TIAA: A Toolkit for Intrusion Alert Analysis (Version 0.3)

What's new
- GUI
- System support for interactive analysis
- Faster correlation (by adapting main-memory index structures and query optimization techniques)
- Additional representation of correlated alerts:
  - chronological correlation graph
- Reorganized, generalized, and added analysis utilities:
  - Hyper-alert generating utilities
    - hyper-alert aggregation/disaggregation
    - clustering analysis
    - focused analysis
  - Feature extraction utilities
    - link analysis
    - frequency analysis
Supported Platforms
This tool has been tested on Windows XP with MS SQL Server 2000.
Download
Please try version 1.0.
Test Data and Execution Procedure
- Download this SQL statement and execute it in the database to create a target table "events";
- Download any of these alert datasets [scenario 1 (dmz, inside), scenario 2 (dmz, inside)] generated by RealSecure; the data source is the DARPA 2000 evaluation dataset. You can import it into MS SQL Server with the command "bulk insert events from 'file path' with (FIELDTERMINATOR=',');";
- Download the sample knowledge base XML file and its schema;
- Download the sample property file, name it "Correlator.properties" and make the necessary configuration changes (change dbDriver and dbURL, and the various file paths: knowledge base path, Original_Graph_Output, ...)
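The first two steps above, written out as a T-SQL script for MS SQL Server 2000. This is an added example, not TIAA's own SQL: the column list of "events" is an assumption made so the script runs on its own, and the real table definition is the SQL statement linked on this page, which should be used instead. The file path is also assumed.

```sql
-- Added example, not TIAA's own SQL. The column list is an ASSUMPTION
-- chosen to hold a RealSecure alert export; the real table definition
-- comes from the SQL statement linked on this page, so substitute it.
-- Target: MS SQL Server 2000 (T-SQL), matching the page's test setup.

-- 1. Target table. Keep the column order identical to the field order
--    in the CSV: BULK INSERT maps fields to columns positionally.
CREATE TABLE events (
    EventID     int           NOT NULL,   -- assumed: per-alert sequence number
    SensorTime  datetime      NOT NULL,   -- assumed: sensor timestamp
    EventName   varchar(128)  NOT NULL,   -- assumed: RealSecure signature name
    SrcIP       varchar(15)   NOT NULL,   -- assumed: dotted-quad source address
    SrcPort     int           NULL,
    DstIP       varchar(15)   NOT NULL,
    DstPort     int           NULL
);

-- 2. Load the dataset. The path is opened by the SQL Server service
--    account on the server host, not by the client running the query;
--    for a remote server use a UNC path that account can read. The login
--    issuing the statement needs the bulkadmin (or sysadmin) server role.
--    Fields are split on ',' and rows on newline. BULK INSERT has no
--    quoting support, so a field containing a literal comma is split.
BULK INSERT events
FROM 'C:\tiaa\scenario1_dmz.csv'   -- assumed path
WITH (FIELDTERMINATOR = ',', ROWTERMINATOR = '\n');

-- 3. Sanity checks before pointing the correlator at the table.
--    Row count and the time span the alerts cover:
SELECT COUNT(*) AS alerts,
       MIN(SensorTime) AS first_alert,
       MAX(SensorTime) AS last_alert
FROM events;

--    A first frequency analysis: alert types by count. Garbage names or
--    a single huge bucket here mean the terminators or column order do
--    not match the file, and the load should be fixed before correlating.
SELECT EventName, COUNT(*) AS n
FROM events
GROUP BY EventName
ORDER BY n DESC;
```

If the load succeeds but the counts look wrong, truncate the table and reload rather than re-running BULK INSERT on top of the existing rows, since the statement appends and the correlator would then see every alert twice.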
Checklist before you run this tool
- Java 1.4
- MS SQL Server and JDBC driver
- Xerces Java Parser v1.4.1 (available from Apache's website)
- GraphViz (available from AT&T's website)
Document

Main contributors
- Yiquan Hu
- Dingbang Xu
- Pai Peng
Sample Screenshots
- A hyper-alert correlation graph
- A chronological correlation graph
- Link analysis