ONTIDS: A Highly Flexible Context-Aware and Ontology-Based Alert Correlation Framework

Sadighian, Alireza; Fernandez, José M.; Lemay, Antoine; Zargar, Saman Taghavi

doi:10.1007/978-3-319-05302-8_10

Cited by 33 publications

(16 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Figure shows the island‐hopping attack graph. The generated attack graph is also comparable with the attack graphs of the first scenario that was reported in the previous research works such as .…”

Section: Discussionsupporting

confidence: 75%

“…For the other scenarios, we could not have all event types of them because of the problems in logging process, and (4) since being able to evaluate our proposed framework in detecting the complete attack scenario, we should compare our work with the previous works. Some existing works like reported only the results of this attack scenario .…”

Section: Discussionmentioning

confidence: 99%

“…After running the snort IDS on the packet dump of the first attack scenario, island‐hopping attack scenario, 11 unique alert types are generated. The types of the alerts are available at . The main steps of this attack scenario with the corresponding generated alerts are as follows: The attacker constructs a malicious PDF file using Metasploit tool and sets a Meterpreter reverse TCP shell on port 5555.…”

Section: Discussionmentioning

confidence: 99%

See 2 more Smart Citations

Causal knowledge analysis for detecting and modeling multi‐step attacks

Ramaki

Rasoolzadegan

2016

Security Comm Networks

View full text Add to dashboard Cite

In order to understand the security level of an organization network, detection methods are important to tackle the probable risks of the attackers' malicious activities. Intrusion detection systems, as detection solutions of the defense in depth concept, are one of the main devices to record and analyze suspicious behaviors. Besides the benefits of these systems for security enhancement, they will bring some challenges and issues for security administrators. A large number of raw alerts generated by the intrusion detection systems clearly reflect the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi‐step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address the alert correlation in the offline settings. In this paper, we propose a three‐phase alert correlation framework, which processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs the attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the creating attack prediction rules. Experimental results show that the scalable proposed framework is efficient enough in learning and detecting known and unknown multi‐step attack scenarios without using any predefined knowledge. The results also show that the proposed framework perfectly estimates complex attacks before they can damage the assets of the network. Copyright © 2017 John Wiley & Sons, Ltd.

show abstract

Section: Discussionsupporting

confidence: 75%

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Causal knowledge analysis for detecting and modeling multi‐step attacks

Ramaki

Rasoolzadegan

2016

Security Comm Networks

View full text Add to dashboard Cite

show abstract

“…Cuppens and Ortalo (2000); Cheung et al (2003); Steven Eckmann (2002); Cédric Michel (2001) proposed LAMBDA, CAML, STATL, and ADELE respectively. More recent work in case-based models include work by Zali et al (2013) and Alireza Sadighian (2013). Although these provide high-quality correlations capturing known attacks, their limitation is that they are difficult to implement and maintain on large-scale complex networks.…”

Section: Related Workmentioning

confidence: 99%

Intrusion alert prioritisation and attack detection using post-correlation analysis

Shittu

Healing

Ghanea-Hercock

et al. 2015

Computers & Security

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version.Permanent repository link: http://openaccess.city.ac.uk/8680/ Link to published version: http://dx. AbstractEvent Correlation used to be a widely used technique for interpreting alert logs and discovering network attacks. However, due to the scale and complexity of today's networks and attacks, alert logs produced by these modern networks are much larger in volume and difficult to analyse. In this research we show that adding post-correlation methods can be used alongside correlation to significantly improve the analysis of alert logs.We proposed a new framework titled A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). The post-correlation methods include a new prioritisation metric based on anomaly detection and a novel approach to clustering events using correlation knowledge. One of the key benefits of the framework is that it significantly reduces false-positive alerts and it adds contextual information to true-positive alerts.We evaluated the post-correlation methods of ACSAnIA using data from a 2012 cyber range experiment carried out by industrial partners of the British Telecom SATURN programme. In one scenario, our results show that falsepositives were successfully reduced by 97% and in another scenario, 16%. It also showed that clustering correlated alerts aided in attack detection.The proposed framework is also being developed and integrated into a preexisting Visual Analytic tool developed by the British Telecom SATURN Research Team for the analysis of cyber security data.

show abstract

“…Timely investigation of system intrusions remains a notoriously difficult challenge [66,94,96]. While security monitoring tools provide an initial notification of foul play [13,41,86,91,95,97], these indicators are rarely sufficient in and of themselves. Instead, crafting an appropriate response to a security incident often requires scouring terabytes of audit logs to determine an adversary's method of entry, how their reach spread through the system, and their ultimate mission objective.…”

Section: Introductionmentioning

confidence: 99%

Runtime Analysis of Whole-System Provenance

Pasquier

Han

Moyer

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses.We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications. We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security. * Part of this work was completed at Harvard University and at the University of Cambridge.

show abstract

ONTIDS: A Highly Flexible Context-Aware and Ontology-Based Alert Correlation Framework

Cited by 33 publications

References 5 publications

Causal knowledge analysis for detecting and modeling multi‐step attacks

Causal knowledge analysis for detecting and modeling multi‐step attacks

Intrusion alert prioritisation and attack detection using post-correlation analysis

Runtime Analysis of Whole-System Provenance

Contact Info

Product

Resources

About