Abstract
We propose a novel framework named Hidden Colored Petri-Net for Alert Correlation and Understanding (HCPN-ACU) for intrusion detection systems. The model rests on the premise that intrusion detection may be viewed as an inference problem – in other words, we seek to show that system misusers are carrying out a sequence of steps to violate system security policies in some way, with earlier steps preparing for the later ones. In contrast with prior art, we separate actions from observations and assume that the attacker’s actions themselves are unknown, but that the attacker’s behavior may result in alerts. These alerts are then used to infer the attacker’s actions. We evaluate the model with the DARPA evaluation database. We conclude that HCPN-ACU can conduct alert fusion and intention recognition at the same time, reduce false positives and negatives, and provide a better understanding of the intrusion’s progress by introducing confidence scores.
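As an added illustration of the premise (not the paper's HCPN-ACU definition, which the abstract does not give), the following toy model treats hidden attacker actions as transitions of a single-token Petri net whose firings emit observable alerts, and runs a forward pass that turns an alert sequence into a confidence score for each attack stage. Places, transition names, alert types and all probabilities are constructed; the preconditions between steps are what let an out-of-order or isolated alert be explained as background noise rather than as progress.

```python
"""Toy hidden-Petri-net alert inference (constructed example, not HCPN-ACU itself)."""
from collections import defaultdict

PLACES = ["start", "recon", "access", "root"]

# Hidden attacker actions as transitions: name -> (input place, output place,
# P(observed alert | transition fired)). Each later step needs the earlier one.
TRANSITIONS = {
    "scan":     ("start",  "recon",  {"PORTSCAN": 0.8, "NOISE": 0.2}),
    "exploit":  ("recon",  "access", {"EXPLOIT_SIG": 0.7, "NOISE": 0.3}),
    "escalate": ("access", "root",   {"PRIV_ESC": 0.6, "NOISE": 0.4}),
}
# Background activity: the token stays put, yet any alert type may be raised
# (this is how false positives are explained away).
BACKGROUND = {"NOISE": 0.85, "PORTSCAN": 0.05, "EXPLOIT_SIG": 0.05, "PRIV_ESC": 0.05}
P_ATTACK_STEP = 0.3  # constructed prior that an enabled attack transition fires per alert


def forward(alerts):
    """Forward pass: posterior over markings (which place holds the token)
    after observing the alert sequence, without ever observing the actions."""
    belief = {p: (1.0 if p == "start" else 0.0) for p in PLACES}
    for alert in alerts:
        nxt = defaultdict(float)
        for place, mass in belief.items():
            if mass == 0.0:
                continue
            enabled = [(out, em) for (inp, out, em) in TRANSITIONS.values() if inp == place]
            p_stay = 1.0 if not enabled else 1.0 - P_ATTACK_STEP
            nxt[place] += mass * p_stay * BACKGROUND.get(alert, 0.0)
            for out_place, emission in enabled:  # a step fires only if its precondition holds
                nxt[out_place] += mass * P_ATTACK_STEP * emission.get(alert, 0.0)
        total = sum(nxt.values())
        if total > 0.0:  # an unknown alert type leaves the belief unchanged
            belief = {p: nxt[p] / total for p in PLACES}
    return belief


def confidence(alerts, place="root"):
    """Confidence score that the attacker has reached `place`."""
    return forward(alerts)[place]


if __name__ == "__main__":
    full_chain = ["PORTSCAN", "EXPLOIT_SIG", "PRIV_ESC"]
    print("ordered chain  ->", round(confidence(full_chain), 3))          # about 0.812
    print("reversed chain ->", confidence(list(reversed(full_chain))))   # 0.0, preconditions unmet
    print("isolated alert ->", confidence(["PRIV_ESC"]))                 # 0.0, no prior stages
```

The same three alerts yield a high score only in the order the net permits; a lone privilege-escalation alert, or three noise alerts, leave the "root" confidence at or near zero.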
© 2004 Springer-Verlag Berlin Heidelberg
Yu, D., Frincke, D. (2004). A Novel Framework for Alert Correlation and Understanding. In: Jakobsson, M., Yung, M., Zhou, J. (eds) Applied Cryptography and Network Security. ACNS 2004. Lecture Notes in Computer Science, vol 3089. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24852-1_33
DOI: https://doi.org/10.1007/978-3-540-24852-1_33
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22217-0
Online ISBN: 978-3-540-24852-1