Log correlation for intrusion detection: a proof of concept

Abad, Cristina L.; Taylor, John A.; Sengul, Cigdem; Yurcik, William; Zhou, Yu; Rowe, K.

doi:10.1109/csac.2003.1254330

Cited by 62 publications

(34 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although, three major gaps lie in the studies about forecasting of cyber attacks: a) the use of few sensors and/or sensors employed locally; b) the use of just one forecasting technique; and c) lack of information sharing among sensors to be used for correlation (Pontes & Guelfi, 2009a). Correlation of information between IDPS and forecasters means looking for similar characteristics that may be related (Pontes & Guelfi, 2009a) (Abad et al, 2003). Throughout correlation it is possible to eliminate redundant and false data, to discover attack patterns and understand attack strategies (Zhay et al, 2006).…”

Section: Analogy With Forecasting In Cyber Securitymentioning

confidence: 99%

“…Multi-correlation or integration of alerts with information from different sources, e.g. tools for monitoring or operating system logs, can allow a new classification for alerts, improving accuracy of the results (Abad et al, 2003), (Zhay et al, 2006). References (Abad et al, 2003), (Zhay et al, 2006), (Zhay et al, 2004) employed multi-correlation; however neither a detailed analysis concerning influence of isolated alerts in the FP rates, nor forecasting techniques were not applied for predicting future attacks (forecasting).…”

Section: Analogy With Forecasting In Cyber Securitymentioning

confidence: 99%

“…tools for monitoring or operating system logs, can allow a new classification for alerts, improving accuracy of the results (Abad et al, 2003), (Zhay et al, 2006). References (Abad et al, 2003), (Zhay et al, 2006), (Zhay et al, 2004) employed multi-correlation; however neither a detailed analysis concerning influence of isolated alerts in the FP rates, nor forecasting techniques were not applied for predicting future attacks (forecasting). Forecasting analysis in the information security area can be similar to forecasting methodologies used in any other fields: meteorology, for instance, use sensors to capture data about temperature, humidity, etc (Lajara et al, 2007), (Lorenz, 2005); seismology employs sensors to capture electromagnetic emissions from the rocks (Bleier & Freund, 2005); for economics, specifically stock market, data is collected from diverse companies (annual profit, potential customers, assets, etc) to draw trends about shares of companies (Prechter & Frost, 2002), (Mandelbrot & Hudson, 2006).…”

Section: Analogy With Forecasting In Cyber Securitymentioning

confidence: 99%

“…Correlation techniques for security events can be classified into three categories: (1) rulebased, (2) based on anomaly and (3) based on causes and consequences (Prerequisites and Consequences (PC)) (Abad et al, 2003). The rule-based method requires some prior knowledge about the attack, so the target machine has to pass through a preparation phase called training.…”

Section: Approaches For Correlation Of Security Eventsmentioning

confidence: 99%

“…The rule-based method requires some prior knowledge about the attack, so the target machine has to pass through a preparation phase called training. The goal of this phase is to make the target machine able to precisely detect the vulnerabilities in which the target machine was trained for (Abad et al, 2003), (Mizoguchi, 2000). Gaps of rule-based method are: (1) it is computer intensive; (2) it results in lots of data; (3) the method works only for known vulnerabilities.…”

Section: Approaches For Correlation Of Security Eventsmentioning

confidence: 99%

See 4 more Smart Citations

Earthquake Prediction: Analogy with Forecasting Models for Cyber Attacks in Internet and Computer Systems

Pontes¹,

Silva²,

Guelfi³

et al. 2012

Earthquake Research and Analysis - Statistical Studies, Observations and Planning

View full text Add to dashboard Cite

Section: Analogy With Forecasting In Cyber Securitymentioning

confidence: 99%

Section: Analogy With Forecasting In Cyber Securitymentioning

confidence: 99%

Section: Analogy With Forecasting In Cyber Securitymentioning

confidence: 99%

Section: Approaches For Correlation Of Security Eventsmentioning

confidence: 99%

Section: Approaches For Correlation Of Security Eventsmentioning

confidence: 99%

See 3 more Smart Citations

Earthquake Prediction: Analogy with Forecasting Models for Cyber Attacks in Internet and Computer Systems

Pontes¹,

Silva²,

Guelfi³

et al. 2012

Earthquake Research and Analysis - Statistical Studies, Observations and Planning

View full text Add to dashboard Cite

A refined filter for UHAD to improve anomaly detection

Hajamydeen

Udzir

2016

Security Comm Networks

View full text Add to dashboard Cite

Filtering is used in intrusion detection to remove the insignificant events from a log to facilitate the analysis method to focus on the significant events and to minimize processing overhead. Generally, filtering is performed using filtering rules, which are framed using a set of data (training data), or the known facts on anomalous events. This knowledge‐dependent nature confines the filterer to filter‐in only the recognized anomalies in the logs, making the rest unavailable for further scrutiny. This problem has been addressed earlier by designing a filterer that manipulates the tested log data based on the patterns and volume of events to calculate the filtering threshold. Even though this filtering threshold was able to retain the anomalous events in most heterogeneous logs, it failed when such events were of high volume and also due to the inaccuracies in cluster formation. Therefore, this paper proposes a refined filterer for unsupervised heterogeneous anomaly detection that retains most anomalous events irrespective of its volume in the logs and also discusses the impact of the refined filterer in supporting the detection. The experiment conducted reveals that the refined filterer retained almost all the abnormal events thereby enabling the detection of maximum anomalies. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract