Cyber Defense Laboratory

  
 

Intrusion Alert Correlator (Version 0.2)

Introduction

This tool is designed to correlate the alerts reported by commercial Intrusion Detection System (IDS) using the prerequisites and consequences of hyper alerts defined in knowledge base. The tool is written in Java.

The current release is an offline tool interacted with DBMS.

Supported Platforms

This tool has been tested in Windows 2000 with MS SQL server.

Download

Please try version 1.0

Test Data and Execution Procedure

1. Download this sql statement and execute it in the database to create a target table "events";

2. Download  any of these alert datasets [scenario 1 (dmz, inside), scenario 2 (dmz, inside)] generated by RealSecure, the data source is DARPA evaluation dataset 2000. You can import it into MS SQL server with the command "bulk insert events from 'file path' with (FIELDTERMINATOR=',');";

3. Download the sample knowledge base XML file and its schema;

4. Download the sample property file, name it "Correlator.properties" and make some configuration changes (change the dbDriver and dbURL and various file paths: knowledge base path, Original_Graph_Output, ...);

5. Run the tool using the command "java Correlator -Correlation userName password";

6. Using GraphViz to generate the graphs (dot -Tps darpa_dmz1.txt -o outputFile.ps). The file name "darpa_dmz1.txt" is specified in "Correlator.properties". 

Results

You can expect six graphs for dmz part of scenario 1, one graph for inside part of scenario 1, two graphs for dmz part of scenario 2 and two graphs for inside part of scenario 2.

Checklist before you run this tool

· Java

· DBMS

· Xerces Java Parser v1.4.1 (You can get it from Apache's website.)

· GraphViz (You can get it from ATT's website. )

Document

· Installation & Operation Manual [pdf]

· Java API for this tool can be found here.

Related Publications

· Peng Ning, Yun Cui, Douglas S. Reeves, "Constructing Attack Scenarios through Correlation of Intrusion Alerts," To appear in the 9th ACM Conference on Computer & Communications Security, Washington D.C., November 2002. (Full Version)

· Peng Ning, Yun Cui, Douglas S. Reeves, "Analyzing Intensive Intrusion Alerts Via Correlation," To appear in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland, October 2002.

Contributors

· Dr. Peng Ning

· Yun Cui

Sponsors

 

  
 

© 2002 Yun Cui, Last Updated 10/23/2002