Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Experimental Results
Summary of Results
Related Work
Conclusion and Future Work
References

Reasoning About Complementary Intrusion Evidence

Profile image of Douglas ReevesDouglas Reeves

2004, 20th Annual Computer Security Applications Conference

https://doi.org/10.1109/CSAC.2004.29
visibility

description

10 pages

link

1 file

Abstract

To facilitate the modeling of intrusion evidence, this paper classifies intrusion evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, this paper develops techniques to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence based on verified evidence. The experimental results in this paper demonstrate the potential of the proposed techniques. In particular, additional observations by system monitoring or vulnerability scanning tools can potentially reduce the false alert rate and increase the confidence in alerts corresponding to successful attacks.

Related papers

Cyber Threat Analysis with Structured Probabilistic Argumentation
Guillermo R. Simari

Advances Argumentation Artificial Intelligence, 2019

Capturing the uncertain aspects in cyber threat analyses is an important part of a wide range of e↵orts, including diagnostics, threat evaluation, and preventing attacks. However, there has been insu cient research and development of modeling approaches that are able to correctly capture and handle such uncertainty. In this work, we present an application example of the DeLP3E framework-a formalism that extends structured argumentation based on logic programming-in the domain of cyber threat analysis; in particular, near real-time analyses such as incident response in enterprise networks. The DeLP3E framework provides a unique combination of dialectical reasoning, rule-based inference, and probabilistic modeling to not only o↵er suggested responses to given situations, but also to explain to the analyst why the system reaches its conclusions.

View PDFchevron_right
A Prevention Strategy for Security: A Bayesian Approach to Anomalies Detection
Franco Arcieri

IFIP On-Line Library in Computer Science, 2005

Intrusion detection is one of the new frontiers in network security, but almost every implemented system is in trouble when it has to deal with new kind of attacks or when it has to give a real time response to predefined attacks. In this work, we assert that the way of improving intrusion detection is to consider the semantic aspects of the communication protocols. Furthermore, we analyze an intrusion detection model that tries to reach this goal putting together database logical design rules and new rules from Bayesian reasoning. In the final section, we sketch some application of the model and we show how to implement the model and how to face existing attacks using the model itself.

View PDFchevron_right
Principled reasoning and practical applications of alert fusion in intrusion detection systems
Alvaro Cardenas

Proceedings of the 2008 ACM symposium on Information, computer and communications security - ASIACCS '08, 2008

It is generally believed that by combining several diverse intrusion detectors (i.e., forming an IDS ensemble), we may achieve better performance. However, there has been very little work on analyzing the effectiveness of an IDS ensemble. In this paper, we study the following problem: how to make a good fusion decision on the alerts from multiple detectors in order to improve the final performance. We propose a decision-theoretic alert fusion technique based on the likelihood ratio test (LRT). We report our experience from empirical studies, and formally analyze its practical interpretation based on ROC curve analysis. Through theoretical reasoning and experiments using multiple IDSs on several data sets, we show that our technique is more flexible and also outperforms other existing fusion techniques such as AND, OR, majority voting, and weighted voting.

View PDFchevron_right
Techniques and tools for analyzing intrusion alerts
Yun Cui

ACM Transactions on Information and System Security, 2004

Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive attacks, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a sequence of techniques to address this issue. The first technique constructs attack scenarios by correlating alerts on the basis of prerequisites and consequences of attacks. Intuitively, the prerequisite of an attack is the necessary condition for the attack to be successful, while the consequence of an attack is the possible outcome of the attack. Based on the prerequisites and consequences of different types of attacks, the proposed method correlates alerts by (partially) matching the consequences of s...

View PDFchevron_right
Formal Reasoning About Intrusion Detection Systems
Karl Levitt

Lecture Notes in Computer Science, 2004

Intrusion detection is an appealing approach to improving the security of systems.

View PDFchevron_right
Correlating alerts using prerequisites of intrusions
Douglas Reeves

2001

Intrusion detection has been studied for about twenty years since the Anderson's report. However, intrusion detection techniques are still far from perfect. Current intrusion detection systems (IDSs) usually generate a large amount of false alerts and cannot fully detect novel attacks or variations of known attacks. In addition, all the existing IDSs focus on low-level attacks or anomalies; none of them can capture the logical steps or strategies behind these attacks. Consequently, the IDSs usually generate a large amount of alerts. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and take appropriate actions. This paper presents a novel approach to address these issues. The proposed technique is based on the observation that most intrusions are not isolated but related as different stages of attack sequences, with the early stages preparing for the later ones. In other words, there are often logical steps or strategies behind series of attacks. The proposed approach correlates alerts using prerequisites of intrusions. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful. For example, the existence of a vulnerable service is the prerequisite of a remote buffer overflow attack against the service. The proposed approach identifies the prerequisite (e.g., existence of vulnerable services) and the consequence of each type of attacks, and correlates the corresponding alerts by matching the consequence of some previous alerts and the prerequisite of some later ones. The proposed approach has several advantages. First, it provides a high-level representation of the correlated alerts, and thus reveals the structure of series of attacks. Second, it can reduce the impact of false alerts by only keeping correlated alerts. Third, it can potentially be applied to predict attacks in progress, and allows the intrusion response systems to take appropriate actions to stop the ongoing attacks. Our preliminary experiments have demonstrated the potential of the proposed approach in reducing false alerts and uncovering high-level attack strategies.

View PDFchevron_right
Alert confidence fusion in intrusion detection systems with extended Dempster-Shafer theory
Kalpana Kumari

2005

Accurate identification of misuse is a key factor in determining appropriate ways to protect systems. Modern intrusion detection systems often use alerts from different sources such as hosts and sub-networks to determine whether and how to respond to an attack. However, alerts from different locations should not be treated equally. We propose improving and assessing alert accuracy by incorporating an algorithm based on the exponentially weighted Dempster-Shafer (D-S) Theory of Evidence. Our approach uses D-S theory to combine beliefs in certain hypotheses under conditions of uncertainty and ignorance, and allows quantitative measurement of the belief and plausibility in our detection results. Our initial evaluations on the DARPA IDS evaluation data set show that our alert fusion algorithm can improve alert quality over those from Hidden Colored Petri-Net (HCPN) based alert correlation components installed at the demilitarized zone (DMZ) and inside network sites. Due to alert confidence fusion in our example, the detection rate rises from 75% to 93.8%, without adversely affecting the false positive rate.

View PDFchevron_right
An Empirical Approach to Modeling Uncertainty in Intrusion Analysis
siva raj

Uncertainty is an innate feature of intrusion analysis due to the limited views provided by system monitoring tools, including intrusion detection systems (IDS) and the numerous types of logs. Attackers are essentially invisible in cyber space and those monitoring tools can only observe the symptoms produced by malicious activities, mingled with the same effects produced by non-malicious activities. Thus the conclusions one can draw from these observations inevitably suffer from varying degrees of uncertainty, which is the major source of false positives/false negatives in intrusion analysis. This paper presents a practical approach to modeling such uncertainty so that the various security implications from those low-level observations are captured in a simple logical language augmented with certainty tags. We design an automated reasoning process so that the model can combine multiple sources of system monitoring data and identify highly-confident attack traces from the numerous possible interpretations of low-level observations. We develop our model formulation through studying a true intrusion that happened on a campus network, using a Datalog-like language to encode the model and a Prolog system to carry out the reasoning process. Our model and reasoning system can reach the same conclusions the human administrator did regarding which machines were certainly compromised. We then apply the developed model to the Treasure Hunt (TH) data set, which contains large amounts of system monitoring data collected during a live cyber attack exercise in a graduate course taught at University of California, Santa Barbara. Our results show that the reasoning model developed from the true intrusion is effective to the TH data set as well, and our reasoning system can identify high-confidence attack traces automatically. Such a model thus has the potential of codifying the seemingly ad-hoc human reasoning of uncertain events, and can yield useful tools for automated intrusion analysis.

View PDFchevron_right
Modeling network intrusion detection alerts for correlation
Mark Heckman

ACM Transactions on Information and System Security, 2007

Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability . We use capability to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator....

View PDFchevron_right
An Application of Evidential Networks to Threat Assessment
Luigi Chisci

IEEE Transactions on Aerospace and Electronic Systems, 2009

Decision makers operating in modern defence theatres need to comprehend and reason with huge quantities of potentially uncertain and imprecise data in a timely fashion. In this paper, an automatic information fusion system is developed which aims at supporting a commander's decision making by providing a threat assessment, that is an estimate of the extent to which an enemy platform poses a threat based on evidence about its intent and capability. Threat is modelled by a network of entities and relationships between them, while the uncertainties in the relationships are represented by belief functions as defined in the theory of evidence. To support the implementation of the threat assessment functionality, an efficient valuation-based reasoning scheme, referred to as an evidential network, is developed. To reduce computational overheads, the scheme performs local computations in the network by applying an inward propagation algorithm to the underlying binary join tree. This allows the dynamic nature of the external evidence, which drives the evidential network, to be taken into account by recomputing only the affected paths in the binary join tree.

View PDFchevron_right

References (31)

  1. checkrootkit. http://www.checkrootkit.org. Ac- cessed on Feb. 4, 2004.
  2. Javabayes. http://www-2.cs.cmu.edu/ ˜javabayes/Home/. Accessed on Oct 10, 2003.
  3. Nessus. http://www.nessus.org. Accessed on Feb. 4, 2004.
  4. Samhain. http://la-samhna.de/samhain/. Ac- cessed on April 4, 2004.
  5. Tripwire. http://www.tripwire.com. Accessed on Feb. 4, 2004.
  6. P. Ammann, D. Wijesekera, and S. Kaushik. Scalable, graph- based network vulnerability analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Se- curity, pages 217-224, November 2002.
  7. F. Cuppens. Managing alerts in a multi-intrusion detection environment. In Proceedings of the 17th Annual Computer Security Applications Conference, December 2001.
  8. F. Cuppens and A. Miege. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002.
  9. F. Cuppens and R. Ortalo. LAMBDA: A language to model a database for detection of attacks. In Proc. of Recent Ad- vances in Intrusion Detection (RAID 2000), pages 197-216, September 2000.
  10. O. Dain and R.K. Cunningham. Building scenarios from a heterogeneous alert stream. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, pages 231-235, June 2001.
  11. O. Dain and R.K. Cunningham. Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications, pages 1-13, November 2001.
  12. H. Debar and A. Wespi. Aggregation and correlation of intrusion-detection alerts. In Recent Advances in Intrusion Detection, LNCS 2212, pages 85 -103, 2001.
  13. S.T. Eckmann, G. Vigna, and R.A. Kemmerer. STATL: An Attack Language for State-based Intrusion Detection. Jour- nal of Computer Security, 10(1/2):71-104, 2002.
  14. D. Farmer and W. Venema. SATAN: Security administrator tool for analyzing networks. http://142.3.223.54/ ˜short/SECURITY/satan.html.
  15. Fyodor. Nmap free security scanner. http://www. insecure.org/nmap, 2003.
  16. F.V. Jensen. Bayesian Networks and Decision Graphs. Statistics for Engineering and Information Science. Springer, 2001.
  17. K. Julisch. Mining alarm clusters to improve alarm handling efficiency. In Proceedings of the 17th Annual Computer Se- curity Applications Conference (ACSAC), pages 12-21, De- cember 2001.
  18. K. Julisch and M. Dacier. Mining intrusion detection alarms for actionable knowledge. In The 8th ACM International Conference on Knowledge Discovery and Data Mining, July 2002.
  19. MIT Lincoln Lab. 1999 DARPA intrusion detection scenario specific datasets. http://www.ll.mit.edu/IST/ ideval/data/1999/1999_data_index.html, 1999.
  20. B. Morin, L. Mé, H. Debar, and M. Ducassé. M2D2: A for- mal data model for IDS alert correlation. In Proceedings of the 5th International Symposium on Recent Advances in In- trusion Detection (RAID 2002), pages 115-137, 2002.
  21. P. Ning, Y. Cui, and D. S Reeves. Constructing attack sce- narios through correlation of intrusion alerts. In Proceedings of the 9th ACM Conference on Computer and Communica- tions Security, pages 245-254, Washington, D.C., November 2002.
  22. P. Ning, D. Xu, C. Healey, and R. St. Amant. Building at- tack scenarios through integration of complementary alert correlation methods. In Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS '04), pages 97-111, February 2004.
  23. P.A. Porras, M.W. Fong, and A. Valdes. A mission-impact- based approach to INFOSEC alarm correlation. In Proceed- ings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pages 95-114, 2002.
  24. M. Roesch. Snort -lightweight intrusion detection for net- works. In Proceedings of the 1999 USENIX LISA confer- ence, 1999.
  25. O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J.M. Wing. Automated generation and analysis of attack graphs. In Pro- ceedings of IEEE Symposium on Security and Privacy, May 2002.
  26. S. Staniford, J.A. Hoagland, and J.M. McAlerney. Practical automated detection of stealthy portscans. Journal of Com- puter Security, 10(1/2):105-136, 2002.
  27. Tauscan. http://www.agnitum.com/products/ tauscan/.
  28. S. Templeton and K. Levitt. A requires/provides model for computer attacks. In Proceedings of New Security Paradigms Workshop, pages 31 -38. ACM Press, September 2000.
  29. A. Valdes and K. Skinner. Probabilistic alert correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), pages 54-68, 2001.
  30. X-scan. http://www.xfocus.org.
  31. Y. Zhai, P. Ning, P. Iyer, and D.S. Reeves. Reasoning about complementary intrusion evidence. Technical Report TR- 2004-25, Department of Computer Science, North Carolina State University, 2004.

Related papers

A logic-based model to support alert correlation in intrusion detection
Hervé Debar

Information Fusion, 2009

Managing and supervising security in large networks has become a challenging task, as new threats and flaws are being discovered on a daily basis. This requires an in depth and up-to-date knowledge of the context in which security-related events occur. Several tools have been proposed to support security operators in this task, each of which focuses on some specific aspects of the monitoring. Many alarm fusion and correlation approaches have also been investigated. However, most of these approaches suffer from two major drawbacks. First, they only take advantage of the information found in alerts, which is not sufficient to achieve the goals of alert correlation, that is to say to reduce the overall amount of alerts, while enhancing their semantics. Second, these techniques have been designed on an ad hoc basis and lack a shared data model that would allow them to reason about events in a cooperative way. In this paper, we propose a federative data model for security systems to query and assert knowledge about security incidents and the context in which they occur. This model constitutes a consistent and formal ground to represent information that is required to reason about complementary evidences, in order to confirm or invalidate alerts raised by intrusion detection systems.

View PDFchevron_right
A Model Towards Using Evidence From Security Events For Network Attack Analysis
Changwei Liu

Constructing an efficient and accurate model from security events to determine an attack scenario for an enterprise network is challenging. In this paper, we discuss how to use evidence obtained from security events to construct an attack scenario and build an evidence graph. To achieve the accuracy and completeness of the evidence graph, we use Prolog inductive and abductive reasoning to correlate evidence by reasoning the causality, and use an anti-forensics database and a corresponding attack graph to find the missing evidence. In addition, because the constructed scenario and supplied evidence might need to stand up in the court of law, the federal rules of evidence are also taken into account to predetermine the admissibility of the evidence.

View PDFchevron_right
Modified evidence theory for performance enhancement of intrusion detection systems
CIZA THOMAS

2008

Sensor Fusion using heterogeneous Intrusion Detection Systems are employed to aggregate different views of the same event in order to improve the detection through detector reinforcement or complementarity. The fusion technique proposed in this paper is expected to combine the Intrusion Detection System outputs with subjective judgements. In this paper, a new evidence model which is an extension and improvement of the classical Dempster-Shafer theory is proposed. The feasibility of this method is demonstrated via an analysis case study with several simulated detectors using the replayed DARPA data set. The experimental results are validated and a discussion on why and how the new model is useful is provided. The result shows an improvement in the probability of detection along with a reduction in the false alarm rate with the proposed fusion algorithm.

View PDFchevron_right
Efficient Intrusion Detection Using Evidence Theory
Thibault Debatty

arXiv (Cornell University), 2021

Intrusion Detection Systems (IDS) are now an essential element when it comes to securing computers and networks. Despite the huge research efforts done in the field, handling sources' reliability remains an open issue. To address this problem, this paper proposes a novel contextual discounting method based on sources' reliability and their distinguishing ability between normal and abnormal behavior. Dempster-Shafer theory, a general framework for reasoning under uncertainty, is used to construct an evidential classifier. The NSL-KDD dataset, a significantly revised and improved version of the existing KDD-CUP'99 dataset, provides the basis for assessing the performance of our new detection approach. While giving comparable results on the KDDTest+ dataset, our approach outperformed some other state-of-the-art methods on the KDDTest-21 dataset which is more challenging.

View PDFchevron_right
Creating an integrated evidence graph
Changwei Liu

Evidence graphs model network intrusion evidence and their dependencies to help with network forensics analysis. With quantitative metrics, probabilistic evidence graphs provide a way to link probabilities associated with different attack paths with available evidence. Existing work in evidence graphs assumes that all available evidence forms a single evidence graph. We show how to merge different evidence graphs with or without the help of a corresponding attack graph. We show this by providing algorithms and a possible attack scenario towards a file server and a database server in an example network environment. An integrated evidence graph, showing all attacks using global reasoning, is more useful to forensics analysts and network administrators than multiple evidence graphs that use local reasoning.

View PDFchevron_right

Cited by

Real-Time Alert Correlation with Type Graphs
Uwe Aickelin

Lecture Notes in Computer Science, 2008

The premise of automated alert correlation is to accept that false alerts from a low level intrusion detection system are inevitable and use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified in to two broad categories namely scenario-graph approaches, which create an attack model starting from a vulnerability assessment and type-graph approaches which rely on an abstract model of the relations between attack types. Some research in to improving the efficiency of type-graph correlation has been carried out but this research has ignored the hypothesizing of missing alerts. Our work is to present a novel type-graph algorithm which unifies correlation and hypothesizing in to a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to other techniques.

View PDFchevron_right
CAPTAR: Causal-Polytree-based Anomaly Reasoning for SCADA Networks
Tim Yardley

2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)

The Supervisory Control and Data Acquisition (SCADA) system is the most commonly used industrial control system but is subject to a wide range of serious threats. Intrusion detection systems are deployed to promote the security of SCADA systems, but they continuously generate tremendous number of alerts without further comprehending them. There is a need for an efficient system to correlate alerts and discover attack strategies to provide explainable situational awareness to SCADA operators. In this paper, we present a causal-polytree-based anomaly reasoning framework for SCADA networks, named CAPTAR. CAPTAR takes the meta-alerts from our previous anomaly detection framework EDMAND, correlates the them using a naive Bayes classifier, and matches them to predefined causal polytrees. Utilizing Bayesian inference on the causal polytrees, CAPTAR can produces a high-level view of the security state of the protected SCADA network. Experiments on a prototype of CAPTAR proves its anomaly reasoning ability and its capabilities of satisfying the real-time reasoning requirement.

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved