Correlation graphs which reflect attack scenarios were gen-erated.The proposed system can correlate related alerts,uncover the attack strategies,and detect newvariations of attacks.展开更多
文摘To solve the problem of the aleri flooding and information semantics in theexisting Intrusion Detection Sys-tem(IDS), we present a two-stage algorithm for correlating thealerts. In the first stage- the high-level alerts is integrated by using the Chronicle patternsbased on time intervals, which describe and match the alerts with the temporal time constrains of aninput sequence. In the second stage, the preparing relationship between the high-level alerts isdefined, which is applied to eorrtlatethe high-level alerts, and the attack scenario is constructedby drawing the attack graph. In the end a given example show? the performances of this two-stagecorrelation algorithm in decreasing the number and improving the information semantic of theintrusion alerts produced by the IDS.
基金the National High Technology Research and Development Programme of China(2006AA01Z452)
文摘Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the similar sub-attacks,and then correlates and generates correlation graphs.The scenarios wererepresented by alert classes instead of alerts themselves so as to reduce the required rules and have the a-bility of detecting new variations of attacks.The proposed system is capable of passing some of the missedattacks.To evaluate system effectiveness,it was tested with different datasets which contain multi-stepattacks.Compressed and easily understandable Correlation graphs which reflect attack scenarios were gen-erated.The proposed system can correlate related alerts,uncover the attack strategies,and detect newvariations of attacks.