Cyber Defense Laboratory


TIAA: A Toolkit for Intrusion Alert Analysis
(Version 1.0)

What's new

We have revised the program code to make it efficient for large dataset analysis. We revised in-memory correlation, graph partition, graph visualization (output), focused analysis, clustering analysis, aggregation analysis, attack strategy extraction, etc. 

To facilitate alert correlation, especially for prerequisite (pre-condition) and consequence (post-condition) based methods, we have developed a comprehensive knowledge base for all Snort alert types (nearly 3,000 different types).

Supported Platforms

This tool has been tested on Windows XP with MS SQL server 2000.

Download

  • TIAA can be downloaded here (all class files). 
  • Knowledge base for Snort (Note that this knowledge base was compiled in 2005. Some types do not apply any more due to the changes in Snort rule sets.)

Test Data and Execution Procedure

  • For the alert data generated by Snort network sensors: 

Use Snort to analyze the traffic data and collect all alerts. Download the sample knowledge base XML file (for Snort alert types) and its schema. Download the sample property file (comment out the attributes for RealSecure and uncomment the attributes for Snort). Then use TIAA to analyze the alerts.

  • For the alert data generated by RealSecure network sensors: 
  1. Download this SQL statement and execute it in the database to create a target table "events";
  2. Download any of these alert datasets [scenario 1 (dmz, inside), scenario 2 (dmz, inside)] generated by RealSecure; the data source is the DARPA 2000 evaluation dataset. You can import a dataset into MS SQL Server with the command "bulk insert events from 'file path' with (FIELDTERMINATOR=',');";
  3. Download the sample knowledge base XML file and its schema;
  4. Download the sample property file;
  5. Use the command "java edu.ncsu.tiaa.gui.GUI" to run the program;
  6. For aggregation analysis and attack strategy extraction, if applying an abstraction hierarchy, download a sample abstraction hierarchy file here;
  7. For missed attack hypotheses, please use Ethereal to analyze the tcpdump file and save the analysis result (packet summary) into a text file. For your convenience, you can also download sample analysis results here [inside1 packet analysis summary, dmz1 packet analysis summary].

Checklist before You Run this Tool

  • Java 1.4 or above
  • MS SQL Server 2000 and JDBC driver
  • Xerces Java Parser v2.7.1 (You can get it from Apache's website)
  • GraphViz (You can get it from AT&T's website)
  • Ethereal (not necessary if you have downloaded our sample analysis results) (You can get Ethereal from the Ethereal website)

Overview of Revisions to TIAA Version 0.4

In this version, our goal is to make TIAA efficient in analyzing large alert datasets. We observed that the efficiency of alert analysis largely depends on (1) the interaction between database systems and our Java programs, and (2) the efficiency of database operations. To improve the efficiency of TIAA, it is crucial to reduce the time spent on both. So, we revised the in-memory correlation to make it appropriate for large dataset correlation. We also revised other utilities such as graph partition, graph visualization, focused analysis, clustering analysis, aggregation analysis and attack strategy extraction to reduce the interaction between the database and our programs as well as time-consuming database operations such as table joins. We have tested our programs using datasets from our campus network and the DEF CON 9 datasets. Here we give some example correlation graphs or aggregated correlation graphs from our experiments (some graphs may be partial due to space constraints).

A correlation graph discovered in our campus network

An aggregated correlation graph in DEF CON 9 datasets

An aggregated correlation graph in DEF CON 9 datasets

An aggregated correlation graph in DEF CON 9 datasets

New Comprehensive Knowledge Base for Snort Alert Types

To perform prerequisite (pre-condition) and consequence (post-condition) based alert correlation, it is crucial to specify the prerequisites and consequences for alert types. We have studied nearly 3,000 alert types reported by Snort, and specified the prerequisite and consequence for each of them. A subset of these alert types can be found here (around 380 alert types). A more complete knowledge base can be found here. (Note that this knowledge base was compiled in 2005. Some types do not apply any more due to the changes in Snort rule sets.)
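The prepare-for relation described above, as an added example written for this page (not TIAA's own Java code, and not its XML knowledge-base format): a constructed knowledge base of four alert types with prerequisite and consequence templates, a constructed alert stream, and a correlation pass that links an earlier alert to a later one whenever an instantiated consequence of the former matches an instantiated prerequisite of the latter. The resulting correlation graph is emitted as GraphViz DOT, the format TIAA hands to GraphViz; the alert type names and predicate names are illustrative assumptions.

```python
from collections import namedtuple

# Constructed knowledge base (illustrative, not TIAA's XML schema): alert type ->
# (prerequisite templates, consequence templates); {names} are filled from the alert.
KB = {
    "ICMP_PING":        (set(),                           {"ExistHost({dst})"}),
    "PORT_SCAN":        ({"ExistHost({dst})"},            {"ExistService({dst},{dport})"}),
    "FTP_GLOB_EXPLOIT": ({"ExistService({dst},{dport})"}, {"GainRootAccess({dst})"}),
    "MSTREAM_ZOMBIE":   ({"GainRootAccess({src})"},       {"ReadyForDDoS({src})"}),
}

# Constructed alert record; dport defaults to 0 for alerts that carry no service port.
Alert = namedtuple("Alert", "id type ts src dst dport", defaults=(0,))

def instantiate(templates, a):
    """Bind a template set to one alert, e.g. ExistHost({dst}) -> ExistHost(172.16.0.5)."""
    return {t.format(src=a.src, dst=a.dst, dport=a.dport) for t in templates}

def correlate(alerts):
    """Return (earlier_id, later_id) edges: a1 prepares for a2 when a1 is strictly earlier
    and one of a1's instantiated consequences equals one of a2's instantiated prerequisites."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    edges = []
    for i, a2 in enumerate(ordered):
        pre = instantiate(KB[a2.type][0], a2)
        for a1 in ordered[:i]:
            if a1.ts < a2.ts and instantiate(KB[a1.type][1], a1) & pre:
                edges.append((a1.id, a2.id))
    return edges

def to_dot(alerts, edges):
    """Render the correlation graph as GraphViz DOT (one node per alert, one edge per link)."""
    out = ["digraph correlation {"]
    out += [f'  a{a.id} [label="{a.type}\\n{a.src} -> {a.dst}"];' for a in alerts]
    out += [f"  a{s} -> a{d};" for s, d in edges]
    out.append("}")
    return "\n".join(out)

# Constructed alert stream: a recon -> exploit -> zombie chain against 172.16.0.5,
# plus a scan of 172.16.0.9 whose prerequisite no earlier alert satisfies (left isolated).
SAMPLE_ALERTS = [
    Alert(1, "ICMP_PING",        10, "10.0.0.1",   "172.16.0.5"),
    Alert(2, "PORT_SCAN",        20, "10.0.0.1",   "172.16.0.5", 21),
    Alert(3, "FTP_GLOB_EXPLOIT", 30, "10.0.0.1",   "172.16.0.5", 21),
    Alert(4, "MSTREAM_ZOMBIE",   40, "172.16.0.5", "10.0.0.1"),
    Alert(5, "PORT_SCAN",        50, "10.0.0.1",   "172.16.0.9", 21),
]
if __name__ == "__main__":
    print(to_dot(SAMPLE_ALERTS, correlate(SAMPLE_ALERTS)))
```

Alert 5 stays unconnected because no earlier alert establishes ExistHost(172.16.0.9); that gap is exactly the kind of missed-attack hypothesis the procedure above examines with packet summaries.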

Document

Main Contributor

Other Contributors

Copyright 2005 North Carolina State University. All rights reserved.
Last Updated August 4, 2007.