Abstract
An algorithm for fusing the alerts produced by multiple heterogeneous intrusion detection systems is presented. The algorithm runs in real time, combining the alerts into scenarios; each scenario is a sequence of alerts attributed to a single actor or organization. The software can discover scenarios even when stealthy attack methods, such as forged IP addresses or long attack latencies, are employed. The algorithm builds scenarios by estimating the probability that a new alert belongs to each candidate scenario and then adding the alert to the most likely candidate. Two alternative probability estimation techniques are compared with an algorithm that builds scenarios using a set of rules. Both probability estimation approaches use training data to learn the appropriate probability measures. The algorithm determines the scenario membership of a new alert in time proportional to the number of candidate scenarios.
This work was sponsored by the Department of Defense under Air Force contract F19628-00-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Air Force.
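The assignment loop the abstract describes, as an added example that is not the chapter's own code: every incoming alert is scored against each open scenario in a single linear pass, joins the most probable scenario if that probability clears a threshold, and otherwise opens a new scenario. The probability estimate here is a hand-weighted logistic model over a constructed feature set; it stands in for whatever a trained estimator would learn and is not the authors' estimator. The stage ordering, feature names, weights, threshold and the five-alert stream are all assumptions made for this example.

```python
"""Greedy scenario assignment over a heterogeneous alert stream.

Illustration only: the feature set, the logistic scoring model with
hand-set weights, and the sample alerts are constructed for this example
and do not reproduce the chapter's trained probability estimators.
"""
import math
from dataclasses import dataclass, field

# Hypothetical coarse attack stages, used only to order alert categories.
STAGE = {"probe": 0, "exploit": 1, "escalate": 2, "exfil": 3}


@dataclass(frozen=True)
class Alert:
    ts: float      # seconds since stream start
    sensor: str    # which IDS raised it (network, host, ...)
    src: str
    dst: str
    category: str  # one of the STAGE keys


@dataclass
class Scenario:
    alerts: list = field(default_factory=list)
    targets: set = field(default_factory=set)  # every dst seen so far

    def add(self, alert):
        self.alerts.append(alert)
        self.targets.add(alert.dst)


def features(alert, scenario):
    """Evidence that `alert` continues `scenario` (constructed feature set)."""
    last = scenario.alerts[-1]
    return {
        # Source reuse is evidence, but a forged source must not be fatal,
        # so it is one weighted term rather than a hard filter.
        "same_src": 1.0 if alert.src == last.src else 0.0,
        "known_target": 1.0 if alert.dst in scenario.targets else 0.0,
        # Long latencies are penalised only logarithmically, so a slow
        # attacker is not cut off from the scenario by a fixed timeout.
        "log_gap": math.log1p(max(alert.ts - last.ts, 0.0)),
        "stage_advance": 1.0 if STAGE[alert.category] >= STAGE[last.category] else 0.0,
    }


def membership_prob(alert, scenario, weights, bias):
    """Logistic estimate of P(alert belongs to scenario)."""
    z = bias + sum(weights[k] * v for k, v in features(alert, scenario).items())
    return 1.0 / (1.0 + math.exp(-z))


def assign(alert, scenarios, weights, bias, threshold=0.5):
    """One pass over the candidates (time linear in len(scenarios)),
    then attach to the best candidate or start a new scenario."""
    best, best_p = None, 0.0
    for s in scenarios:
        p = membership_prob(alert, s, weights, bias)
        if p > best_p:
            best, best_p = s, p
    if best is not None and best_p >= threshold:
        best.add(alert)
        return best, best_p
    fresh = Scenario()
    fresh.add(alert)
    scenarios.append(fresh)
    return fresh, None


def build_scenarios(stream, weights, bias, threshold=0.5):
    scenarios = []
    for alert in stream:
        assign(alert, scenarios, weights, bias, threshold)
    return scenarios


# Stand-in weights; a real system would fit these from labelled scenarios.
WEIGHTS = {"same_src": 2.0, "known_target": 2.5, "log_gap": -0.1, "stage_advance": 1.5}
BIAS = -2.5

# Constructed stream: one intrusion that switches source address and waits
# two hours before escalating, plus an unrelated probe/exploit pair elsewhere.
SAMPLE_STREAM = [
    Alert(0.0,    "net-ids",  "10.0.0.5",     "192.0.2.10", "probe"),
    Alert(30.0,   "host-ids", "10.0.0.5",     "192.0.2.10", "exploit"),
    Alert(7200.0, "net-ids",  "198.51.100.7", "192.0.2.10", "escalate"),
    Alert(7300.0, "net-ids",  "203.0.113.9",  "192.0.2.77", "probe"),
    Alert(7400.0, "host-ids", "203.0.113.9",  "192.0.2.77", "exploit"),
]

if __name__ == "__main__":
    for i, s in enumerate(build_scenarios(SAMPLE_STREAM, WEIGHTS, BIAS)):
        print(f"scenario {i}: " + ", ".join(f"{a.src}->{a.dst} {a.category}" for a in s.alerts))
```

With these weights the third alert, which arrives from a different source address two hours after the exploit, still scores about 0.65 against the first scenario because the known target and the advancing attack stage outweigh the source mismatch and the latency penalty; the probe against a new host scores well below the threshold and opens a second scenario. A hard rule such as "same source within ten minutes" would have split the first scenario in two, which is the failure mode the probabilistic approach is meant to avoid.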
© 2002 Springer Science+Business Media New York
Cite this chapter
Dain, O., Cunningham, R.K. (2002). Fusing A Heterogeneous Alert Stream Into Scenarios. In: Barbará, D., Jajodia, S. (eds) Applications of Data Mining in Computer Security. Advances in Information Security, vol 6. Springer, Boston, MA. https://doi.org/10.1007/978-1-4615-0953-0_5
DOI: https://doi.org/10.1007/978-1-4615-0953-0_5
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4613-5321-8
Online ISBN: 978-1-4615-0953-0