A Toolkit for Intrusion Alert Analysis
This tool is designed to facilitate the interactive analysis of alerts
reported by intrusion detection systems (IDSs). It started as a prototype
system we developed to validate our method for correlating intrusion alerts
based on the prerequisites and consequences of known attacks (see our paper
in CCS '02). It has since served as a platform for testing and validating
our techniques for intrusion analysis. We would also like to turn these
techniques into a practical tool that supports intrusion analysis in
real-world settings.
TIAA is written in Java. The current version is an offline tool that
interacts with a DBMS. It has been tested on Windows 2000 and XP with
MS SQL Server.
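The correlation method the tool was built to validate pairs each alert type with the predicates that must hold before the attack can succeed (prerequisites) and the predicates it establishes (consequences); an earlier alert "prepares for" a later one when one of its consequences matches a prerequisite of the later alert. The following is an added illustration written for this page, not code from TIAA; the hyper-alert types, predicate templates and sample alerts are constructed assumptions.

```python
from dataclasses import dataclass

# Hyper-alert types (constructed for this example): for each IDS alert type,
# the predicates that must hold for the attack to succeed (prerequisites) and
# the predicates it establishes when it succeeds (consequences). The "{...}"
# placeholders are filled in from the attributes of each concrete alert.
HYPER_ALERT_TYPES = {
    "SCAN":    ([],                            ["HostScanned({dst})"]),
    "PROBE":   (["HostScanned({dst})"],        ["VulnService({dst},{port})"]),
    "EXPLOIT": (["VulnService({dst},{port})"], ["RootAccess({dst})"]),
}

@dataclass
class Alert:
    id: int
    type: str      # key into HYPER_ALERT_TYPES
    ts: float      # detection timestamp (seconds)
    attrs: dict    # e.g. {"src": ..., "dst": ..., "port": ...}

def _instantiate(templates, attrs):
    return {t.format(**attrs) for t in templates}

def prerequisites(a):
    return _instantiate(HYPER_ALERT_TYPES[a.type][0], a.attrs)

def consequences(a):
    return _instantiate(HYPER_ALERT_TYPES[a.type][1], a.attrs)

def prepares_for(a, b):
    """a prepares for b when a happened first and some consequence of a is
    one of b's prerequisites (same concrete host/port after instantiation)."""
    return a.ts < b.ts and bool(consequences(a) & prerequisites(b))

def correlate(alerts):
    """Return the prepare-for edges (a.id, b.id); they form the attack scenario graph."""
    return [(a.id, b.id) for a in alerts for b in alerts if a is not b and prepares_for(a, b)]

def isolated(alerts, edges):
    """Alert ids that no edge touches: candidates for false positives or missed steps."""
    linked = {i for e in edges for i in e}
    return sorted(a.id for a in alerts if a.id not in linked)

# Constructed sample alerts: a scan, a service probe and an exploit against
# 192.0.2.10 from one source, plus an unrelated exploit against 192.0.2.20.
SAMPLE_ALERTS = [
    Alert(1, "SCAN",    100.0, {"src": "10.0.0.5", "dst": "192.0.2.10"}),
    Alert(2, "PROBE",   130.0, {"src": "10.0.0.5", "dst": "192.0.2.10", "port": 445}),
    Alert(3, "EXPLOIT", 200.0, {"src": "10.0.0.5", "dst": "192.0.2.10", "port": 445}),
    Alert(4, "EXPLOIT",  50.0, {"src": "10.0.0.9", "dst": "192.0.2.20", "port": 445}),
]

if __name__ == "__main__":
    edges = correlate(SAMPLE_ALERTS)
    print("prepare-for edges:", edges)                              # [(1, 2), (2, 3)]
    print("uncorrelated alerts:", isolated(SAMPLE_ALERTS, edges))   # [4]
```

Alert 4 stays uncorrelated because no earlier alert established a consequence matching its prerequisite, which is exactly the kind of gap the later "missed attack" papers below set out to reason about.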
Most of these papers can be downloaded here.
- Dingbang Xu, Peng Ning, "Privacy-Preserving Alert Correlation: A Concept Hierarchy Based Approach," to appear in Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC '05), December 2005.
- Peng Ning, Dingbang Xu, "Hypothesizing and Reasoning about Attacks Missed by Intrusion Detection Systems," ACM Transactions on Information and System Security (TISSEC), Vol. 7, No. 4, pages 591--627, November 2004.
- Yan Zhai, Peng Ning, Purush Iyer, Douglas S. Reeves, "Reasoning about Complementary Intrusion Evidence," in Proceedings of the 20th Annual Computer Security Applications Conference, pages 39--48, December 2004.
- Dingbang Xu, Peng Ning, "Alert Correlation through Triggering Events and Common Resources," in Proceedings of the 20th Annual Computer Security Applications Conference, pages 360--369, December 2004.
- Peng Ning, Yun Cui, Douglas Reeves, and Dingbang Xu, "Tools and Techniques for Analyzing Intrusion Alerts," ACM Transactions on Information and System Security, Vol. 7, No. 2, pages 273--318, May 2004.
- Peng Ning, Dingbang Xu, Christopher G. Healey, and Robert A. St. Amant, "Building Attack Scenarios through Integration of Complementary Alert Correlation Methods," in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS '04), pages 97--111, February 2004.
- Peng Ning, Dingbang Xu, "Learning Attack Strategies from Intrusion Alerts," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pages 200--209, Washington D.C., October 2003.
- Peng Ning, Yun Cui, Douglas S. Reeves, and Dingbang Xu, "Towards Automating Intrusion Alert Analysis," in 2003 Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, September 2003. (Invited paper that summarizes our previous work on intrusion alert analysis.)
- Peng Ning, Dingbang Xu, "Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation," in Proceedings of the 17th IFIP WG 11.3 Working Conference on Data and Application Security, August 2003.
- Peng Ning, Yun Cui, Douglas S. Reeves, "Constructing Attack Scenarios through Correlation of Intrusion Alerts," in Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 245--254, Washington D.C., November 2002.
- Peng Ning, Yun Cui, Douglas S. Reeves, "Analyzing Intensive Intrusion Alerts Via Correlation," in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), LNCS 2516, pages 74--94, Zurich, Switzerland,
This project has been generously supported by