Entry Zhou:2007:MNI from tissec.bib



BibTeX entry

@Article{Zhou:2007:MNI,
  author =       "Jingmin Zhou and Mark Heckman and Brennen Reynolds and
                 Adam Carlson and Matt Bishop",
  title =        "Modeling network intrusion detection alerts for
                 correlation",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "1",
  pages =        "4:1--4:??",
  month =        feb,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/1210263.1210267",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:51:58 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Signature-based network intrusion-detection systems
                 (NIDSs) often report a massive number of simple alerts
                 of low-level security-related events. Many of these
                 alerts are logically involved in a single multi-stage
                 intrusion incident and a security officer often wants
                 to analyze the complete incident instead of each
                 individual simple alert. This paper proposes a
                 well-structured model that abstracts the logical
                 relation between the alerts in order to support
                 automatic correlation of those alerts involved in the
                 same intrusion. The basic building block of the model
                 is a logical formula called a capability. We use
                 capabilities to abstract, consistently and precisely,
                 the levels of access obtained by the attacker in each
                 step of a multistage intrusion. We then derive
                 inference rules to define logical relations between
                 different capabilities. Based on the model and the
                 inference rules, we have developed several novel alert
                 correlation algorithms and implemented a prototype
                 alert correlator. The experimental results of the
                 correlator using several intrusion datasets demonstrate
                 that the approach is effective in both alert fusion and
                 alert correlation and has the ability to correlate
                 alerts of complex multistage intrusions. In several
                 instances, the alert correlator successfully correlated
                 more than two thousand Snort alerts involved in massive
                 scanning incidents. It also helped us find two
                 multistage intrusions that were missed in auditing by
                 the security officers.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "alert correlation; alert fusion; capability; intrusion
                 detection",
}

Related entries