M2D2: A Formal Data Model for IDS Alert Correlation

Morin, Benjamin; Mé, Ludovic; Debar, Hervé; Ducassé, Mireille

doi:10.1007/3-540-36084-0_7

Cited by 179 publications

(90 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…A description of the network installation is required and can be, for example, specified in a formal model such as M2D2 [MMDD02] or using hypergraphs [Vi03].…”

Section: Passive Verificationmentioning

confidence: 99%

Using Alert Verification to Identify Successful Intrusion Attempts

Kruegel¹,

Robertson²,

Vigna³

2004

PIK - Praxis der Informationsverarbeitung und Kommunikation

View full text Add to dashboard Cite

Abstract:An important task of alert correlation is the aggregation of alerts to provide a high-level view (i.e., the "big picture") of malicious activity on the network. Unfortunately, when the correlation process receives false positives as input, the quality of the results can degrade significantly. Correlating alerts that refer to failed attacks can easily result in the detection of whole attack scenarios that are non-existent.The idea of alert verification is to discriminate between successful and failed intrusion attempts (both false and non-relevant positives). This is important for the correlation process, because, although a failed attack indicates malicious intent, it does not provide increased privileges or any additional information (other than that an attacker learned that the particular attack is ineffective). The goal of the alert verification component is to identify and appropriately tag (or even remove) alerts that represent failed attacks. This allows other correlation components to reduce the influence of these alerts on their decision process. This paper describes the different issues involved in alert verification and presents a tool that perform real-time verification of attacks detected by an intrusion detection system. The experimental evaluation of the tool shows that verification can dramatically reduce both false and non-relevant alerts.

show abstract

“…A description of the network installation is required and can be, for example, specified in a formal model such as M2D2 [MMDD02] or using hypergraphs [Vi03].…”

Section: Passive Verificationmentioning

confidence: 99%

Using Alert Verification to Identify Successful Intrusion Attempts

Kruegel¹,

Robertson²,

Vigna³

2004

PIK - Praxis der Informationsverarbeitung und Kommunikation

View full text Add to dashboard Cite

show abstract

“…Broadly speaking, these approaches can be divided into several groups: alert aggregation techniques [1,12,13] that cluster similar alerts; the methods focused on detection accuracy improvement [14,15,16] that aim to improve the accuracy of intrusion detection often through filtering of false positive and low-interest alerts; the methods for alert prioritization [17,18,19] that focus on adjusting priority of alerts based on their severity; and alert causality analysis. Since our work employs the alert causality analysis, we will primarily focus on the related work in this area.…”

Section: Related Workmentioning

confidence: 99%

An Online Adaptive Approach to Alert Correlation

Ren

Stakhanova

Ghorbani

2010

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. The current intrusion detection systems (IDSs) generate a tremendous number of intrusion alerts. In practice, managing and analyzing this large number of low-level alerts is one of the most challenging tasks for a system administrator. In this context alert correlation techniques aiming to provide a succinct and high-level view of attacks gained a lot of interest. Although, a variety of methods were proposed, the majority of them address the alert correlation in the off-line setting. In this work, we focus on the online approach to alert correlation. Specifically, we propose a fully automated adaptive approach for online correlation of intrusion alerts in two stages. In the first online stage, we employ a Bayesian network to automatically extract information about the constraints and causal relationships among alerts. Based on the extracted information, we reconstruct attack scenarios on-the-fly providing network administrator with the current network view and predicting the next potential steps of the attacker. Our approach is illustrated using both the well known DARPA 2000 data set and the live traffic data collected from a Honeynet network.

show abstract

“…-In environments with multiple IDSs, some methods enhance the confidence of alerts generated by more than one IDS (based on the assumption that the real attack will be noticed by multiple IDSs, whereas false positives tend to be more random) [32], -Couple sensor alerts with background knowledge to determine whether the attacked system is vulnerable [22,32], -Create groups of alerts and use heuristics to evaluate whether an alert is a false positive [7,45]. The work by Dain and Cunningham [7] is particularly relevant to us as it uses machine learning techniques: neural networks and decision trees to build a classifier grouping alerts into so-called scenarios.…”

Section: Related Workmentioning

confidence: 99%

“…False positives, i.e., alerts that mistakenly indicate security issues and require attention from the intrusion detection analyst, are one of the most important problems faced by intrusion detection today [32]. In fact, it has been estimated that up to 99% of alerts reported by IDSs are not related to security issues [2,4,17].…”

Section: Introductionmentioning

confidence: 99%

Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection

Pietraszek

2004

Lecture Notes in Computer Science

138

View full text Add to dashboard Cite

Abstract. Intrusion Detection Systems (IDSs) are used to monitor computer systems for signs of security violations. Having detected such signs, IDSs trigger alerts to report them. These alerts are presented to a human analyst, who evaluates them and initiates an adequate response. In practice, IDSs have been observed to trigger thousands of alerts per day, most of which are false positives (i.e., alerts mistakenly triggered by benign events). This makes it extremely difficult for the analyst to correctly identify the true positives (i.e., alerts related to attacks). In this paper we describe ALAC, the Adaptive Learner for Alert Classification, which is a novel system for reducing false positives in intrusion detection. The system supports the human analyst by classifying alerts into true positives and false positives. The knowledge of how to classify alerts is learned adaptively by observing the analyst. Moreover, ALAC can be configured to process autonomously alerts that have been classified with high confidence. For example, ALAC may discard alerts that were classified with high confidence as false positive. That way, ALAC effectively reduces the analyst's workload. We describe a prototype implementation of ALAC and the choice of a suitable machine learning technique. Moreover, we experimentally validate ALAC and show how it facilitates the analyst's work.

show abstract

M2D2: A Formal Data Model for IDS Alert Correlation

Cited by 179 publications

References 14 publications

Using Alert Verification to Identify Successful Intrusion Attempts

Using Alert Verification to Identify Successful Intrusion Attempts

An Online Adaptive Approach to Alert Correlation

Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection

Contact Info

Product

Resources

About