- Yun Cui (MS)
- Yiquan Hu (MS)
- Jaideep Mahalati (MS)
- Alfredo Serrano (MS)
- Dingbang Xu (PhD)
Intrusion detection has been studied for about twenty years since
Anderson's report. However, intrusion detection techniques are still far
from perfect. Current intrusion detection systems (IDSs) usually generate
a large number of false alerts and cannot fully detect novel attacks or
variations of known attacks. In addition, all the existing IDSs focus
on low-level attacks or anomalies; none of them can capture the logical
steps or strategies behind these attacks. Consequently, the IDSs usually
generate a large number of alerts. In situations where there are intensive
intrusive actions, not only will actual alerts be mixed with false alerts,
but the number of alerts will also become unmanageable. As a result, it
is difficult for human users or intrusion response systems to understand
the intrusions behind the alerts and take appropriate actions.
In this project, we seek a novel approach to address these issues. The
proposed technique is based on the observation that most intrusions are
not isolated but related as different stages of attack sequences, with
the early stages preparing for the later ones. In other words, there
are often logical steps or strategies behind a series of attacks. The proposed
approach correlates alerts using prerequisites of intrusions. Intuitively,
the prerequisite of an intrusion is the necessary condition for the intrusion
to be successful. For example, the existence of a vulnerable service is
the prerequisite of a remote buffer overflow attack against the service.
The proposed approach identifies the prerequisite (e.g., existence of
vulnerable services) and the consequence of each type of attack, and
correlates the corresponding alerts by matching the consequence of some
previous alerts with the prerequisite of some later ones. The proposed
approach has several advantages. First, it provides a high-level representation
of the correlated alerts, and thus reveals the structure of a series of
attacks. Second, it can reduce the impact of false alerts by keeping only
correlated alerts. Third, it can potentially be applied to predict attacks
in progress, and allows the intrusion response systems to take appropriate
actions to stop the ongoing attacks. Similarly, it can potentially be
applied to identify attacks possibly missed by the IDSs, and thus help
human users to further investigate and improve the underlying IDSs.
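The prerequisite/consequence matching described above, as an added example that is not the project's own toolkit code: the hyper-alert types, attribute names (`dst`, `port`) and sample alerts are constructed for illustration, and integer timestamps stand in for detection times.

```python
from dataclasses import dataclass

@dataclass
class HyperAlertType:
    """Attack type with prerequisite and consequence predicate templates.
    A template is (predicate_name, attr_name, ...); attr_names are bound per alert."""
    name: str
    prerequisites: list
    consequences: list

@dataclass
class Alert:
    id: int
    atype: HyperAlertType
    attrs: dict
    begin: int  # constructed integer timestamps for the detection window
    end: int

def instantiate(template, attrs):
    """Bind a template's attribute names to this alert's attribute values."""
    name, *arg_names = template
    return (name,) + tuple(attrs[a] for a in arg_names)

def correlate(alerts):
    """Edge (a.id, b.id) when a consequence of a equals a prerequisite of b
    and a finished before b began, i.e. a 'prepares for' b."""
    edges = []
    for a in alerts:
        cons = {instantiate(t, a.attrs) for t in a.atype.consequences}
        for b in alerts:
            if a.end < b.begin:
                pre = {instantiate(t, b.attrs) for t in b.atype.prerequisites}
                if cons & pre:
                    edges.append((a.id, b.id))
    return edges

def isolated(alerts, edges):
    """Alerts on no edge: candidates to set aside (or review) as likely false alerts."""
    linked = {i for e in edges for i in e}
    return sorted(a.id for a in alerts if a.id not in linked)

# Constructed hyper-alert types and sample alerts (not real IDS output).
SCAN = HyperAlertType("PortScan", [], [("ExistService", "dst", "port")])
BOF = HyperAlertType("FTPBufferOverflow", [("ExistService", "dst", "port")], [("GainAccess", "dst")])
INSTALL = HyperAlertType("DaemonInstall", [("GainAccess", "dst")], [])
SAMPLE = [
    Alert(1, SCAN, {"dst": "10.0.0.5", "port": 21}, 1, 2),
    Alert(2, BOF, {"dst": "10.0.0.5", "port": 21}, 5, 5),
    Alert(3, INSTALL, {"dst": "10.0.0.5"}, 9, 9),
    Alert(4, BOF, {"dst": "10.0.0.9", "port": 21}, 6, 6),  # nothing prepared for it
]

if __name__ == "__main__":
    e = correlate(SAMPLE)
    print("edges:", e, "isolated:", isolated(SAMPLE, e))  # edges: [(1, 2), (2, 3)] isolated: [4]
```

Alert 4 reports the same overflow signature as alert 2 but nothing prepared for it and nothing follows from it, so it drops out of the correlated scenario while alerts 1, 2 and 3 form the scan, exploit, install chain.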
- Dingbang Xu, Peng Ning, "A Flexible Approach to Intrusion Alert Anonymization and Correlation," To appear in Proceedings of 2nd IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks (SecureComm 2006), August 2006.
- Dingbang Xu, Peng Ning, "Privacy-Preserving Alert Correlation: A Concept Hierarchy Based Approach," in Proceedings of the 21st Annual Computer Security Applications Conference, pages 489-498, December 2005.
- Peng Ning, Dingbang Xu, "Hypothesizing and Reasoning about Attacks Missed by Intrusion Detection Systems," ACM Transactions on Information and System Security (TISSEC), Vol. 7, No. 4, pages 591--627, November 2004.
- Yan Zhai, Peng Ning, Purush Iyer, Douglas S. Reeves, "Reasoning about Complementary Intrusion Evidence," To appear in Proceedings of 20th Annual Computer Security Applications Conference , December 2004.
- Dingbang Xu, Peng Ning, "Alert Correlation through Triggering Events and Common Resources," To appear in Proceedings of 20th Annual Computer Security Applications Conference, December 2004.
- Peng Ning, Yun Cui, Douglas Reeves, and Dingbang Xu, "Tools and Techniques for Analyzing Intrusion Alerts," in ACM Transactions on Information and System Security, Vol. 7, No. 2, pages 273--318, May 2004.
- Peng Ning, Dingbang Xu, Christopher G. Healey, and Robert A. St. Attack Scenarios through Integration of Complementary Alert Correlation Methods," in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS '04), pages 97--111,
- Yiquan Hu, "TIAA: A Toolkit for Intrusion Alert Analysis," MS Thesis, North Carolina State University, December 2003.
- Peng Ning, Dingbang Xu, "Learning Attack Strategies from Intrusion Alerts," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pages 200--209, Washington D.C., October 2003.
- Peng Ning, Yun Cui, Douglas S. Reeves, and Dingbang Xu, "Towards Automating Intrusion Alert Analysis," in 2003 Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, September 2003. (Invited paper that summarizes our previous work on intrusion alert analysis.)
- Peng Ning, Dingbang Xu, "Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation," in Proceedings of the 17th IFIP WG 11.3 Working Conference on Data and Application Security (to appear), August 2003.
- Peng Ning, Kun Sun, "How to Misuse AODV: A Case Study of Insider Attacks against Mobile Ad-hoc Routing Protocols," in Proceedings of the 4th Annual IEEE Information Assurance Workshop, pages 60--67, West Point, June 2003.
- Alfredo Serrano, "Integrating Alerts from Multiple Homogeneous Intrusion Detection Systems," MS Thesis, North Carolina State University, May 2003.
- Yun Cui, "A Toolkit for Intrusion Alerts Correlation Based on Prerequisites and Consequences of Attacks," MS Thesis, North Carolina State University,
- Peng Ning, Yun Cui, Douglas S. Reeves, "Constructing Attack Scenarios through Correlation of Intrusion Alerts," in Proceedings of the 9th ACM Conference on Computer & Communications Security, pages 245--254, Washington D.C., November 2002. (Full Version) (Acceptance ratio: 27/153)
- Peng Ning, Yun Cui, Douglas S. Reeves, "Analyzing Intensive Intrusion Alerts Via Correlation," in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), LNCS 2516, pages 74--94, Zurich, Switzerland, October 2002. (Acceptance ratio:
© 2002 Peng Ning. Last Updated