Dr. Peng Ning  


Intrusion Alert Correlation
Using Prerequisites and Consequences of Intrusions



People

Faculty

Current Students

  • Yan Zhai (PhD)

Past Students

  • Yun Cui (MS)
  • Yiquan Hu (MS)
  • Jaideep Mahalati (MS)
  • Alfredo Serrano (MS)
  • Dingbang Xu (PhD)

Project Summary

Intrusion detection has been studied for about twenty years, since Anderson's report. However, intrusion detection techniques are still far from perfect. Current intrusion detection systems (IDSs) usually generate a large number of false alerts and cannot fully detect novel attacks or variations of known attacks. In addition, existing IDSs focus on low-level attacks or anomalies; none of them can capture the logical steps or strategies behind these attacks. Consequently, IDSs usually generate a large number of alerts. In situations with intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the volume of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and take appropriate actions.

In this project, we seek a novel approach to address these issues. The proposed technique is based on the observation that most intrusions are not isolated but are related as different stages of attack sequences, with the early stages preparing for the later ones. In other words, there are often logical steps or strategies behind a series of attacks. The proposed approach correlates alerts using the prerequisites of intrusions. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful. For example, the existence of a vulnerable service is the prerequisite of a remote buffer overflow attack against that service. The proposed approach identifies the prerequisite (e.g., the existence of a vulnerable service) and the consequence of each type of attack, and correlates the corresponding alerts by matching the consequence of some earlier alerts with the prerequisite of some later ones. The proposed approach has several advantages. First, it provides a high-level representation of the correlated alerts, and thus reveals the structure of a series of attacks. Second, it can reduce the impact of false alerts by keeping only correlated alerts. Third, it can potentially be applied to predict attacks in progress, allowing intrusion response systems to take appropriate actions to stop on-going attacks. Similarly, it can potentially be applied to identify attacks possibly missed by the IDSs, and thus help human users further investigate and improve the underlying IDSs.
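The following is an added illustration of the consequence-to-prerequisite matching described above; it is not the project's own toolkit code, and the hyper-alert types, predicate names and sample alerts are constructed for the example.

```python
"""Prerequisite/consequence alert correlation (added illustration, not the project's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HyperAlertType:
    name: str
    prerequisite: frozenset  # predicates that must hold before the attack, e.g. ("ExistService", "DestIP", "DestPort")
    consequence: frozenset   # predicates that become true once the attack succeeds


@dataclass
class HyperAlert:
    hid: int
    htype: HyperAlertType
    attrs: dict     # alert attributes reported by the IDS
    begin: float    # begin/end timestamps of the alert
    end: float

    def instantiate(self, predicates):
        # Bind each predicate's variables to this alert's attribute values.
        return {(p[0],) + tuple(self.attrs[v] for v in p[1:]) for p in predicates}


def prepares_for(a, b):
    """a prepares for b if a instantiated consequence of a matches an instantiated prerequisite of b
    and a finished before b started."""
    return a.end < b.begin and bool(a.instantiate(a.htype.consequence) & b.instantiate(b.htype.prerequisite))


def correlate(alerts):
    """Edges (earlier_id, later_id) of the hyper-alert correlation graph."""
    return sorted((a.hid, b.hid) for a in alerts for b in alerts if a is not b and prepares_for(a, b))


def correlated_ids(alerts):
    """Alerts that take part in at least one prepare-for relation; isolated alerts are dropped."""
    return {hid for edge in correlate(alerts) for hid in edge}


# Constructed hyper-alert types (assumed names, not the project's definitions).
PROBE = HyperAlertType("ServiceProbe", frozenset({("ExistHost", "DestIP")}), frozenset({("ExistService", "DestIP", "DestPort")}))
OVERFLOW = HyperAlertType("RemoteOverflow", frozenset({("ExistService", "DestIP", "DestPort")}), frozenset({("SystemCompromised", "DestIP")}))
INSTALL = HyperAlertType("DaemonInstall", frozenset({("SystemCompromised", "DestIP")}), frozenset({("ReadyForDDoS", "DestIP")}))

# Constructed alert stream: alerts 1-3 form one attack sequence; alert 4 hits a host no earlier alert prepared.
SAMPLE_ALERTS = [
    HyperAlert(1, PROBE, {"DestIP": "10.0.0.5", "DestPort": 111}, 1.0, 1.0),
    HyperAlert(2, OVERFLOW, {"DestIP": "10.0.0.5", "DestPort": 111}, 5.0, 5.0),
    HyperAlert(3, INSTALL, {"DestIP": "10.0.0.5"}, 9.0, 9.0),
    HyperAlert(4, OVERFLOW, {"DestIP": "10.0.0.9", "DestPort": 111}, 6.0, 6.0),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_ALERTS), correlated_ids(SAMPLE_ALERTS))
```

Running it yields the edges (1, 2) and (2, 3), i.e. probe prepares for overflow, which prepares for the daemon install, while alert 4 stays isolated and is filtered out as a candidate false alert.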

Related Software

Related Publications

  1. Dingbang Xu, Peng Ning, "A Flexible Approach to Intrusion Alert Anonymization and Correlation," to appear in Proceedings of the 2nd IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks (SecureComm 2006), August 2006.
  2. Dingbang Xu, Peng Ning, "Privacy-Preserving Alert Correlation: A Concept Hierarchy Based Approach," in Proceedings of the 21st Annual Computer Security Applications Conference, pages 489--498, December 2005.
  3. Peng Ning, Dingbang Xu, "Hypothesizing and Reasoning about Attacks Missed by Intrusion Detection Systems," ACM Transactions on Information and System Security (TISSEC), Vol. 7, No. 4, pages 591--627, November 2004.
  4. Yan Zhai, Peng Ning, Purush Iyer, Douglas S. Reeves, "Reasoning about Complementary Intrusion Evidence," to appear in Proceedings of the 20th Annual Computer Security Applications Conference, December 2004.
  5. Dingbang Xu, Peng Ning, "Alert Correlation through Triggering Events and Common Resources," to appear in Proceedings of the 20th Annual Computer Security Applications Conference, December 2004.
  6. Peng Ning, Yun Cui, Douglas Reeves, and Dingbang Xu, "Tools and Techniques for Analyzing Intrusion Alerts," ACM Transactions on Information and System Security, Vol. 7, No. 2, pages 273--318, May 2004.
  7. Peng Ning, Dingbang Xu, Christopher G. Healey, and Robert A. St. Amant, "Building Attack Scenarios through Integration of Complementary Alert Correlation Methods," in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS '04), pages 97--111, February 2004.
  8. Yiquan Hu, "TIAA: A Toolkit for Intrusion Alert Analysis," MS Thesis, North Carolina State University, December 2003.
  9. Peng Ning, Dingbang Xu, "Learning Attack Strategies from Intrusion Alerts," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pages 200--209, Washington D.C., October 2003.
  10. Peng Ning, Yun Cui, Douglas S. Reeves, and Dingbang Xu, "Towards Automating Intrusion Alert Analysis," in 2003 Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, September 2003. (Invited paper that summarizes our previous work on intrusion alert analysis.)
  11. Peng Ning, Dingbang Xu, "Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation," to appear in Proceedings of the 17th IFIP WG 11.3 Working Conference on Data and Application Security, August 2003.
  12. Peng Ning, Kun Sun, "How to Misuse AODV: A Case Study of Insider Attacks against Mobile Ad-hoc Routing Protocols," in Proceedings of the 4th Annual IEEE Information Assurance Workshop, pages 60--67, West Point, June 2003.
  13. Alfredo Serrano, "Integrating Alerts from Multiple Homogeneous Intrusion Detection Systems," MS Thesis, North Carolina State University, May 2003.
  14. Yun Cui, "A Toolkit for Intrusion Alerts Correlation Based on Prerequisites and Consequences of Attacks," MS Thesis, North Carolina State University, December 2002.
  15. Peng Ning, Yun Cui, Douglas S. Reeves, "Constructing Attack Scenarios through Correlation of Intrusion Alerts," in Proceedings of the 9th ACM Conference on Computer & Communications Security, pages 245--254, Washington D.C., November 2002. (Full Version) (Acceptance ratio: 27/153)
  16. Peng Ning, Yun Cui, Douglas S. Reeves, "Analyzing Intensive Intrusion Alerts Via Correlation," in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), LNCS 2516, pages 74--94, Zurich, Switzerland, October 2002. (Acceptance ratio: 16/64)

Sponsors


© 2002 Peng Ning. Last Updated 07/09/2006.