Cyber Defense Laboratory


TIAA: A Toolkit for Intrusion Alert Analysis

Introduction

This tool is designed to facilitate the interactive analysis of alerts reported by intrusion detection systems (IDSs). It started as a prototype system we developed to validate our method of correlating intrusion alerts based on the prerequisites and consequences of known attacks (see our paper in CCS '02). It has since served as a platform for testing and validating our intrusion analysis techniques. We would also like to turn these techniques into a practical tool that supports intrusion analysis in real-world settings.

TIAA is written in Java. The current version is an offline tool that interacts with a DBMS.
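The prerequisite/consequence correlation described above, reduced to a small model as an added illustration (this is not TIAA's own code): a constructed knowledge base of hyper-alert types, a prepare-for relation computed over instantiated predicates, and the connected components of the resulting correlation graph taken as candidate attack scenarios. The type names, predicates and sample alerts are all constructed for the example.

```python
from collections import namedtuple

# Constructed toy knowledge base (not TIAA's own): each hyper-alert type maps to
# (prerequisites, consequences), predicate templates over SrcIP / DestIP.
HYPER_ALERT_TYPES = {
    "ICMP_PING":    (set(), {"ExistHost({DestIP})"}),
    "SCAN_SADMIND": ({"ExistHost({DestIP})"}, {"VulnerableSadmind({DestIP})"}),
    "SADMIND_BOF":  ({"VulnerableSadmind({DestIP})"}, {"GainRootAccess({DestIP})"}),
    "RSH":          ({"GainRootAccess({SrcIP})"}, {"SystemCompromised({DestIP})"}),
}

# One IDS alert: id, hyper-alert type, source IP, destination IP, timestamp.
Alert = namedtuple("Alert", "id kind src dst t")

def instantiate(templates, a):
    """Bind predicate templates to one alert's attribute values."""
    return {p.format(SrcIP=a.src, DestIP=a.dst) for p in templates}

def prepares_for(a, b):
    """a prepares for b: a consequence of a matches a prerequisite of b, a precedes b."""
    if a.t >= b.t:
        return False
    cons = instantiate(HYPER_ALERT_TYPES[a.kind][1], a)
    pre = instantiate(HYPER_ALERT_TYPES[b.kind][0], b)
    return bool(cons & pre)

def correlate(alerts):
    """Edges (a.id, b.id) of the hyper-alert correlation graph."""
    return sorted((a.id, b.id) for a in alerts for b in alerts if prepares_for(a, b))

def scenarios(alerts):
    """Connected components of the graph; each is a candidate attack scenario."""
    comps = [{a.id} for a in alerts]
    for x, y in correlate(alerts):
        cx = next(c for c in comps if x in c)
        cy = next(c for c in comps if y in c)
        if cx is not cy:
            cx |= cy
            comps.remove(cy)
    return comps

# Constructed sample: a ping/scan/overflow/rsh chain against 10.0.0.7, plus a
# lone scan of 10.0.0.8 that no earlier alert prepared for.
SAMPLE_ALERTS = [
    Alert(1, "ICMP_PING", "10.0.0.5", "10.0.0.7", 100),
    Alert(2, "SCAN_SADMIND", "10.0.0.5", "10.0.0.7", 200),
    Alert(3, "SADMIND_BOF", "10.0.0.5", "10.0.0.7", 300),
    Alert(4, "RSH", "10.0.0.7", "10.0.0.9", 400),
    Alert(5, "SCAN_SADMIND", "10.0.0.5", "10.0.0.8", 250),
]
```

Running `scenarios(SAMPLE_ALERTS)` yields one four-alert scenario and the isolated scan of 10.0.0.8, which is the kind of uncorrelated alert an analyst would examine separately.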

Supported Platform

This tool has been tested on Windows 2000 and XP with MS SQL Server.

Current Version

Previous Versions

Related Publications

Most of these papers can be downloaded here.

  • Dingbang Xu, Peng Ning, "Privacy-Preserving Alert Correlation: A Concept Hierarchy Based Approach," To appear in Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC '05), December 2005.
  • Peng Ning, Dingbang Xu, "Hypothesizing and Reasoning about Attacks Missed by Intrusion Detection Systems," ACM Transactions on Information and System Security (TISSEC), Vol. 7, No. 4, pages 591--627, November 2004.
  • Yan Zhai, Peng Ning, Purush Iyer, Douglas S. Reeves, "Reasoning about Complementary Intrusion Evidence," in Proceedings of 20th Annual Computer Security Applications Conference, pages 39--48, December 2004.
  • Dingbang Xu, Peng Ning, "Alert Correlation through Triggering Events and Common Resources," in Proceedings of 20th Annual Computer Security Applications Conference, pages 360--369, December 2004.
  • Peng Ning, Yun Cui, Douglas Reeves, and Dingbang Xu, "Tools and Techniques for Analyzing Intrusion Alerts," in ACM Transactions on Information and System Security, Vol. 7, No. 2, pages 273--318, May 2004.
  • Peng Ning, Dingbang Xu, Christopher G. Healey, and Robert A. St. Amant, "Building Attack Scenarios through Integration of Complementary Alert Correlation Methods," in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS '04), pages 97--111, February 2004.
  • Peng Ning, Dingbang Xu, "Learning Attack Strategies from Intrusion Alerts," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pages 200--209, Washington D.C., October 2003.
  • Peng Ning, Yun Cui, Douglas S. Reeves, and Dingbang Xu, "Towards Automating Intrusion Alert Analysis," in 2003 Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, September 2003. (Invited paper that summarizes our previous work on intrusion alert analysis.)
  • Peng Ning, Dingbang Xu, "Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation," in Proceedings of the 17th IFIP WG 11.3 Working Conference on Data and Application Security, August 2003.
  • Peng Ning, Yun Cui, Douglas S. Reeves, "Constructing Attack Scenarios through Correlation of Intrusion Alerts," in Proceedings of the 9th ACM Conference on Computer & Communications Security, pages 245--254, Washington D.C., November 2002.
  • Peng Ning, Yun Cui, Douglas S. Reeves, "Analyzing Intensive Intrusion Alerts Via Correlation," in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), LNCS 2516, pages 74--94, Zurich, Switzerland, October 2002.

Sponsors

This project has been generously supported by



2002 Peng Ning. Last updated March 16, 2006.